Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
morana
New Contributor

NO internet connection when using static ip ?

hello every one

 

i am wondering why internet connection not working in fortigate 70f when i config the wan port ip manually ??

i try to exec ping google.com but not resolved

but when i change  to dhcp to take an ip from the tplink router ,everything works just fine and i am able to ping anything from CLI .

 

with static ip config

i try to add static route :

0.0.0.0        172.16.16.1 (tplink gateway)

i also added dns

8.8.8.8 (unreachable )

8.8.4.4 (unreachable )

i can ping the gateway only 17.16.16.1

------------------------

 i need the internet only  to setup VPN site to site NOT to provide internet access to the local workstations .

as i mentioned it works only if i use DHCP not static IP . as u know DHCP not a good choice for my case ,if anything happened like power loss or restarting, it will obtain a new WAN IP address and the other site will not be able to access the database .

 

34 REPLIES 34
mpeddalla
Staff
Staff

Hello  @morana ,

 

Thank you for contacting the Fortinet Forum portal.

Whatever mode you use make sure the arp entry is present in the arp table of the FortiGate to ensure the next hop route.

-Did you verify with the ISP the same information as to why the manual configuration is not working as expected?

Please refer below article and make sure the steps:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Changing-Internet-Service-Providers/ta-p/1...

 

Best regards,

Manasa.

 

If you feel the above steps helped resolve the issue, mark the reply as solved so that other customers can get it easily while searching for similar scenarios.

morana
New Contributor

the arp table shows me the ip 172.16.16.1 with interface wan2 -- fine

no problem with isp . i can configure static ip for any device like my laptop .except forigate .

 

i have 2 wan connections port wan1 is fine .

port wan2 not working static .

is it related to firewall policy ??

if so ,how can i add a rule firewall policy for wan 2 to get internet access for only fortigate system , i do not want the local machines clients that connected to fortigate gateway to be provided with internet .?

AEK

Hi Morana

Firewall policy doesn't have control on firewall generated traffic (like ping from FG to WAN). I think you have another default gateway in your routing table that has lower priority or lower distance than a manually added static route. You can check with command:

get router info routing-table all

If this is the case then you need to manage your default gateways depending on your requirement, e.g.: if that route is not needed then just remove it, or if is a WAN gateway you may use SD-WAN or policy routes, etc...

AEK
AEK
morana
New Contributor

wan1 is used as service from ISP provider for VOIP only and is configured static 16.16.16.1

now i added wan2 (port 2 connected directly to tplink router with new ip  :192.168.1.2 ) just for internet connection to use vpn ipsec site to site . static not working for internet connection but DHCP works the problem is even with DHCP the ipsec tunnel not up for both sites .

all what i need is to make the vpn site to site working (fortigate to fortigate ) i tried every possible but not success .

site 1 (dhcp = internet ok )

site 2(static ip= internet ok)

 

but there is no connection between tunnels !! is it because DHCP ?

  i mean in order to start ipsec site to site .static ip is required for both sites ?

one more thing

there is deafult gateway in static route :

0000/0         0000

is this required or should remove it ?

 

AEK

Can you share the whole line of that existing default gateway (0000/0  0000)?

Also please you share the route entry that you added manually (from the same command), as well as the entry added with DHCP.

AEK
AEK
morana
New Contributor

192.168.40.0/24  16.16.16.4   VOIP-SERVS(WAN1)   enabled Margo-office
192.168.30.0/24 16.16.16.3    VOIP-SERVS(WAN1)   enabled Margo-office2
192.168.20.0/24 16.16.16.2   VOIP-SERVS(WAN1)    enabled Margo-office3
0.0.0.0/0              0.0.0.0        VOIP-SERVS(WAN1)    enabled Default Gaetway
0.0.0.0/0            192.168.1.1  NET-VPN      (WAN2)    enabled

 

the last line is for static ip for internet gateway

 

for the DHCP is obtained  :

192.168.1.7/255.255.255.0

 

morana
New Contributor

192.168.40.0/24  16.16.16.4   VOIP-SERVS(WAN1)   enabled Margo-office
192.168.30.0/24 16.16.16.3    VOIP-SERVS(WAN1)   enabled Margo-office2
192.168.20.0/24 16.16.16.2   VOIP-SERVS(WAN1)    enabled Margo-office3
0.0.0.0/0              0.0.0.0        VOIP-SERVS(WAN1)    enabled Default Gaetway
0.0.0.0/0            192.168.1.1  NET-VPN      (WAN2)    enabled

 

the last line is for static ip for internet gateway

ebilcari

You can find details related to route distance and preference on this article.

It seems that the Wan1 interface is preferred over the static route that you insert manually.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
morana

thanks for reply i red the article and got a headache  ,i am not an expert and do not want to do anything related to command line . if i can do that with GUI will be fine but how to make it for my case i do not know .

all what i want is to keep wan1 working as it is know , at the same time  wan2 working for ipsec site to site . i could not  figure it out , is the problem within routing or with internet itself . but as i mentioned Site 1 DHCP is with internet access and site B static is with internet access for both i can ping anything like yahoo and google etc, but when it comes to ipsec tunnel both shows me : STATUS : inactive

 

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors