Fortigate 50E Behind NAT router for site-to-site VPN client

__ · ‎10-13-2021

Hello all,

I have a primary non-Fortinet router that I would like to place a Fortigate 50E behind. My goal is to configure the FortiGate as a site-to-site VPN endpoint/server to utilize the route when needing VPN services. My reasoning for not using the Fortigate as the main firewall is that this is a secondary appliance and I already have an established primary router of which I am very happy using. I do not want to reconfigure my entire network with all of its VLANs, Rules, Services, etc. to be able to use a proprietary VPN appliance. I believe that to be a reasonable enough use case.

Currently, I have the following interfaces configured:

[ul]

WAN interface for the 50E plugged into a standard upstream untagged VLAN (#100) with access to the internet.

LAN interface for the 50E plugged into a second standard untagged VLAN (#200) of which the computer(s) that will need the VPN is a member. The LAN interface is how I am reaching the management interface for the FortiGate.[/ul]

My current hiccup is that the Fortigate 50E cannot reach the internet. I've attempted the following:

[ul]

execute ping <local gateway on WAN interface> [FAIL]

execute ping <local gateway on LAN interface> [SUCCESS]

execute ping google.com [FAIL]

Modify DNS servers between Forti(Care|Guard|Net|Gate) servers, Local DNS servers, and Cloudflare/Google DNS servers.[ul]

Repeated all of the above for each new DNS server, [no change][/ul]

Modify the internal location of 50E between VLANs, switches, DMZ, etc., [no change]

Modify the WAN interface IP address between static/DHCP, [no change]

Added port forwarding in upstream router for 500/UDP (IPSec) and 4500/UDP (NAT-Traversal) to 50E's WAN interface due to this post. [no change][/ul]

Is there any hope for this scenario? I am not sure what in the 50E is preventing access to the internet unless it cannot function with an internal IP as the WAN gateway.

Toshi_Esumi · ‎10-13-2021

By the way, Forum discussions are not tickets. Just discussion threads.

View solution in original post

Toshi_Esumi · ‎10-13-2021

You need to go through regular troubleshooting process for the routing issues between the router and the 50E including the VLAN switch in-between (I assume this since there is no such thing as "untagged VLAN" on any FGTs) to make them pingable at least each others.

__ · ‎10-13-2021

"You need to go through regular troubleshooting process for the routing issues between the router and the 50E including the VLAN switch in-between"

I am asking what can be done on the Fortigate 50E to be able to reach anything other than an upstream ISP's gateway on the WAN interface. i.e., this device is connected to the network the same way as any other end device or network appliance and is not able to find a route to the internet. Later in the post, I detail the troubleshooting steps I have performed.

"there is no such thing as "untagged VLAN" on any FGTs"

When I say untagged, I am referring to the way that the Fortigate 50E is sitting on the internal network. It is connected to an untagged VLAN port, not tagged. This means that VLANs should be out of the picture with the 50E.

Please let me know if there is anything further I should clear up or anywhere else I can find a relevant support channel.

Regards.

Toshi_Esumi · ‎10-13-2021

You wrote: execute ping <local gateway on WAN interface> [FAIL]

That's why I thought they can't ping each other. Can they?

__ · ‎10-13-2021

The upstream router can ping the downstream Fortigate 50E's WAN interface. The FortiGate 50E cannot ping the upstream router via the WAN interface. This is where my confusion began and is the reason for posting.

Attached is a diagram that may help explain the ping issue. In the image, Router "A" is the upstream (non-FortiGate) router, and Router "B" is the FortiGate 50E.

There are other devices on the LAN that traverse the network with ease so the one common denominator that I can see is that there is a misconfiguration with the 50E to not allow traffic outbound of the 50E's WAN port because it does not know a route to take, having no way to specify the upstream gateway's address in the 50E's Admin UI.

To clarify further, I am wondering where the setting is to configure the WAN interface's upstream gateway. That setting appears to be missing.

Thanks for the help so far toshiesumi!

Toshi_Esumi · ‎10-13-2021

Router A's GW IP should be within the subnet FGT's/Router B's WAN IP. So there is no need for a route. It's directly connected. If you set up a two sessions like console ans SSH into the 50E, then sniff the traffic on the WAN interface in one session while you run "exe ping" in the other session, you should be able to see the packets are going out. As long as the interface is UP, there is not way stopping outgoing packets initiated from inside of the FGT.

__ · ‎10-13-2021

Thanks for all of the help! I'd like to mark this ticket as "Cannot Reproduce" or similar if deleting is not an option. I can only see an option to resolve the thread as "Answered".

The solution to this ended up being out of the FGT's control and is inherently off-topic for this forum.

Thanks again!

Toshi_Esumi · ‎10-13-2021

By the way, Forum discussions are not tickets. Just discussion threads.

gayansa · ‎10-14-2021

Hi,

Do you have a public IP in the internet interface of the router?

BR,

Gayan