Support Forum
sunu
New Contributor

Physical Lan Interface configuration

Hi,

I can't find the LAN interface list in the FortiGate web console. It is showing only one interface, so I can't create another physical interface. Please, does anybody know how to solve this?

The firmware is version v5.2.1, build618 (GA) and I am using a FortiGate 60D.

1 Solution
ede_pfau
SuperUser

Hi,

By default the LAN ports on desktop models are switch ports.

They are represented as just one interface because they all belong to the same broadcast domain / same subnet.

If you want to use more ports you have to change the port mode from 'switch' to 'interface'. You can do so in the Network > Interface section. Beware that all configuration related to the 'internal' port needs to be removed before you are allowed to switch the mode. Check these:

- policies
- address objects assigned to that interface
- DHCP server
- static routes

 

Ede Kernel panic: Aiee, killing interrupt handler!

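The mode change described in the accepted answer, written out as FortiOS CLI. This is an added example, not code from the original post or from Fortinet's documentation. It assumes a desktop model whose internal switch is controlled by `internal-switch-mode` under `config system global` (as on the 60D with the 5.2 firmware named in the question); the object ids and names being deleted are placeholders for whatever references the switched 'internal' port in your own configuration.

```fortios
# Added example. Every object that references the switched "internal" port
# must go first, otherwise the mode change is refused. Ids/names below are
# placeholders: list your own with "show firewall policy", "show firewall
# address", "show system dhcp server" and "show router static".
config firewall policy
    delete 1                  # policy whose srcintf or dstintf is "internal"
end
config firewall address
    delete "internal_lan"     # address object associated with "internal"
end
config system dhcp server
    delete 1                  # DHCP scope served on "internal"
end
config router static
    delete 2                  # static route whose device is "internal"
end

# Now split the hardware switch into individual interfaces.
config system global
    set internal-switch-mode interface
end

# The ports now appear as internal1 ... internal7 on a 60D, each of which
# can carry its own IP address, DHCP server and policies.
show system interface
```

Do this over a console or the WAN-side management address: if the session itself rides on the 'internal' port, the interface will drop mid-change and take the session with it.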
sunu
New Contributor

These are my remote FortiGate policies.

rwpatterson
Valued Contributor III

What about the routes on both devices?

# config router static
# show

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

sunu

In the local network (the local network is on internal1):

 

config router static
    edit 1
        set gateway 192.168.0.1
        set device "internal7"
    next
    edit 2
        set gateway 192.168.0.1
        set device "internal2"
    next
end

In the remote network:

DXB (static) # show

DXB (static) #

Nothing is showing here.
sunu
New Contributor

I think the problem is with the local FortiGate. I can ping the local gateway of all our remote networks. But from the remote side I can't ping the local network's internal1 interface.

In the local IPsec Monitor it is showing some traffic, like

sunu
New Contributor

Hi Ede,

I think I have made you totally confused.

I am glad to say my VPN is up and working properly.

Actually my problem before (from the beginning) was that I need multiple subnets, but my FortiGate was in switch mode.

I changed it to interface mode. I followed Dave Hall's post to edit my conf file in a text editor and then restored it to the FortiGate.

I added everything and the VPN showed UP, but there was no traffic through the tunnel because of the policies. I revised the policies and now it's working.

Actually my VPN is in tunnel mode. When I mentioned "interface mode" before, it was about my FortiGate's switch mode.

I am really thankful to all of you guys.

Actually I learn about FortiGate from this forum. It's really helpful.

sunu
New Contributor

Hi Ede, I have one doubt. Here I have included one picture describing our VPN network. We added one FGT70D to our VPN and its status is showing UP, but there is no traffic between the two. In our main office we have two subnets, 192.168.0.0/23 and 192.168.1.0/24, and the remote site also has 192.168.1.0/24. Does this cause the problem? In the main office the telephone system uses the 1.0/24 subnet and the PCs are connected to the telephones.

The other VPN connections are working well.

The FGT70D WAN is configured with a static IP from the ISP, and the main office FGT60D is on PPPoE with FortiDDNS for DNS.

Would changing the subnet solve the issue, or do I need to make some other configuration change?

Please give me any suggestion.

ede_pfau
SuperUser

What do you intend to do with a policy from WAN to LAN?

You cannot access a private address like 192.168.x.y over the internet; they are not routed. That's why they are called 'private' addresses.

So depending on your intentions you need to change the config.

Ede Kernel panic: Aiee, killing interrupt handler!
ede_pfau
SuperUser

OK, if I get you right you want to access a server on the remote subnet behind a VPN tunnel.

For this, you need to allow that traffic.

Traffic to the server is not coming from the WAN interface - it's coming from the tunnel! A VPN tunnel is represented by the tunnel interface. The interface is named after the phase 1.

So in your case you need (at least) these policies:

on your FGT (local side):
- source IF: internal
- source addr: <local subnet>
- dest IF: <tunnel IF>
- dest addr: <remote subnet behind tunnel>
- no NAT

on the remote FGT:
- source IF: <tunnel IF>
- source addr: <remote subnet behind tunnel>
- dest IF: internal
- dest addr: <local subnet>

where 'IF' stands for 'interface'.

Ede Kernel panic: Aiee, killing interrupt handler!
rwpatterson
Valued Contributor III

Also, the remote router needs to know that the path to your network is through the VPN tunnel (it isn't the default).

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ede_pfau
SuperUser

sunu,

please delete these policies.

One of them has action 'IPSEC', which is totally wrong.

Let's clarify:

- you need the tunnel definition (phase 1) in 'Interface mode'. Please check that this is enabled. This 'Interface mode' has nothing to do with your physical ports' switch/interface mode!!!
- the policies need to be from 'internal' to 'tunnelname' and vice versa. The 'wan' interface is NEVER used in this. Please re-read my previous post.
- you need one static route on each FortiGate, pointing the remote private LAN to the tunnel.

If this all seems Greek to you then I suggest you read the basics on VPN in the FortiOS Handbook. Otherwise, I fear we don't talk the same language.

Ede Kernel panic: Aiee, killing interrupt handler!
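The three items Ede lists (phase 1 in interface mode, internal-to-tunnel policies without NAT, and a static route into the tunnel), plus Bob's point about the remote side's route, written out as FortiOS CLI for the local FortiGate. This is an added example, not configuration from the thread or from Fortinet; the tunnel name `to_remote`, the peer address 203.0.113.10, the subnets 192.168.0.0/24 and 192.168.5.0/24 and the use of `wan1` are constructed placeholders. The remote FortiGate gets the mirror image with the subnets swapped.

```fortios
# Added example for the LOCAL FortiGate. All names, addresses and subnets
# are constructed placeholders; replace them with your own.

# 1. Phase 1 in interface mode. This is what creates a tunnel interface
#    named "to_remote" that policies and routes can reference.
config vpn ipsec phase1-interface
    edit "to_remote"
        set interface "wan1"
        set remote-gw 203.0.113.10      # placeholder: remote FortiGate's public IP
        set psksecret <pre-shared key>  # placeholder, never a dictionary word
    next
end
config vpn ipsec phase2-interface
    edit "to_remote_p2"
        set phase1name "to_remote"
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 192.168.5.0 255.255.255.0
    next
end

# 2. Address objects for the two LANs. They must not overlap.
config firewall address
    edit "local_lan"
        set subnet 192.168.0.0 255.255.255.0
    next
    edit "remote_lan"
        set subnet 192.168.5.0 255.255.255.0
    next
end

# 3. Policies between the LAN port and the tunnel interface, both directions,
#    action accept, NAT off. The wan interface is not referenced at all.
#    Use "internal1" instead of "internal" if the switch has been split.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "to_remote"
        set srcaddr "local_lan"
        set dstaddr "remote_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set srcintf "to_remote"
        set dstintf "internal"
        set srcaddr "remote_lan"
        set dstaddr "local_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# 4. Static route: send the remote LAN into the tunnel interface. Without it
#    the traffic follows the default route out of wan1 and never enters the VPN.
config router static
    edit 0
        set dst 192.168.5.0 255.255.255.0
        set device "to_remote"
    next
end
```

After both sides are configured, `diagnose vpn tunnel list` shows whether the phase 2 selectors came up and `get router info routing-table all` confirms that the remote subnet is routed via `to_remote` rather than the default route. One caveat from the thread itself: 192.168.0.0/23 already contains 192.168.1.0/24, so a remote LAN on 192.168.1.0/24 cannot be reached through the tunnel with plain routing; either renumber one side or add NAT on the tunnel policy, and narrow `service "ALL"` to what the remote site actually needs once the tunnel passes traffic.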