Hi everyone,
A few days ago I configured the WAN1 internet connection (FTTH) on my FGT60E via PPPoE on VLAN ID XXX (VLAN ID provided by the connectivity provider).
The physical router of the old FTTC connection has been removed.
Unfortunately, the SSL VPN portal is unreachable.
And port redirection also doesn't work... (80, 443 directed to the LAN) :((
I updated the VIP by entering the address assigned to me by the PPPoE negotiation as the external IP, but it doesn't work anyway... What am I missing? I have never worked with WAN connections that have VLANs.
Thank you all.
Does anyone have any ideas? I have a bad headache and I don't know where to look anymore.
Hey Flamba1,
did you configure a VLAN interface on top of the WAN interface to handle the VLAN tagging?
If yes, you might need to ensure that your VIPs and SSLVPN use the VLAN interface in their configuration, not the physical interface.
Outbound traffic works, the authentication works and I see the public IP that is assigned to me.
On the physical interface wan1 I set a manual IP of 0.0.0.0,
but I don't understand this very well:
"you might need to ensure that your VIPs and SSLVPN use the VLAN interface in their configuration"
On my internal interface I have no VLAN.
In the virtual IP configuration I set the interface to the VLAN on wan1.
In the external IP of the VIP I set the public IP assigned by the provider.
In the internal IP of the VIP I set the IP address of a machine on my internal network.
Then I created the IPv4 policy...
Am I doing something wrong?
Hey Flamba:
- regarding your SSLVPN, you can set what interface it listens on. Set the VLAN interface.
- regarding your VIP, you can set an external interface; you already selected the VLAN interface?
That should be all that is required (in addition to policies from VLAN interface to internal with destination VIP, and SSLVPN interface to internal).
As long as your provider tags the traffic properly, FortiGate should treat it as arriving on the VLAN interface.
If the traffic is untagged, FortiGate will treat it as belonging to the WAN interface though - you might need a packet capture to verify that the traffic IS actually tagged (or check with your ISP if they use VLAN tags or not).
All correct... not working.
Later I will try to do a packet capture.
sorry to hear that you're still having issues.
I would suggest two packet captures - on your WAN interface, and your VLAN interface. You should see roughly the same traffic on them; if there is a difference (especially with incoming traffic) that could mean traffic is not actually hitting the VLAN interface (probably missing VLAN tag), for example.
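An added example, not part of the thread or written by any participant: one way to check offline whether captured frames carry an 802.1Q tag in front of the PPPoE session, which is what the two captures above are meant to reveal. The VLAN ID 100, the documentation IP addresses, and the function names are constructed for illustration.

```python
import struct

ETH_8021Q, ETH_PPPOE_SESSION, ETH_IPV4, PPP_IPV4 = 0x8100, 0x8864, 0x0800, 0x0021

def classify_frame(frame: bytes) -> dict:
    """Report the VLAN ID (None if untagged), PPPoE use and TCP destination port."""
    info = {"vlan": None, "pppoe": False, "dport": None}
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off = 14
    if ethertype == ETH_8021Q:                      # 802.1Q tag: TPID, then TCI + inner type
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        info["vlan"] = tci & 0x0FFF                 # low 12 bits of the TCI are the VLAN ID
        off = 18
    if ethertype == ETH_PPPOE_SESSION:              # 6-byte PPPoE header + 2-byte PPP protocol
        if len(frame) < off + 8:
            raise ValueError("truncated PPPoE header")
        info["pppoe"] = True
        ppp_proto = struct.unpack_from("!H", frame, off + 6)[0]
        off += 8
        if ppp_proto != PPP_IPV4:
            return info
    elif ethertype != ETH_IPV4:
        return info
    if len(frame) < off + 20:
        return info
    ihl = (frame[off] & 0x0F) * 4                   # IPv4 header length in bytes
    if frame[off + 9] == 6 and len(frame) >= off + ihl + 4:   # protocol 6 = TCP
        info["dport"] = struct.unpack_from("!H", frame, off + ihl + 2)[0]
    return info

def arrival_interface(info: dict, configured_vlan: int) -> str:
    """Map a frame to the interface it is treated as arriving on, per the replies above."""
    if info["vlan"] is None:
        return "physical WAN interface"
    # A tag with a different ID is not discussed in the thread; it is labelled separately here.
    return "VLAN interface" if info["vlan"] == configured_vlan else "other VLAN"

def build_sample(vlan, dport: int) -> bytes:
    """Constructed test frame: Ethernet [+ 802.1Q] + PPPoE session + IPv4 + TCP SYN."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([203, 0, 113, 5]))
    ppp = struct.pack("!H", PPP_IPV4) + ip + tcp
    tag = struct.pack("!HH", ETH_8021Q, vlan) if vlan is not None else b""
    return (bytes(12) + tag + struct.pack("!H", ETH_PPPOE_SESSION)
            + struct.pack("!BBHH", 0x11, 0x00, 1, len(ppp)) + ppp)
```

Calling `classify_frame(build_sample(100, 443))` and passing the result to `arrival_interface(..., 100)` shows the tagged case; `build_sample(None, 443)` shows the untagged one.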
If the VLAN tag is missing, what can I do?
I think this is the problem.
Hey flamba,
in that case, FortiGate would assume the traffic is arriving on the WAN interface only, and your VIP etc would need to use the WAN interface, not the VLAN interface; FortiGate needs the VLAN tag in traffic to determine that traffic belongs to a VLAN interface.
Verify with your ISP if they tag the VLAN or not. If they do not, then just don't do any VLAN config on FGT. If they do tag the VLAN, but you still have the issue, that probably needs more troubleshooting than a forum post can provide; I would suggest you open a ticket with Technical Support.
Problem solved!!! In the VLAN configuration there was an incorrect distance value!!!