Hi everyone,
I'm new to the FortiGate.
I have a Cisco WRVS4400N (ISP gateway) connected directly to the internet by a CAT5 cable. The connection type is PPPoE, and it has a static IP, for example 172.17.0.50/255.255.255.255 (when I switch the Cisco off and on, the WAN IP remains unchanged), default gateway 111.68.12.200, DNS1 and DNS2 203.99.131.10 and 207.99.131.249, and LAN IP 192.168.1.1. The username is "test" and the password is blank (these can be seen when logging in to the Cisco; the WAN IP is obviously a single address, since the subnet mask is 255.255.255.255).
Now I want to add my FortiGate 60D behind the Cisco WRVS4400N. I set the WAN1 addressing mode to PPPoE, keyed in the related username and password, and enabled "retrieve default gateway from server" and "override internal DNS". The policies have all been set to allow traffic out. WAN1 is connected to a WRVS4400N Ethernet port, and I will disable the DHCP server in the Cisco, since DHCP will be served from the FortiGate 60D internal interface.
Questions
1) Do I need to create a static route with destination 0.0.0.0/0.0.0.0, interface WAN1, gateway 111.68.12.200? (Actually I have run through many cookbooks and threads: PPPoE is dynamic even though I have a static IP address.) If not, what should I do?
2) Do I need to key in DNS under Network on the FortiGate with our MAIN SERVER DNS IP and DOMAIN NAME, as I already enabled "override internal DNS" on the WAN1 interface, or do I need to fill in the above info, 203.99.131.10 and 207.99.131.249? Which DNS IP should I fill in? (This FortiGate is for a branch located overseas, for just two or three people.)
3) Do I need to create DDNS for my FortiGate 60D in order to be able to remote access/VPN from another country, or will the above IP address 172.17.0.50 do?
Thank you all so much.
Hi,
and welcome to the forums.
Your setup is a bit different from the obvious in that
- your ISP assigns a private IP address (RFC1918)
- your FGT will be the second router in the setup
- the FGT will have nothing to do with PPPoE at all
That is to say:
1- what your FGT will see as the WAN is 192.168.1.x/24, with gateway 192.168.1.1. The wan1 port should be in that range, e.g. 192.168.1.2/24. Just a static IP address, no PPPoE, no DHCP. Consequently, no 'override DNS' or 'obtain default gateway'.
This is called a transfer network. It is only used to connect the FGT to the ISP router.
You need to create a static route as default route, destination '0.0.0.0/0', interface 'wan1', gateway '192.168.1.1'.
2- The choice of internal address range is up to you EXCEPT for 192.168.1.x/24. I would choose something like 192.168.101.0/24, with .1 assigned to the 'internal' port/switch.
That of course leads to the DHCP server on 'internal' handing out a range like 192.168.101.[20-100] with netmask /24 (= 255.255.255.0).
In the DHCP settings, specify either your ISP's DNS addresses (less elegant), or the FGT's internal address .101.1 in combination with a DNS on 'internal' which forwards to 'System DNS'. 'System DNS' of course is your ISP's DNS addresses.
Notice that in WAN facing policies you do not need to enable NAT. In fact you should not.
3- the DDNS thing is difficult, as you only get a private IP address from your ISP, assigned to the Cisco router, which cannot be addressed directly. At the moment, I'd say you cannot reach the router (nor the FGT) remotely. Workarounds:
- create a dial-out VPN from FGT to your management network
- make a TeamViewer session to an internal PC which has a browser running for administration via the 'internal' port
I hope you get started with this. Feel free to post additional questions if unclear.
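The setup described in the reply above, written out as a FortiOS CLI configuration. This is an added example, not part of the original reply and not Fortinet documentation; the addresses follow the thread (wan1 192.168.1.2/24 with gateway 192.168.1.1, internal 192.168.101.1/24, DHCP pool .20-.100, ISP DNS 203.99.131.10 and 207.99.131.249), while the policy name and the object index numbers are assumed. One caveat on the NAT point: with NAT disabled on the FortiGate, the Cisco receives packets sourced from 192.168.101.x and needs a static route for 192.168.101.0/24 via 192.168.1.2 to deliver the replies; if the Cisco cannot take such a route, enable NAT on the policy instead (double NAT is fine for outbound browsing).

```fortios
# Added example: transfer network on wan1, static addressing, no PPPoE/DHCP.
config system interface
    edit "wan1"
        set mode static
        set ip 192.168.1.2 255.255.255.0
        set allowaccess ping
    next
    edit "internal"
        set ip 192.168.101.1 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Default route towards the Cisco (the ISP router).
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.1.1
        set device "wan1"
    next
end

# 'System DNS' = the ISP resolvers seen on the Cisco.
config system dns
    set primary 203.99.131.10
    set secondary 207.99.131.249
end

# DNS service on 'internal' that forwards to System DNS, so clients
# can point at 192.168.101.1 instead of the ISP addresses.
config system dns-server
    edit "internal"
        set mode forward-only
    next
end

# DHCP on 'internal': pool .20-.100, gateway .1, DNS = the FortiGate itself.
config system dhcp server
    edit 1
        set interface "internal"
        set default-gateway 192.168.101.1
        set netmask 255.255.255.0
        set dns-service local
        config ip-range
            edit 1
                set start-ip 192.168.101.20
                set end-ip 192.168.101.100
            next
        end
    next
end

# Outbound policy. 'set nat disable' follows the reply above and assumes the
# Cisco has a route back to 192.168.101.0/24 via 192.168.1.2; otherwise use
# 'set nat enable' (double NAT).
config firewall policy
    edit 1
        set name "internal-to-wan1"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

After pasting, verify with `get router info routing-table all` (the 0.0.0.0/0 entry should point at 192.168.1.1 on wan1) and `execute ping 203.99.131.10` from the FortiGate before testing from a client.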
Ede, thank you so much for your reply.
1) I don't quite understand the DNS setting "FGT's internal address .101.1 in combination with a DNS on 'internal'". So should I fill in 203.99.131.10 and 207.99.131.249, which I saw in the Cisco?
2) Why should I not need to enable NAT in order to get to the internet?
3) When I create an auto-key VPN from my main site, can I configure the REMOTE GATEWAY as STATIC (172.17.0.50) in order to make the connection between the FortiGates? Is there any solution to make it work? The main purpose is VPN access to a shared folder at the main office, so can I make a site-to-site connection using this static IP 172.17.0.50?
4) Or should I get a publicly accessible address from the ISP, for example 172.17.0.50/29?