Hello everyone,
I am wondering why the internet connection is not working on a FortiGate 70F when I configure the WAN port IP manually.
I try to exec ping google.com but it is not resolved.
But when I change it to DHCP to take an IP from the TP-Link router, everything works just fine and I am able to ping anything from the CLI.
With the static IP config
I try to add a static route:
0.0.0.0 172.16.16.1 (TP-Link gateway)
I also added DNS:
8.8.8.8 (unreachable)
8.8.4.4 (unreachable)
I can ping the gateway only, 17.16.16.1
------------------------
I need the internet only to set up a site-to-site VPN, NOT to provide internet access to the local workstations.
As I mentioned, it works only if I use DHCP, not a static IP. As you know, DHCP is not a good choice for my case: if anything happens, like a power loss or a restart, it will obtain a new WAN IP address and the other site will not be able to access the database.
Good. Now please set it manually as you did before, then share the same command:
get router info routing-table all
This is manual:
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] is directly connected, wan1, [1/0]
[10/0] via 192.168.1.1, wan2, [1/0]
C 16.16.16.0/24 is directly connected, wan1
C 192.168.1.0/24 is directly connected, wan2
C 192.168.10.0/24 is directly connected, internal
S 192.168.20.0/24 [10/0] via 16.16.16.2, wan1, [1/0]
S 192.168.30.0/24 [10/0] via 16.16.16.3, wan1, [1/0]
S 192.168.40.0/24 [10/0] via 16.16.16.4, wan1, [1/0]
S 192.168.50.0/24 [254/0] is a summary, Null, [1/0]
So in summary:
When using DHCP for wan2:
S* 0.0.0.0/0 [5/0] via 192.168.1.1, wan2, [1/0]
That's because the distance is 5, so the wan1 route is removed.
When using manually added static route:
S* 0.0.0.0/0 [10/0] is directly connected, wan1, [1/0]
[10/0] via 192.168.1.1, wan2, [1/0]
Both are in the routing table because both have the same distance (10).
On the other hand, I find the wan1 route quite strange.
WAN1 is static IP ===> 16.16.16.1
OK, I will share it once I am there.
Anyway, you want IPsec VPN through WAN2, right? Then the following should work for you:
Know that this config will make wan2 the active interface for all WAN traffic and the IPsec VPN as well, while the wan1 gateway will be disabled.
Again, if you want to use both interfaces it is much simpler to configure SD-WAN.
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/889544/sd-wan-quick-start
If you don't want SD-WAN, then set both default routes to the same distance and use policy routes to manage your internet traffic (a less interesting option).
Edit: That was not a good solution.
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 192.168.1.1, wan2, [1/0]
C 16.16.16.0/24 is directly connected, wan1
C 192.168.1.0/24 is directly connected, wan2
C 192.168.10.0/24 is directly connected, internal
S 192.168.20.0/24 [10/0] via 16.16.16.2, wan1, [1/0]
S 192.168.30.0/24 [10/0] via 10.10.10.3, wan1, [1/0]
S 192.168.40.0/24 [10/0] via 10.10.10.4, wan1, [1/0]
S 192.168.50.0/24 [254/0] is a summary, Null, [1/0] <<----------
The last line is the new subnet of the remote office that I am trying to reach for site-to-site.
Someone told me to use a dynamic IP with DDNS in order to make it work, but fortiddns.com or any DNS server in the list is not working; I cannot ping any DNS server from the CLI, even with a successfully created domain: example.branch.fortiddns.com
Hello @morana,
@Toshi_Esumi has already explained all possible scenarios to match your situation. However, I would like to add a few more points:
1- Firstly, you need to configure Port Address Translation (PAT) on your TP-Link modem because the remote site reaches your firewall through this modem. You must redirect UDP port 4500 to your firewall; otherwise, the IPSec tunnel will not establish.
2- Secondly, you mentioned that your sites do not have a public address directly. Your firewall is behind your TP-Link modem, which means your public address does not belong to you and will change continuously. To handle this unstable public address condition, you can configure a dial-up IPSec instead of the DDNS solution.
In addition, please follow these steps to ensure your routing and other network components work as expected:
1- Add a specific route such as 9.9.9.9/32 to use your WAN2 port.
2- Try pinging the first next-hop, which is the TP-Link modem's interface IP address. If it fails, ensure connectivity between the TP-Link modem and the firewall.
3- If successful, try pinging 9.9.9.9. If it fails, please check the TP-Link modem's configuration, as step 2 indicated that packets already reached the TP-Link modem.
4- If successful, everything seems good for internet connection via this WAN2.
5- At this point, consider @Toshi_Esumi's and the above feedback. Run the troubleshooting commands below, and then please share the output with the community.
--First CLI Screen--
exec traceroute-options source a.b.c.d (it's your wan2 IP address)
exec traceroute x.y.z.t (remote peer ip address)
get router info routing-table details x.y.z.t (remote peer IP address)
dia vpn ike log-filter dst-addr4 x.y.z.t
dia de app ike -1
dia de en
--Second CLI Screen--
diag sniff packet any "host x.y.z.t" 4 0 a
--Third CLI Screen--
You must be sure what the source and the destination are before running the commands below. For example, in the above redirection, if you try to ping 9.9.9.9 and your source IP is a.b.c.d, then the commands must look like this. Please run this and the second-screen commands during step 3, which means the situation of pinging 9.9.9.9. I ask because your firewall rule might not have been correctly configured, possibly due to mistakenly enabling NAT.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diag debug console timestamp enable
diagnose debug flow filter saddr a.b.c.d
diagnose debug flow filter daddr 9.9.9.9
diagnose debug flow show function-name enable
diagnose debug flow trace start 9999
diagnose debug enable
Best Regards.
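A FortiOS CLI configuration that puts in place the routing the checklist above tests, written here as an added example rather than any poster's own config. It assumes a wan2 address of 192.168.1.100/24 (the thread only shows the 192.168.1.0/24 subnet and the 192.168.1.1 TP-Link gateway); the wan2 default route gets distance 5, the same distance the DHCP-learned default had, so it is preferred over the distance-10 wan1 default instead of sharing the routing table with it.

```fortios
# Assumption: wan2 sits in 192.168.1.0/24 behind the TP-Link at 192.168.1.1;
# 192.168.1.100 is a placeholder host address, not from the thread.
config system interface
    edit "wan2"
        set mode static
        set ip 192.168.1.100 255.255.255.0
        set allowaccess ping
    next
end

# Default route via wan2 with distance 5: the same distance the DHCP-learned
# default had, so it wins over the distance-10 wan1 default (two defaults at
# the same distance both stay active, as the static routing table above shows).
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.1.1
        set device "wan2"
        set distance 5
    next
    # Step 1 of the checklist: a /32 test route pinning 9.9.9.9 to wan2.
    edit 2
        set dst 9.9.9.9 255.255.255.255
        set gateway 192.168.1.1
        set device "wan2"
    next
end

# DNS servers from the original post; they only become reachable once the
# default route actually points out wan2.
config system dns
    set primary 8.8.8.8
    set secondary 8.8.4.4
end

# Verification (steps 2-4): confirm which route 9.9.9.9 takes, then ping the
# next hop and the test address, sourced from the wan2 address.
get router info routing-table details 9.9.9.9
execute ping-options source 192.168.1.100
execute ping 192.168.1.1
execute ping 9.9.9.9
```

If the /32 route shows wan2 but the ping to 9.9.9.9 still fails while the gateway answers, the problem is on the TP-Link side, which is what step 3 of the checklist isolates.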
Thanks for the reply, I will try that on both TP-Link home routers for site A and site B.
But as I mentioned, the site A FortiGate has no internet connection when using a manually configured static IP; it can only get internet when I change it to DHCP. And the site B FortiGate's internet works fine if I configure it as a static IP!!
Thank you all, I appreciate your effort to help me, and I will try all your suggestions.
That's probably because Site-B doesn't have two internet circuits on both wan1 and wan2.
What is the public IP at Site-B when someone on-site searches "What is my IP" on Google? That's the IP you need to set a static route for toward wan2, and the IP the IPsec phase1 is connecting to. Private IPs like 192.168.x.x are not reachable over the internet.
Toshi