hello every one
i am wondering why internet connection not working in fortigate 70f when i config the wan port ip manually ??
i try to exec ping google.com but not resolved
but when i change to dhcp to take an ip from the tplink router ,everything works just fine and i am able to ping anything from CLI .
with static ip config
i try to add static route :
0.0.0.0 172.16.16.1 (tplink gateway)
i also added dns
8.8.8.8 (unreachable )
8.8.4.4 (unreachable )
i can ping the gateway only 17.16.16.1
------------------------
i need the internet only to setup VPN site to site NOT to provide internet access to the local workstations .
as i mentioned it works only if i use DHCP not static IP . as u know DHCP not a good choice for my case ,if anything happened like power loss or restarting, it will obtain a new WAN IP address and the other site will not be able to access the database .
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello @morana ,
Thank you for contacting the Fortinet Forum portal.
Whatever mode you use make sure the arp entry is present in the arp table of the FortiGate to ensure the next hop route.
-Did you verify with the ISP the same information as to why the manual configuration is not working as expected?
Please refer below article and make sure the steps:
Best regards,
Manasa.
If you feel the above steps helped resolve the issue, mark the reply as solved so that other customers can get it easily while searching for similar scenarios.
the arp table shows me the ip 172.16.16.1 with interface wan2 -- fine
no problem with isp . i can configure static ip for any device like my laptop .except forigate .
i have 2 wan connections port wan1 is fine .
port wan2 not working static .
is it related to firewall policy ??
if so ,how can i add a rule firewall policy for wan 2 to get internet access for only fortigate system , i do not want the local machines clients that connected to fortigate gateway to be provided with internet .?
Hi Morana
Firewall policy doesn't have control on firewall generated traffic (like ping from FG to WAN). I think you have another default gateway in your routing table that has lower priority or lower distance than a manually added static route. You can check with command:
get router info routing-table all
If this is the case then you need to manage your default gateways depending on your requirement, e.g.: if that route is not needed then just remove it, or if is a WAN gateway you may use SD-WAN or policy routes, etc...
Created on 04-28-2024 07:12 AM Edited on 04-28-2024 07:20 AM
wan1 is used as service from ISP provider for VOIP only and is configured static 16.16.16.1
now i added wan2 (port 2 connected directly to tplink router with new ip :192.168.1.2 ) just for internet connection to use vpn ipsec site to site . static not working for internet connection but DHCP works the problem is even with DHCP the ipsec tunnel not up for both sites .
all what i need is to make the vpn site to site working (fortigate to fortigate ) i tried every possible but not success .
site 1 (dhcp = internet ok )
site 2(static ip= internet ok)
but there is no connection between tunnels !! is it because DHCP ?
i mean in order to start ipsec site to site .static ip is required for both sites ?
one more thing
there is deafult gateway in static route :
0000/0 0000
is this required or should remove it ?
Can you share the whole line of that existing default gateway (0000/0 0000)?
Also please you share the route entry that you added manually (from the same command), as well as the entry added with DHCP.
Created on 04-28-2024 08:17 AM Edited on 04-28-2024 08:21 AM
192.168.40.0/24 16.16.16.4 VOIP-SERVS(WAN1) enabled Margo-office
192.168.30.0/24 16.16.16.3 VOIP-SERVS(WAN1) enabled Margo-office2
192.168.20.0/24 16.16.16.2 VOIP-SERVS(WAN1) enabled Margo-office3
0.0.0.0/0 0.0.0.0 VOIP-SERVS(WAN1) enabled Default Gaetway
0.0.0.0/0 192.168.1.1 NET-VPN (WAN2) enabled
the last line is for static ip for internet gateway
for the DHCP is obtained :
192.168.1.7/255.255.255.0
Created on 04-28-2024 08:15 AM Edited on 04-28-2024 08:16 AM
192.168.40.0/24 16.16.16.4 VOIP-SERVS(WAN1) enabled Margo-office
192.168.30.0/24 16.16.16.3 VOIP-SERVS(WAN1) enabled Margo-office2
192.168.20.0/24 16.16.16.2 VOIP-SERVS(WAN1) enabled Margo-office3
0.0.0.0/0 0.0.0.0 VOIP-SERVS(WAN1) enabled Default Gaetway
0.0.0.0/0 192.168.1.1 NET-VPN (WAN2) enabled
the last line is for static ip for internet gateway
You can find details related to route distance and preference on this article.
It seems that the Wan1 interface is preferred over the static route that you insert manually.
Created on 04-28-2024 09:19 AM Edited on 04-28-2024 09:22 AM
thanks for reply i red the article and got a headache ,i am not an expert and do not want to do anything related to command line . if i can do that with GUI will be fine but how to make it for my case i do not know .
all what i want is to keep wan1 working as it is know , at the same time wan2 working for ipsec site to site . i could not figure it out , is the problem within routing or with internet itself . but as i mentioned Site 1 DHCP is with internet access and site B static is with internet access for both i can ping anything like yahoo and google etc, but when it comes to ipsec tunnel both shows me : STATUS : inactive
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.