I've been reading through documentation to figure out where I've gone wrong since yesterday morning. My eyes hurt.
Fortigate 100D 2 with 5.0 OS.
Two WAN connections.
What I needed: two subnets, one for PCs and servers, the other for our new VOIP system. Offsite phones allowed to come through Wan2 to the phone system. SIP providers coming through Wan2.
What I did: I set physical port 16 up as an interface with its IP 192.168.0.1, and I grouped all other physical ports to 192.168.1.1.
192.168.1.1 is PC/Servers = lan
192.168.0.1 is the phone system = phnsys
Policy:
lan > phnsys allow all traffic always NAT OFF
phnsys > lan allow all traffic always NAT OFF
Wan2 > phnsys allow SIP, RTP, branch office to VIP Group NAT ON
phnsys > Wan2 allow all traffic always NAT ON
lan > Wan2 allow all traffic always NAT ON
Policy Route:
192.168.1.1 > 192.168.0.1 GW 0.0.0.0
192.168.0.1 > 192.168.1.1 GW 0.0.0.0
Any Port 80 > Wan2 GW Public IP Wan2
Anything else > Wan1 GW Public IP of Wan1
Virtual IPs for SIP, RTP, branch office ports, then grouped into a VIP Group. The Virtual IP was not the WAN2 public IP; it was another IP provided by the WAN2 ISP, but in the same subnet.
The issue: SIP connections from WAN2 > phnsys had many problems. Playing with the options within this configuration would eventually get it to connect again. However, routing softphones via SIP from lan > phnsys wouldn't work even though I was allowing all traffic between the two. Phones on the phnsys switch worked fine.
It seemed only one SIP provider could connect in at a time. We have two SIP providers and only the failover provider could get past the firewall.
I have actually deleted all policies, VIPs, policy routes, etc. from the firewall to start over. With Fortinet, is it better to use VLANs or dedicate a port to a subnet? Either way, Fortinet seems to interfere with SIP, and disabling policy-helper didn't fix anything.
Any suggestions? I'm bumfuzzled... next stop is a support call.