Hello there.
I need help please.
I've set up a FortiGate FG-60F.
Each port has its own setting (acts as an interface).
We have 2 internet providers. WAN1 is PPPoE, WAN2 is DHCP from the building's internet.
We've set up:
1) int2 (port no.2),
have IP 1.0.0.10.
netmask 255.255.255.0
dhcp off
2) int3,
have ip 1.0.1.10.
netmask 255.255.255.0.
dhcp off
3) int4,
have ip 192.168.100.100
dhcp on
purpose:
* int2 for LAN1,
- only work local (intranet).
- can communicate with int3
- can't access internet
* int3 for LAN2,
can communicate with LAN1.
can access internet, and will use WAN1
* int4 for internet only (for public),
- can access internet use wan2
- can't communicate with any other port
on fortigate, already created policy:
1) firewall policy 1
source: int2
ip: 1.0.0.0/24
destination: int3
ip: 1.0.1.0/24
services: all
antivirus : enable
others securities: disable
2) firewall policy 2
source:int3
ip: 1.0.1.0/24
destination:int2
ip: 1.0.0.0/24
services: all
antivirus : enable
others securities: disable
3) firewall policy 3
source:int3
ip: 1.0.1.0/24
destination:wan1
ip: all
services: all
4) firewall policy 4
source: int4
ip: 192.168.100.0/24
destination:wan2
ip: all
services: all
5) policy route 1:
incoming interface: int3
source: (blank)
destination: (all blank)
protocol: any
forward traffic : wan1
gateway address: 0.0.0.0
6) policy route 2:
incoming interface: int4
source: (blank)
destination: (all blank)
protocol: any
forward traffic : wan2
gateway address: 0.0.0.0
Here is the problem:
- a device under int3 can communicate with int2, but can't access the internet.
- Ethernet on the device under int3 has the following settings:
IP : 1.0.1.12
netmask: 255.255.255.0
gateway: 1.0.1.10
dns server: (dns given by ISP wan1)
Kindly please help.
Thank you
FortiGate is the only way!
I'm happy to try and help. Are you able to provide a screenshot of your firewall policy created for devices sourced from Internal3 > WAN1, as well as the routes currently set up, so I can see what is configured?
I would work my way from the bottom up, i.e. ensure the device has the correct IP, ensure that it can ping the default gateway, etc. If the device can ping the default gateway, that means it is reaching the firewall; if so, try doing an nslookup and see if you can resolve DNS. It could be that you have a DNS issue, or perhaps the NAT option isn't selected in your policy. I'd also run some ping/DNS tests from the firewall's WAN1 interface to ensure your external circuit is operating properly.
If you can run those tests and show me the CLI output or a screenshot of the policy in the GUI, as well as the routes, that'll be helpful in understanding what is currently configured and how the firewall will handle traffic.
Regards,
Dan.
Also, you posted the following:
- Ethernet on the device under int3 has the following settings:
IP : 1.0.1.12
netmask: 255.255.255.0
gateway: 1.0.1.12
dns server: (dns given by ISP wan1)
Not sure if this is a typo, but the IP and gateway are the same address. As mentioned, I'd go through those tests first, confirming IP details are required, running pings/nslookups to test connectivity to the gateway, internet, etc. This should hopefully shed some light.
Yes, correct, it was a typo.
However, now I've set the IP on the device:
IP: 1.0.1.12
gateway: 1.0.1.10
dns server: 1.0.1.10
From the device:
- ping to gateway 1.0.1.10 -> replied 100%
- ping to gateway isp -> replied 100%
- ping to google.com -> could not find the host....
Hello,
thanks for the answer.
After I checked:
1. NAT and IP Pool have been set as you said.
2. from the device connected to int3,
- ping to 1.0.1.10 -> replied (not RTO)
- ping to gateway ISP -> replied
3. from CLI, set interface to int3 (using ping-option source)
- ping to 1.0.1.10 -> replied (not RTO)
- ping to gateway ISP -> lost 100%
4. from CLI, set interface to wan1 (using ping-option source)
- ping to gateway ISP -> replied
- ping to google.com -> replied
Attached is a screenshot of the firewall policy from int3 to wan1.
Thanks.
Hello,
I will try also to shed some light if you don't mind.
Did you also try to ping 8.8.8.8? I am asking this because if you managed to do so, then maybe there is a problem with your DNS and not with the connection overall.
Also, I know it is a generic question, but are your IP routes configured correctly? Because in your above screenshot I cannot detect anything wrong. (Maybe I would change the Inspection Mode to Flow just for testing.)
Regards
Thanks for sharing.
Tried to ping 8.8.8.8 from:
device -> RTO
fortigate, using ping-option source 1.0.1.10 then exec ping 8.8.8.8 -> RTO
What I wonder is, when I ping the ISP gateway from the device, it returns a reply,
but when I ping from the FortiGate using source 1.0.1.10, packet loss (RTO).
I've tried switching the policy int3 to WAN1 to flow mode; still can't ping outside.
Switching from proxy mode to flow mode takes effect instantly, correct?
By the way, the FortiOS version is 7.2.4.
Thanks
I am in agreement with elsantas, this is definitely an issue with either DNS or routing. Since you can resolve DNS and ping ISP from the WAN interface I would hazard a guess that this is a routing issue. Can you show us the routes you currently have setup?
3. from CLI, set interface to int3 (using ping-option source)
- ping to 1.0.1.10 -> replied (not RTO)
- ping to gateway ISP -> lost 100%
4. from CLI, set interface to wan1 (using ping-option source)
- ping to gateway ISP -> replied
- ping to google.com -> replied
You can run a traceroute from that source IP to see where it fails, which will help identify the issue. Can you also shed some light on the topology you have set up? I'm noticing that you're using public addressing; is this a transit network?
Created on 07-11-2023 01:58 AM Edited on 07-11-2023 02:02 AM
Hello,
here is a tracert to the ISP gateway x.x.x.x from the device under int3:
Tracing route to X.X.X.X over a maximum of 30 hops
1 2 ms 1 ms 1 ms 1.0.1.10
2 2 ms 2 ms 1 ms X.X.X.X
static routes:
only have entries for the IPsec VPN.
Updated the policy routes; now there is only:
source interface: int4
action: forward traffic
gateway address: 0.0.0.0
outgoing interface: wan2
Hi papapuff,
If you do not have any static routes set up, how are you routing traffic to the outside?
If you're using the WAN interfaces as DHCP clients, the ISP may push the IP and a default route; in that case you don't need to configure static routes. If not, static routes will be required, which in your case may look something like this:
Destination: 0.0.0.0/0.0.0.0
Gateway: WAN1 Gateway
Interface: Port3
Administrative Distance: 10
Priority: 1
Destination: 0.0.0.0/0.0.0.0
Gateway: WAN2 Gateway
Interface: Port4
Administrative Distance: 10
Priority: 1
Regards,
Dan.
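To show how FortiOS would pick between the two default routes Dan suggests, here is an added Python model of its route selection (my own illustration, not code from the thread or from Fortinet): longest prefix first, then lowest administrative distance, then lowest priority value, with several survivors meaning ECMP. The interface names follow the original post (wan1/wan2 rather than Port3/Port4) and the ISP gateway addresses are placeholders; with both defaults at distance 10 and priority 1 they are ECMP candidates, so pinning int3 to WAN1 and int4 to WAN2 still depends on the policy routes or on giving one default a worse priority.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str          # destination network, e.g. "0.0.0.0/0"
    gateway: str         # next hop; "0.0.0.0" for a directly connected network
    iface: str           # outgoing interface
    distance: int = 10   # FortiOS administrative distance (lower wins)
    priority: int = 1    # FortiOS priority, compared only when distance ties (lower wins)


def select_routes(routes, dst):
    """Candidates for dst, narrowed the way FortiOS does it:
    longest prefix, then lowest distance, then lowest priority.
    More than one survivor means ECMP across those next hops."""
    dst_ip = ipaddress.ip_address(dst)
    cands = [r for r in routes if dst_ip in ipaddress.ip_network(r.prefix)]
    for key in (lambda r: -ipaddress.ip_network(r.prefix).prefixlen,
                lambda r: r.distance,
                lambda r: r.priority):
        if cands:
            best = min(key(r) for r in cands)
            cands = [r for r in cands if key(r) == best]
    return cands


def egress_interfaces(routes, dst):
    """Sorted list of interfaces dst would leave through (empty = no route)."""
    return sorted(r.iface for r in select_routes(routes, dst))


# Constructed table: only the connected networks from the original post.
CONNECTED = [
    Route("1.0.0.0/24", "0.0.0.0", "int2"),
    Route("1.0.1.0/24", "0.0.0.0", "int3"),
    Route("192.168.100.0/24", "0.0.0.0", "int4"),
]
# Placeholder gateways; the thread does not give the real ISP addresses.
WAN1_GW, WAN2_GW = "203.0.113.1", "198.51.100.1"

# Dan's suggestion as posted: both defaults at distance 10, priority 1 (ECMP).
EQUAL_DEFAULTS = CONNECTED + [
    Route("0.0.0.0/0", WAN1_GW, "wan1", 10, 1),
    Route("0.0.0.0/0", WAN2_GW, "wan2", 10, 1),
]
# Same routes with WAN2 demoted, so WAN1 alone carries the default.
WAN1_PREFERRED = CONNECTED + [
    Route("0.0.0.0/0", WAN1_GW, "wan1", 10, 1),
    Route("0.0.0.0/0", WAN2_GW, "wan2", 10, 5),
]

if __name__ == "__main__":
    for name, table in [("connected only", CONNECTED),
                        ("equal defaults", EQUAL_DEFAULTS),
                        ("wan1 preferred", WAN1_PREFERRED)]:
        print(f"{name:15} 8.8.8.8 -> {egress_interfaces(table, '8.8.8.8') or 'no route'}")
```

With the connected-only table the lookup for 8.8.8.8 returns nothing, which is the symptom seen when pinging from source 1.0.1.10.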