Support Forum
UnderscoresAndDashes
Contributor

Wanting to eliminate a Fortigate acting as an Internet service provider managed router.

I have an AT&T fiber circuit where they hand off to me using a /30, but give me an IP range using a /28.

So for example Handoff IP is 1.2.3.8/255.255.255.252 Handoff Gateway 1.2.3.7 

Usable IP Range 1.2.3.9-1.2.3.23

 

Since AT&T did not install their own managed router, I opted to use a Fortigate 80E to handle the NAT. 

80E Wan1 is IP'd to 1.2.3.8/255.255.255.252 Static route 0.0.0.0/0 gateway 1.2.3.7

80E Lan is IP'd to 1.2.3.9/255.255.255.240 

 

On the internal side of the network, I have a 100F that has its wan1 IP set to 1.2.3.11/255.255.255.240

sdwan gateway 1.2.3.9

 

All of this was working fine, until I could no longer establish IPSec tunnels using port 500. FortiTac says it's an AT&T problem, AT&T says it's a firewall problem.

 

So my question is, is there a way to eliminate the 80E as the management router for the AT&T circuit and bring the handoff straight to the 100F and still be able to use the /28 AT&T provided us? Any help would be appreciated. If any clarification is needed, please do not hesitate to ask.

 

Thank you. 

Dhruvin_patel

Greetings!

 

To eliminate the FortiGate 80E as the management router for the AT&T circuit and bring the handoff directly to the FortiGate 100F while still utilizing the /28 IP range provided by AT&T, you can follow these steps:

 

1. Configure the WAN1 interface of the FortiGate 100F with the IP address 1.2.3.9/255.255.255.240, which falls within the usable IP range provided by AT&T.

 

2. Update the static route on the FortiGate 100F to point the default route (0.0.0.0/0) to the gateway IP 1.2.3.7, which is the handoff gateway provided by AT&T.

 

3. Ensure that the necessary firewall policies are in place on the FortiGate 100F to allow traffic for IPsec tunnels using port 500.

 

By following these steps, you can bypass the FortiGate 80E and have the FortiGate 100F directly manage the AT&T circuit while still utilizing the IP range provided by AT&T. This setup should help resolve any issues related to establishing IPsec tunnels using port 500.

 

Regards!

Dhruvin Patel
dingjerry_FTNT

Hi @UnderscoresAndDashes,

 

You have to talk to AT&T first to check the handoff IPs.

 

Reasons:

 

1) 1.2.3.8/30 

1.2.3.8 is the network ID and usable IPs for this subnet are 1.2.3.9 and 1.2.3.10, so I wonder why you got 1.2.3.7 as the gateway IP.

 

2) If 1.2.3.8 is with /28

The subnet range is 1.2.3.0 - 1.2.3.15.  The usable IP range 1.2.3.9-1.2.3.23 you got is not covered by /28.  It has to be /27 at least to cover the usable IP range within the same subnet.

 

 

Regards,

Jerry
Toshi_Esumi
SuperUser

If you got 1.2.3.7 as the interface/handoff GW and the subnet is /30, the subnet is most likely 1.2.3.4/30 and your FGT wan interface should have 1.2.3.6/30.
But the additional /28 is overlapping with the interface subnet, which AT&T regularly wouldn't do. As @dingjerry_FTNT suggests, talk to AT&T and verify the exact subnet for the interface as well as the additional /28.

Toshi

Toshi_Esumi

Wait. I miscalculated it. If 1.2.3.4/30 is the interface subnet, the GW IP should be 1.2.3.6 because 1.2.3.7 is the broadcast IP of the /30. So the entire thing doesn't make sense.

 

Toshi

UnderscoresAndDashes

This is the last octet and subnet mask of the Management router Wan1 (Handoff) [screenshot: last octect and subnet mask of the Management router Wan1.jpg]

This is the Gateway of the Handoff [screenshot: This is the Gateway of the Handoff.jpg]

This is the Lan side of the Management router [screenshot: This is the Lan side of the Management router.jpg]

This is the Wan of the 100F [screenshot: This is the Wan of the 100F.jpg]

This is the gateway inside a SDWan zone. [screenshot: This is the gateway inside a SDWan zone.jpg]

I hope this clarifies it more. Thank you again for taking the time.

 

 

Toshi_Esumi

You shouldn't have masked a part of the last octet. x.x.x.218 (.216/30) and x.x.x.129 (.128/28) are very far away from each other even if x.x.x are the same.
Now we can understand your original post.

The direct answer to your question is: if you want to eliminate the 80E, the device/router terminating the IPsec has to do the same as the 80E is currently doing: terminate the circuit with the /30 subnet, then take the IPsec traffic with the /28 IPs by itself.
That means the 80E has to be physically taken out from the network.

I would rather fight with AT&T by relaying what FTNT TAC saw in the debug session as the evidence why you believe the problem is on AT&T's side. What exactly did TAC say/see?

Toshi
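The subnet arithmetic Jerry and Toshi work through above, as an added Python check that is not part of any post in this thread. It takes the addressing as quoted and reports what each reply found: whether the gateway is a usable host of the WAN /30, what the WAN address becomes if read with the /28, the smallest prefix that covers the quoted usable range, and whether that block overlaps the WAN subnet. The second case uses a constructed 203.0.113 prefix for the x.x.x in Toshi's later post and assumes a .217 gateway and a .129-.142 usable range; those values are assumptions, not from the thread.

```python
import ipaddress

def covering_block(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every address from first to last."""
    block = ipaddress.ip_network(f"{first}/32")
    last_ip = ipaddress.ip_address(last)
    while last_ip not in block:      # widen one bit at a time until the range fits
        block = block.supernet()
    return block

def handoff_findings(wan_ip: str, wan_mask: str, gateway: str,
                     first_usable: str, last_usable: str, quoted_prefix: int) -> dict:
    """Reproduce the checks made in the replies for one provider handoff."""
    wan_net = ipaddress.ip_interface(f"{wan_ip}/{wan_mask}").network
    gw = ipaddress.ip_address(gateway)
    block = covering_block(first_usable, last_usable)
    return {
        # the subnet the WAN interface really sits in (1.2.3.8/30 for the OP's numbers)
        "wan_network": str(wan_net),
        # a gateway must be a usable host of that subnet, not its network/broadcast
        "gateway_in_wan_subnet": gw in list(wan_net.hosts()),
        # Jerry's point 2: the same WAN address read with the quoted /28 prefix
        "wan_with_quoted_prefix": str(ipaddress.ip_interface(f"{wan_ip}/{quoted_prefix}").network),
        # smallest prefix that actually covers the usable range the provider listed
        "covering_block": str(block),
        "range_fits_quoted_prefix": block.prefixlen >= quoted_prefix,
        # Toshi's point: an interface /30 and the customer block should not overlap
        "blocks_overlap": wan_net.overlaps(block),
    }

# Case A: the numbers exactly as the original post quoted them.
OP_AS_POSTED = handoff_findings("1.2.3.8", "255.255.255.252", "1.2.3.7",
                                "1.2.3.9", "1.2.3.23", 28)

# Case B: Toshi's reading of the screenshots (.218 in .216/30, .129 in .128/28).
# The 203.0.113 prefix, the .217 gateway and the .129-.142 range are constructed
# stand-ins for the x.x.x values the thread does not reveal.
SCREENSHOT_READING = handoff_findings("203.0.113.218", "255.255.255.252",
                                      "203.0.113.217", "203.0.113.129",
                                      "203.0.113.142", 28)

if __name__ == "__main__":
    for name, result in (("as posted", OP_AS_POSTED),
                         ("screenshot reading", SCREENSHOT_READING)):
        print(name)
        for key, value in result.items():
            print(f"  {key}: {value}")
```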

UnderscoresAndDashes

TAC saw what I saw. That any traffic exiting the 80 was dying on port 500 after leaving the gate. I will continue the fight with AT&T.
