Hello everyone,
on "Dashboard -> System Information" it says "WAN IP - Unknown".
Do you know this issue?
Do i have to allow specific ports / Settings on WAN1?
The Firewall is a Fortigate 100E with Version 6.0.9 Build 0335 (GA).
I found something where people could "solve" this problem with 'diagnose sys waninfo' or 'diagnose sys waninfo ipify'.
But i is not working for me.
I can't see any denies on "Diag sniffer packet" or "syslog".
**********************************************************************
# diagnose sys waninfo Failed to get my public IP, ret=0 src_ip=0.0.0.0 vfid=-1(null) Command fail. Return code 5
**********************************************************************
********************************************************************** # diagnose sys waninfo ipify Try to get my public IP through [link]https://api.ipify.org[/link] with src_ip=0.0.0.0 vfid=0(root) ... Failed to get my public IP, ret=-1 src_ip=0.0.0.0 vfid=0(root) Command fail. Return code 5 **********************************************************************
Best Regards,
Danfor
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
That's just a command to check what IP it's using to go out to the internet, equivalent to type "what's my ip" in Google search. It wouldn't fix the problem you have. You basically don't have internet. That's what it means.
Check the WAN1 interface config under Network->Interface if it's matching ISP's or upstream router's setting, like DHCP or PPPoE. If everything is correct, then you need to call your ISP or whoever manage the upstream router.
FWIW, and if not obvious your wan-ip needs to be public and in the geo-db to begin with. So just want to point that out. I would find my public address and check a geoip source and then trouble shoot. If your using api.ipify.org, you can diagsniffer and see if it's connecting to the API interface if the request fails, than you need to trouble connectivity.
Ken Felix
PCNSE
NSE
StrongSwan
Hello,
"It wouldn't fix the problem you have" -> you're right. Just mentioned it because some people did this as "helpful workaround".
"You basically don't have internet" -> Thats the point. Internet connection works. I have a working Site2Site-VPN and a working traffic flow to the internet and vice versa.
What i forgot to mention: This WAN1 Interface has a public IP. It has a straight Link to the Internet.
That means, as far as i can see everything works fine, but it says "WAN IP unknown".
What's in your routing-table then?
"get router info routing-t all"
If you go to any IP checking website with any device on the network, it will show you the IP address that the interface is using, UNLESS you are part of a NAT pool. Additionally, as stated earlier, if you go to 'System, Network, wanx', it should show you the address that is being given to the interface.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Got the Problem.... DNS Request doesn't work.
Following scenario:
a Branch-Firewall with Outside-Interface IP 123.123.123.123 and an Inside-IF with 192.168.1.1
a HQ-Firewall with Outside-Interface IP 999.999.999.999 and an Inside-IF with 172.12.1.1
Both are connected via IPsec-Tunnel. The IPsec Tunnel is bound to each Outside-IF!
DNS-Servers are only in HQ.
If a Branch-client with 192.168.1.2 asks e.g. DNS-Request its IP-Source-Header is like 192.168.1.2.
The HQ-DNS-Server receives this packet and sends back to 192.168.1.2 over the HQ-Firewall.
The HQ-Firewall knows this Target IP 192.168.1.2 from routing Table and sends it back over IPsec-Tunnel and everything works.
Now the problem:
The Branch-Fortigate itself is sending a DNS-Request to HQ-DNS Server BUT with its Outside-IF IP 123.123.123.123 as source-header.
The HQ-DNS-Server receives this packet and sends back to 123.123.123.123 over the HQ-Firewall.
The HQ-Firewall knows this Target IP 123.123.123.123 from routing Table and sends it back over OUTSIDE-INTERFACE to the INTERNET because it is a public IP and should use the Default-Route.
And thats why is doesn't work.
What can i do here?
Best Regards
In the DNS setting set a source-ip to define the IP it should be coming from. There's a lot of services that benefit from this over a VPN tunnel, like LDAP and RADIUS or even just doing a ping across from the fortigate.
config sys dns
set source-ip
The alternative is to give your VPN tunnel routable interfaces rather than the default 0.0.0.0/0.0.0.0. Since that's essentially why it's source IP is the wan, the interface it is trying to go across is 0.0.0.0
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1702 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.