Retal
New Contributor

LAN/WAN configuration with Fortigate 90D

Welcome. I have a problem and would like to ask you for help...

My current setup looks like this (current configuration), and I would like to connect everything through my FortiGate (target configuration).

(v5.0, build0318 (GA Patch 12)).

 

I would be very grateful for your help.

 

gschmitt
Valued Contributor

Retal wrote:

Welcome. I have a problem and would like to ask you for help...

What exactly is it you need help with? 

Do you have any specific questions or need help with any issues?

Retal
New Contributor

gschmitt wrote:

Retal wrote:

Welcome. I have a problem and would like to ask you for help...

What exactly is it you need help with? 

Do you have any specific questions or need help with any issues?

Hi.

As you can see, I have devices with static IP addresses: one server and a router with an OpenVPN server installed.

My FortiGate unit works in switch mode, and I would like to pass traffic for static IP addresses to these devices.

Should I change the FortiGate from switch mode to interface mode? If so, how do I set up the interfaces, policies, routes and firewall objects? I also want to run NAT and DHCP on the FortiGate. I am a beginner and ask for advice.
gschmitt
Valued Contributor

Retal wrote:

My FortiGate unit works in switch mode, and I would like to pass traffic for static IP addresses to these devices.

Should I change the FortiGate from switch mode to interface mode?

Just to make sure we are both talking about the same thing: A FortiGate 90D has 2 WAN interfaces and 14 internal interfaces.

Normally you have 1 subnet per interface. By switching to interface mode from switch mode you break up those 14 internal ports into 14 different interfaces (which you can combine into software switches later).

 

If you need more than 3 subnets (and don't want to use VLANs) you should use interface mode.

 

For this you have to remove all references to the interfaces (policies, routes, address objects).

You can see how many references are remaining at System > Network > Interfaces: right click on the column bar, select Ref. and Apply.

If you click the number you can see what is still left to remove (DHCP counts as well).

 

The device will reboot to take effect.

 

If so, how do I set up the interfaces, policies, routes and firewall objects? I also want to run NAT and DHCP on the FortiGate. I am a beginner and ask for advice.

To configure an interface, just double click an interface in the same menu.

You can set an alias and set the addressing mode (Manual, 192.168.1.254/24 (255.255.255.0) as an example).

To enable DHCP, simply check the DHCP Server box and add the IP ranges you want to use (192.168.1.100-150 as an example).

 

To make one side accessible to the other you need policies.

 

At Policy&Objects > Policies > IPv4 click Create New.

As an example, select incoming interface internal1 (interface mode; in switch mode it should be internal)

Source address all

Outgoing interface wan1

Destination Address all

Service any (unless you want to specify which services like HTTP/HTTPS for browsing)

 

If you want to access the internet you probably want to enable NAT (or you get martian packets).

 

You can also create address objects at Policy&Objects > Objects > Addresses to make the policies tighter.

You could Create New an object internal_lan with your subnet 192.168.1.0/24 and use this as your source address.

Or you could enter an IP range 192.168.1.100-150 so that only your DHCP clients can access the internet.

 

If you want to use NAT you HAVE to create a virtual IP (below Addresses)

 

Let's say your internal2 (or wan2 in switch mode) has the IP 10.10.10.1/24, your server is 10.10.10.2, you want to allow access to it via HTTP from the internet (wan1), and your public IP is 88.77.66.55.

 

Create a new VIP object (http_server)

External IP address/Range would be your public IP 88.77.66.55

Mapped IP address/Range would be your server 10.10.10.2

Enable Port Forwarding (or ALL Ports will get redirected)

Select Protocol TCP

External Service port 80

Map to port 80

 

Create a policy with source interface wan1

Source address all (use all unless otherwise specified, but try to specify as often as possible)

Destination interface wan2 (or internal2)

Destination address http_server (your VIP object)

Service HTTP

Normally you disable NAT for that.

 

Now if you enter 88.77.66.55 into your browser your requests get redirected to your server.
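The same setup as the GUI walkthrough above, written as FortiOS 5.0 CLI so that every step can be reviewed in one place. This is an added example, not configuration from the original post or from Fortinet's documentation. The addresses come from the thread (LAN 192.168.1.0/24 on internal1 with DHCP .100-.150, server 10.10.10.2 behind internal2, public IP 88.77.66.55 on wan1); the ISP gateway 88.77.66.1, the /24 on wan1, the interface aliases and the policy IDs are assumptions. The `#` lines are explanatory and must be stripped before pasting into the CLI.

```fortios
# Added example (FortiOS 5.0 CLI), not the original post's configuration.
# Assumed: ISP gateway 88.77.66.1, wan1 mask /24, aliases, policy IDs 1 and 2.

# 1. Leave switch mode. The unit reboots; every reference to "internal"
#    (policies, routes, addresses, DHCP) must be removed first.
config system global
    set internal-switch-mode interface
end

# 2. Interfaces. Admin access (https/ssh) stays on the LAN side only;
#    wan1 answers ping at most.
config system interface
    edit "wan1"
        set ip 88.77.66.55 255.255.255.0
        set allowaccess ping
    next
    edit "internal1"
        set alias "LAN"
        set ip 192.168.1.254 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "internal2"
        set alias "SERVERS"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
    next
end

# 3. Default route out of wan1 (gateway is an assumption).
config router static
    edit 1
        set device "wan1"
        set gateway 88.77.66.1
    next
end

# 4. DHCP on the LAN, handing out .100-.150 as in the post.
config system dhcp server
    edit 1
        set interface "internal1"
        set default-gateway 192.168.1.254
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 192.168.1.100
                set end-ip 192.168.1.150
            next
        end
    next
end

# 5. Address object so the outbound policy is internal_lan -> all, not all -> all.
config firewall address
    edit "internal_lan"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# 6. VIP with port forwarding: only TCP/80 on the public IP reaches the server,
#    not every port.
config firewall vip
    edit "http_server"
        set extintf "wan1"
        set extip 88.77.66.55
        set mappedip 10.10.10.2
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
    next
end

# 7. Policies. Outbound needs source NAT to the wan1 address; the inbound
#    VIP policy does not (the VIP already rewrites the destination, and the
#    server keeps seeing the real client IP in its logs).
config firewall policy
    edit 1
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "internal_lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set srcintf "wan1"
        set dstintf "internal2"
        set srcaddr "all"
        set dstaddr "http_server"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end
```

After the reboot, `get router info routing-table all` should show the default route via wan1 and the two connected subnets, and `diagnose sniffer packet internal2 'host 10.10.10.2 and port 80'` will show the forwarded requests arriving with the client's original source address. The router's OpenVPN listener that the question mentions would get the same VIP-plus-policy pattern with `set protocol udp` and the port it actually listens on.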

Retal
New Contributor

Thank you very much
