Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
KuyaJerome
New Contributor

Modem to Fortigate Port Forwarding VPN

Hi,

 

I am very new to Firewalls, though I configured some with the help of video tutorials. Now we have one on our own, I'm planning to configure it for Remote VPN so we can easily access our office files anywhere specially when we're in the field since we are IT service providers. 

 

I followed the instructions from this link https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&cad=rja&uact=8&ved=2ahUKEwjj3NiJ4N_e...

 

But I think this only applies when we are using the Public IP of our ISP. I set the WAN IP as DHCP. Now, I need the detailed instructions on how I can access our office LAN outside using Remote VPN. I think I have to port forward the Public IP of our router to the DHCP IP of the Fortigate. And I have no idea on how to do that. I hope I have someone I can talk with this.

 

Thanks and best regards,

 

Jerome

16 REPLIES 16
Tim_86
New Contributor III

Hi Jerome,

 

Am correct you are using NAT on your modem to your Fortigate?

 

You can configure SSL-VPN on a specific port like 10433.

There is an entire topic about this in the cookbook how to setup a SSL-VPN and a policy.

 

If you are using NAT on your modem you'll need to forward the SSL-VPN port to the WAN address your Fortigate received from your modem.

 

The most pratical would be if your Fortigate would receive a public IP.

This way you only have to follow the steps in the cookbook.

 

Kind regards,

Tim

KuyaJerome

Hi Tim,

 

Thank you very much for the quick reply. I have attached an image of our current setup. I hope this will clear it up. The link I provided from the cookbook uses the Public values of the router, so Forticlient can easily lookup the IP of the Firewall. While on our side, we used DHCP for the Firewall.

 

Tim_86
New Contributor III

Hi Jerome,

 

This is quite simple once you get the hang of it :D

 

Your modem hands your Forti an IP of 192.168.0.20. (Try to make it static or a reservation).

 

The only thing you need to do is forward the SSL-VPN port from your modem to 192.168.0.20.

 

You  can change the port in the SSL-VPN settings to something like 8443 so it won't conflict with the webinterface that runs on 443(or change that).

 

So in your modem you will forward port 8443 to 192.168.0.20 (all 8443 traffic wil be forawarded to the gateway of your fortigate)

Your FortiClient can add a VPN profile that points to your WAN IP 124.105.x.x and port 8443.

Out of safety precautions you might want to remove your real ISP IP.

 

I see you've got your own DHCP/DNS server, the SSL-VPN has got his own IP range which VPN clients connect on.

As long as your VPN clients point to the same DNS server, name resolvement for the internal network shouldn't be a problem.

 

I hope this makes it a bit clear, good luck!

 

KuyaJerome

Hi Tims, 

 

Thank you again. I kind of understand now what you are trying to tell me. It's how am I going to add the port forwarding in the router. I have attached screenshots of the settings from our modem. Where am I going to add it? 

 

I can still follow this instructions right? https://cookbook.fortinet.com/ipsec-vpn-forticlient/  All I have to do now is just add the port forwarding from the modem? Or do I have another set of instructions to follow? 

Tim_86
New Contributor III

Hi Jerome, 

 

Isn't there a forwarding option under NAT?

 

You might want to try SSL-VPN instead of IPSEC, you only need one forwarder for SSL-VPN.

https://cookbook.fortinet.com/ssl-vpn-using-web-and-tunnel-mode-54/

 

https://www.youtube.com/watch?v=IFqsfz6Bto0

 

Just follow the steps 1. to 5. and install the FortiClient (just took a quick view).

The steps beyond 5. you can replace with installing the FortiClient.

The "listen on port" is the port SSL-VPN uses, this is the one you want to foward to the WAN of your Forti from your modem.

 

I hope this gets you in the right direction,.

 

KuyaJerome

Hi Tim,

 

Please see attached image again. What IP goes to where? I am very sorry for I am really new to this. And thank you for assisting me anyway. 

 

And for the Predefined Bookmark, is this the IP of our Firewall? 

Tim_86
New Contributor III

I'm not really familiar with the interface of the device your are using.

You might want to check Virtual Server? (This is a DMZ function most of the time).

What type of modem are you using?

 

KuyaJerome

It's a DSL Modem Tim. 

Tim_86
New Contributor III

But do you have a brand and model? 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors