morana

No internet connection when using a static IP?

Hello everyone,


I am wondering why the internet connection is not working on the FortiGate 70F when I configure the WAN port IP manually.

I try to execute ping google.com but it does not resolve.

But when I change to DHCP to take an IP from the TP-Link router, everything works just fine and I am able to ping anything from the CLI.


With static IP config:

I tried to add a static route:

0.0.0.0        172.16.16.1 (tplink gateway)

I also added DNS:

8.8.8.8 (unreachable)

8.8.4.4 (unreachable)

I can ping the gateway only, 17.16.16.1

------------------------

I need the internet only to set up a site-to-site VPN, NOT to provide internet access to the local workstations.

As I mentioned, it works only if I use DHCP, not a static IP. As you know, DHCP is not a good choice for my case: if anything happens, like a power loss or a restart, it will obtain a new WAN IP address and the other site will not be able to access the database.

Toshi_Esumi

Regardless of whether you use the GUI or the CLI for configuration, you have to understand the routing mechanism involving two internet circuits. Then, if you need to change the default behavior, like dedicating one internet circuit to a specific purpose with no general internet access going toward it, you have to tweak or alter the mechanism. Some of this may not be possible via the GUI but only via the CLI.

When both interfaces wan1/2 are DHCP, the FGT pulls the default route 0/0 toward the GW with the same admin distance (AD), by default 5. Since no other metrics would apply to those two 0/0 routes, they're simply load-balanced per session.

- 0/0 -> wan1, AD=5
- 0/0 -> wan2, AD=5

If you want to route only s2s IPsec VPN traffic to wan2 and the rest of the internet traffic to wan1, you need general internet traffic not to go to wan2; only traffic to the remote end of the VPN goes to wan2.

The simplest way is, if the other end of VPN has a static public IP, you can remove the 0/0 route to wan2 and set the /32 route for the remote IP.
- 0/0 -> wan1, AD=5
- x.x.x.x/32 -> wan2, AD doesn't matter although 10.
Because more specific routes have higher precedence.

But if the other end of the VPN is a dynamic public IP, you need to set up DDNS, if it's another FGT, to be able to use an FQDN to set the /32 static route. If DDNS is not possible, you need to start tweaking the default route, because you can't simply remove the 0/0 route to wan2.

Let us know if this would be your option.


Toshi

morana

I will try that, then give you feedback. Thanks.

I do not want to deal with wan1 at all; it is a different service.

I want only wan2 to be used for the site-to-site connection, NOT to provide clients with an internet connection, because we have a MikroTik server for this purpose.

On the FortiGate, wan1 is the VoIP service (not internet).

We have an unused ADSL connection that we planned to use only for site-to-site; it is connected directly to a TP-Link home router --to---> WAN2 on the FortiGate.

The idea is that no one will use this port for internet access except the FortiGate system itself, which is provided with internet to allow us to connect site-to-site with the new far office.


Toshi_Esumi

If the other end's public IP is inside of its ISP's network, the IPsec wouldn't come up unless the ISP can set up port-forwarding for UDP 4500 and ESP packets from their NAT device to the IPsec termination device.
Does the IPsec come up if you set it up with the wan1 interface?

Toshi

morana

I cannot do the setup on wan1, because this port is busy 24 hours.

OK, do you think I should use a new interface, like port number 5, instead of wan2?

morana

---------------------------------------------------------------------------------------------------

The simplest way is, if the other end of VPN has a static public IP, you can remove the 0/0 route to wan2 and set the /32 route for the remote IP.
- 0/0 -> wan1, AD=5
- x.x.x.x/32 -> wan2, AD doesn't matter although 10.
Because more specific routes have higher precedence.

----------------------------------------------------------------------------------------------

site1 = wan2 = DHCP-obtained IP address: 192.168.1.55

site2 = wan2 = static IP address: 192.168.1.99

YOU MEAN

SITE1 ===> wan2 ==== config VPN => remote IP: 192.168.1.99/32 (this is the remote IP)

?????

Toshi_Esumi

Are those IPs just faking your real addresses on both ends? Or are the public IPs NOT terminated at the VPN termination devices but at the ISP's GW devices? You cannot set up a VPN to a private IP behind a NAT; it has to be the public IP.


Toshi

ebilcari

I understand your confusion, but in order to give remote advice about routing, the full network schema, all routing configurations and the routing tables of the nodes are needed. Route distance and preference are relatively simple concepts used by the network device to fill its routing table. If you have full visibility of the network devices, you can easily verify how the routing tables are populated and how to manipulate them.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
morana

Sorry, you mean you want the DHCP interface parameters?

AEK

I mean the entries shown by the following command:

get router info routing-table all
AEK
morana

Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 192.168.1.1, wan2, [1/0]
C 16.16.16.0/24 is directly connected, wan1
C 192.168.1.0/24 is directly connected, wan2
C 192.168.10.0/24 is directly connected, internal
S 192.168.20.0/24 [10/0] via 16.16.16.2, wan1, [1/0]
S 192.168.30.0/24 [10/0] via 16.16.16.3, wan1, [1/0]
S 192.168.40.0/24 [10/0] via 16.16.16.4, wan1, [1/0]
S 192.168.50.0/24 [254/0] is a summary, Null, [1/0] <<------- this one was created by the site-to-site VPN for the new office subnet
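The precedence rule Toshi_Esumi describes (longest prefix first, then admin distance, then per-session load balancing on ties) applied to the table above, as an added example that is neither code from this thread nor from Fortinet. The connected routes are copied from the posted table; the second 0/0 on wan1, the /32 toward the VPN peer and the peer address 203.0.113.10 are constructed assumptions.

```python
import ipaddress
from typing import List, NamedTuple


class Route(NamedTuple):
    prefix: str    # destination network, e.g. "0.0.0.0/0"
    gateway: str   # next hop, "" for directly connected
    device: str    # egress interface
    distance: int  # administrative distance (AD)

    @property
    def prefixlen(self) -> int:
        return ipaddress.ip_network(self.prefix).prefixlen


# Constructed table: connected routes from the posted
# 'get router info routing-table all', plus Toshi's proposed layout.
# 203.0.113.10 is a placeholder peer, not a real endpoint.
VPN_PEER = "203.0.113.10"
TABLE = [
    Route("0.0.0.0/0", "16.16.16.1", "wan1", 5),    # assumed default on wan1
    Route("0.0.0.0/0", "192.168.1.1", "wan2", 5),   # DHCP default on wan2
    Route(VPN_PEER + "/32", "192.168.1.1", "wan2", 10),
    Route("16.16.16.0/24", "", "wan1", 0),
    Route("192.168.1.0/24", "", "wan2", 0),
    Route("192.168.10.0/24", "", "internal", 0),
]


def best_routes(table: List[Route], dst: str) -> List[Route]:
    """Routes the FGT would pick for dst: longest prefix wins, then the
    lowest AD; routes tying on both remain as ECMP candidates."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in ipaddress.ip_network(r.prefix)]
    if not matches:
        return []
    longest = max(r.prefixlen for r in matches)
    same_len = [r for r in matches if r.prefixlen == longest]
    lowest_ad = min(r.distance for r in same_len)
    return [r for r in same_len if r.distance == lowest_ad]


def egress(table: List[Route], dst: str) -> List[str]:
    """Sorted interfaces that could carry traffic toward dst."""
    return sorted(r.device for r in best_routes(table, dst))


def without_default_on(table: List[Route], dev: str) -> List[Route]:
    """Toshi's first option: drop the 0/0 route that points at dev."""
    return [r for r in table if not (r.prefix == "0.0.0.0/0" and r.device == dev)]


def with_default_ad(table: List[Route], dev: str, ad: int) -> List[Route]:
    """Second option: keep 0/0 on dev but raise its AD so it never wins."""
    return [r._replace(distance=ad) if r.prefix == "0.0.0.0/0" and r.device == dev
            else r for r in table]
```

With both defaults at AD 5, egress(TABLE, "8.8.8.8") yields ["wan1", "wan2"] while the peer still goes out wan2 via the /32 despite its AD of 10; after without_default_on(TABLE, "wan2") or with_default_ad(TABLE, "wan2", 10), general internet traffic uses wan1 only.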
