Request for Site Access via Specific Port
Hi,
We need assistance with a network configuration. We have two internet modems in our current setup:
1. A fiber connection linked to the Forti WAN port.
2. A DIA with a static IP connected to Forti port number 4.
The internet is functioning correctly from the WAN port; now we need user logins to specified sites to go exclusively through port number 4.
Modem: FortiWiFi 30E
Firmware: v6.2.15 build1378 (GA)
Labels: FortiGate
In step 4 (firewall policy), destination should be All.
Then go to SD-WAN rules, and add the following rule:
- source: all
- destination: site1.com, site2.com
- strategy: manual
- interface preference: port4
Then add another SD-WAN rule "below" the previous one:
- source: all
- destination: all
- strategy: manual
- interface preference: WAN
That will make things work exactly the way you requested.
I found two cloud servers not running. All servers are now working fine.
Created on 04-05-2024 05:40 PM Edited on 04-05-2024 05:40 PM
First, is your WAN interface configured as DHCP, PPPoE or static?
WAN is configured as static.
If that's the case, you can configure the static routes via the GUI; it should work fine if you configured the gateway properly. Below are my 40F's static routes. The last one is the one I created with an FQDN "test" address object. Mine is PPPoE, so I had to configure dynamic-gateway via the CLI, but in your case the gateway IP you configured should be there.
Can you share your screen? You must have created a couple of static routes, including the one for "fast.com".
Toshi
You said port4 has a static IP. And you need to set the static routes toward port4 with the GW IP. Nothing to do with the wan side.
Sorry.
Toshi
Created on 04-05-2024 07:10 PM Edited on 04-05-2024 07:10 PM
Please check our configuration for the WAN port, Port #4, and the static route.
[Screenshots: WAN port, Port #4, Static Route]
So far looks fine. Can you ping "fast.com"? Since I can ping it from my 40F, you should be able to. If not, try traceroute.
fg40f-utm (root) # exe ping fast.com
PING fast.com (23.5.241.75): 56 data bytes
64 bytes from 23.5.241.75: icmp_seq=0 ttl=55 time=19.7 ms
64 bytes from 23.5.241.75: icmp_seq=1 ttl=55 time=19.6 ms
64 bytes from 23.5.241.75: icmp_seq=2 ttl=55 time=19.6 ms
64 bytes from 23.5.241.75: icmp_seq=3 ttl=55 time=19.6 ms
64 bytes from 23.5.241.75: icmp_seq=4 ttl=55 time=19.6 ms
--- fast.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 19.6/19.6/19.7 ms
fg40f-utm (root) # exe traceroute fast.com
traceroute to fast.com (23.5.241.75), 32 hops max, 3 probe packets per hop, 84 byte packets
1 63.231.10.70 <tukw-dsl-gw70.tukw.qwest.net> 1.366 ms 1.881 ms 1.909 ms
2 63.226.198.41 <63-226-198-41.tukw.qwest.net> 2.014 ms 1.898 ms 1.900 ms
3 * * *
4 4.69.219.65 <ae2.3605.edge9.sanjose1.level3.net> 18.981 ms * *
5 4.14.32.70 <citigroup-i.bar2.sanfrancisco1.level3.net> 200.976 ms 124.634 ms 203.926 ms
6 * * *
7 * * *
8 23.5.241.75 <fast.com> 19.540 ms 19.830 ms 19.459 ms
Toshi
By the way, this "fast.com" seems to be a speedtest site. Then the server destinations the test packets go to/come from are most unlikely to be what the "fast.com" FQDN resolves to.
So routing only "fast.com" wouldn't actually test the internet bandwidth through port4.
If you want to test that particular path's bandwidth, add a static default route toward port4, then take the wan side down, like just unplugging the cable.
Toshi
I know that; we need our ERP system going from port no. 4.
Created on 04-06-2024 08:10 AM Edited on 04-06-2024 08:48 AM
I tried today, and our system going from port no. 4 is working fine. Maybe it took some time. Thanks for your support.
Also, please share how to configure the Forti via CLI, because I'll install a new Forti with ver 7.xx and need to configure the same via CLI.
You just need to figure out where in the CLI those config items you've done are located. Then take a look at how the result of your GUI config looks in the CLI with the "show" command.
Those are under:
config firewall address
config router static
config firewall policy
For example my address object "test" and the static route look like below:
config firewall address
    edit "test"
        set uuid 286cf9f2-f39a-51ee-a696-8764c440c169 <-- You don't configure UUID. It's automatically generated.
        set type fqdn
        set allow-routing enable
        set fqdn "www.toshiesumi.com"
    next
end
config router static
    edit 7
        set device "LumenV201"
        set dynamic-gateway enable
        set dstaddr "test"
    next
end
Toshi
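As an added example (not the poster's configuration, and not taken from Fortinet documentation), here is the same static-route approach written out for the OP's case, where port4 has a static IP and therefore uses `set gateway` instead of `set dynamic-gateway`, together with the outbound firewall policy the thread says is needed with destination "all". The address name "erp-site", the FQDN, the gateway IP and the LAN interface name "internal" are placeholders; confirm the real interface name with `get system interface`.

```fortios
# Added example, not the poster's config. Placeholders: erp.example.com,
# 198.51.100.1 (DIA provider gateway), "internal" (LAN interface name).
# FQDN address object; allow-routing must be enabled before a static
# route can reference it in dstaddr.
config firewall address
    edit "erp-site"
        set type fqdn
        set fqdn "erp.example.com"
        set allow-routing enable
    next
end
# Static route toward port4. "edit 0" takes the next free sequence number.
# Only the IPs the FQDN currently resolves to take this path (see the
# fast.com caveat above); everything else follows the default route on wan.
config router static
    edit 0
        set device "port4"
        set gateway 198.51.100.1
        set dstaddr "erp-site"
    next
end
# Policy permitting LAN traffic out of port4. Destination stays "all" so the
# route, not the policy, decides which traffic uses port4. NAT is required
# because the DIA provider only knows port4's static IP. Logging lets you
# confirm in the forward log that ERP sessions leave via port4.
config firewall policy
    edit 0
        set name "lan-to-port4"
        set srcintf "internal"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

To verify the path while a client opens the ERP site, sniff on port4 with `diagnose sniffer packet port4 'host <erp-server-ip>' 4`; if nothing appears, check that the DNS answer the FortiGate caches for the FQDN matches the address the clients resolve.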