Hello All.
I very new to the world of networks and FortiGate so please excuse the question if it seems obvious.
I have a FortiWiFi 60D using 5.2 firmware.
I'm using a TP-Link ADSL Modem connected to WAN1 of the FortiWiFi, the Modem is setup in Bridge mode but has a LAN interface with an IP of 192.168.1.1 for management. I'm trying to Route to the ADSL modem from the LAN side of the FortiWiFi 60D with no luck. I have tried adding Static Routes pointing to this subnet being out the WAN1 which seems to be pushing the traffic out to the internet as I do a traceroute and the packets are heading to my ISP.
Please see attached Image of my setup to help explain.
Does anyone know the best way to try ad get this setup to work?
Thanks.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Bind a secondary IP address to the Fortigate's WAN1 port in the same subnet range as the modem's management IP. (i.e. 192.168.1.200).
Edit: alternately, setup a VIP port forward from your source interface (e.g. internal 0.0.0.0/0.0.0.0) to the 192.168.1.1 IP (behind WAN1); source port will be something like port 8080; dest port would be either port 80 or 443. When you set up the firewall policy, the source interface will be your internal interface (source IP 192.168.2.10/32) to your VIP address created above.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Just edited my post to provided a secondary solution. Just realized (after your second post) that a secondary IP is not an option on PPPoE connection.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Thanks David.
I give this a go this evening and let you know.
Thank you.
joe4agze wrote:Never tried it, but have used something similar to it -- you may need to alternate it/make it fit your scenario, maybe use a NAT source IP pool.I give this a go this evening and let you know.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Routing a private address to the WAN port has never worked for me.
What I have successfully done is to connect another modem LAN port to a free port on the FGT which is given an address from the same subnet, e.g. the dmz port with 192.168.1.2/24. The route is inserted automatically. Although it looks like there could be a network loop I've never had problems with this setup.
The only gotcha is that some modems only have a single LAN port...many have a small 4port switch. One could get by with a hub or switch in front of the modem if it happens to only have one port.
Hello and thanks for the reply.
The router I'm currently using at home is a TP-Link running the DD-WRT firmware which I must say is very configurable but obviously does not have the UTM, user and reporting functions of the Fortinet.
I can currently do the routing to my modem via some installed commands within DD-WRT settings which seems to be adding a secondary ip to the WAN interface which enables routing to the modem.
I guess it is no real biggie but I would have liked to retain this feature if possible.
I will try a few things as suggested and report back though that maybe in a few days now.
Thanks All.
Having the same issue and I think the only solution that I can come up with is either (as already suggested) use a second physical interface for management of the modem if it has multiple LAN interfaces or find a modem that will support having its management traffic on a VLAN (tagged), using both a VLAN subinterface for management and PPPoE for transit on the same physical interface. Thought I'd found a solution with a D-Link modem (handles mini-jumbo packets for full 1500 byte packets on PPPoE) but its VLAN implementation doesn't let you assign the management to a VLAN subinterface. Tried their support team and initial conversations seemed promising but they couldn't seem to escalate the request further enough up the chain.
There's a new box from Draytek (The Vigor 130) which is supposed to handle oversized frames with a future firmware update as well as PPPoE to PPPoA translation but I've yet to determine if it can be managed on a VLAN subinterface. If anyone finds a good quality ADSL/VDSL modem (preferably that's been tested on UK broadband circuits) that lets you manage it via a VLAN subinterface I'd be very keen to hear more about it. If used with a Draytek router, the router will even show the DSL stats of the connected modem in its GUI.
Last resort is badger Fortinet with feature requests to let you assign an IP to the 'host' ethernet interface used for PPPoE connections.
Hmm, writing the last post made me poke around a little further - seems the Draytek Vigor 130 won't let you do any VLAN tagging on the LAN side despite having the functionality to do so for the WAN side.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.