How to Configure WAN2 to AT&T U-Verse RG?

In my small business, I have a Fortigate 60C as the firewall that is connected to two different ISPs as WAN1 and WAN2. This all worked fine until I moved to a new office and Comcast did not have service there, so I got static IPs from AT&T via their U-Verse service. But what was easy with Comcast and TelePacific seems hard now with the AT&T Residential Gateway (RG).

Does anyone have the steps to configure the AT&T U-Verse 2701 HGV-B RG to connect to WAN2 on the Fortigate 60C? The RG wants to discover the MAC addresses of all the machines on the local network, but I only want it to see the WAN2 port on the Fortigate 60C firewall and pass all traffic for all static IPs on to the firewall to process.

I found the following post that seems related, but it does not get me all the way to a working solution: http://www.ka9q.net/Uverse/static-ip.html

Someone suggested I use VDOMs (http://docs.fortinet.cor/fgt/techdocs/fortigate-vlans-vdoms.pdf), but this does not seem to be useful, since the intention here is to use the Fortigate firewall to have a live backup ISP connection for the business. The firewall detects if the primary interface (WAN1) is down and switches traffic to WAN2.

This all worked fine until I moved to a new office and Comcast did not have service there, so I got static IPs from AT&T via their U-Verse service. But AT&T's static IPs are not really static (see http://www.ka9q.net/Uverse/static-ip.html) and their "Residential Gateway" (RG) does not seem to have been built with the notion of a firewall as its only connection point to the LAN. This was easy to configure with Comcast and with TelePacific modems, but what I need to do is convince the RG to pass all traffic to the firewall.

I configure the RG by directly connecting to it. Is there a way to get to it through the firewall? I tried setting up a static route and a firewall policy to allow traffic to its fixed address of 192.168.1.254 (which there does not seem to be any way to change).
rwpatterson
Valued Contributor III

Seems to me that the issue is that both the LAN and WAN2 have the same IP subnet. One of the first unwritten rules of network building is to change the IP subnet from the default on any piece of gear you get. The most common default networks are 192.168.1.x/24, 192.168.0.x/24, and 192.168.2.x/24. Chances are you will run into someone else that didn't change their default IP subnet when they set theirs up...

I cannot see how you will ever get this to work, unless you change the internal subnet. That's something you do have access to change. Sorry I couldn't be the bearer of better news.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
ede_pfau
SuperUser

Your schematic is not what you have in reality. You cannot configure 2 interfaces of a routing FGT with IP addresses in the same subnet. In contrast to the ShoreTel modem, the RG is a router. The IP of WAN1 is 6x.23x.19x.74/24, the same as the internet-facing interface of the ShoreTel modem.

You have to put WAN2 into the 192.168.1.x subnet, e.g. set WAN2 to 192.168.1.253. Change 'internal' to a different IP range like 192.168.100.1/24. If you use the DHCP server on the FGT it isn't too much work to change the internal IP range. As Bob wrote, there's no other way to get this going.

In all policies 'internal' to 'WAN2' check the NAT option: then the RG will only ever see the IP of the WAN2 interface and its MAC address, not those of your internal hosts. Whether you can get the traffic of all public IPs of the AT&T connection forwarded across the RG depends on the RG alone; the FGT can do it once it gets passed.
Ede Kernel panic: Aiee, killing interrupt handler!
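
The addressing and NAT setup described in the reply above, written out as FortiOS CLI. This is an added example, not part of either reply. The interface names `internal` and `wan2`, the /24 masks, the route distance and the service name are assumptions; the IP addresses are the ones given in the thread.

```fortios
# Added example. Assumed: interface names "internal" and "wan2", /24 masks.

config system interface
    edit "internal"
        # Move the LAN off the RG's 192.168.1.x range
        set ip 192.168.100.1 255.255.255.0
    next
    edit "wan2"
        set mode static
        # Same subnet as the RG's fixed address 192.168.1.254
        set ip 192.168.1.253 255.255.255.0
    next
end

config router static
    # "edit 0" creates the entry with the next free ID
    edit 0
        set device "wan2"
        set gateway 192.168.1.254
        # Assumed value: higher than the wan1 default route (default 10),
        # so wan2 is only used when wan1 is down
        set distance 20
    next
end

config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        # "ALL" on FortiOS 5.x; the predefined name is "ANY" on 4.x
        set service "ALL"
        # Source NAT: the RG sees only the wan2 IP and MAC address
        set nat enable
    next
end
```

The DHCP server range on `internal` and any address objects that reference the old LAN range have to move to 192.168.100.x as well, and a management session connected through `internal` drops when its IP changes.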