Issue with static IP on WAN (no internet)
We have a cable modem from Spectrum for our backup internet. It is DHCP. I was able to get it working in LAN2 without issue.
Today we got our primary fiber line installed. They gave me a static IP. I cannot get it to work. I can plug my laptop in directly and set the IP and it works fine. But I've tried a few things on the FortiGate 200D and cannot get a connection on a client.
I am not a networking expert, but I thought it might be the "gateway" (the only difference between my laptop static and the WAN interface config). I found this thread and tried creating a static route to 0.0.0.0/0 but it did not help.
My laptop is pulling a DHCP address from the VLAN switch, so I know it's at least getting that far.
Here are the relevant configs. Please let me know if there is anything else I can provide that helps.
Physical Interface
Addressing Mode: Manual
IP/Net mask: 4.x.x.x/255.255.255.252
Interface State: Enabled
IPv4 Policy (literally cloned from the working policy and changed the "To" and "From")
From: (my test subnet)
To: Lumen (wan1)
Source: all
Destination: all
Schedule: always
Service: all
How did you decide to make the Spectrum cable as backup? Set a lower distance on the interface than the primary? Or put both in SD-WAN and set the implicit rule to make the primary's weight higher?
Likely that strategy is not working as you intended. Check your routing-table to see where the current default route is pointing to.
I would just disconnect the backup circuit while bringing up the primary.
"I can plug my laptop in directly and set the IP and it works fine"
If they gave you a static, place that back on the interface and do a diag sniffer packet <interface_name> 5. Do you see any packets? If someone pings your static IP, do you see packets? What is the destination mac_address shown in the dump?
Keep in mind the ISP might have sticky mac-address, so the 1st learned mac-address is locked by the ISP upstream device, and if you change hardware, you have to have them flush it. My ISP does that btw. So I use my macbook en0 ether address for all of my network gear wan interfaces. This way if I pull my FWF50E off the ISP link and test with my macbook, I don't have to worry about being filtered at layer2.
Just a hunch on what your problem might be, but try that diag sniffer and look at the packets and ether address in the dump.
Ken Felix
PCNSE
NSE
StrongSwan
Sorry all, I finally got this working with the help of this post.
Basically I created a Policy Route for the secondary connection. I guess when I said "backup connection" that was a misnomer that led you all astray. Essentially, for now (and I'm learning) I have it set up so that the primary VLAN uses the fiber and a public wifi VLAN uses the Cable. I should have been more clear in the original post. Sorry!
Thanks for the replies!
Did you set NAT on the outgoing policy?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
