FXLEWIS
New Contributor II

Fortinet 40F basic setup / connecting to the Internet

Hi -

New to FortiGate and a firewall newbie as well.

Current layout

Verizon FIOS G3100 router

  • 3 SSIDs
  • 1 with WPA2 @ 2.4 GHz (legacy)
  • 1 with WPA2 @ 5 GHz (legacy)
  • 1 with WPA3 @ 5 GHz
  • WAN IP 98.113.x.x (obviously not providing my WAN IP to the public - no offense)
  • Internal IP 192.168.1.1/24 internal network

Forti40F

  • I created 3 SSIDs to match what the G3100 currently has
  • SSID_1 - 10.1.10.1/255.255.255.0
  • SSID_2 - 10.1.20.1/255.255.255.0
  • SSID_3 - 10.1.30.1/255.255.255.0
  • LAN 1 on the Forti still has the factory IP 192.168.1.99

I tested connectivity to each SSID successfully from a laptop, but with no WAN connection, just to verify security and connectivity to the wifi.

I unplugged the G3100 and plugged the WAN connection into the FortiNet.

The FortiNet leased a 98.113.x.x address.

I tried getting to the Internet with no success.

So, questions, because I am doing something wrong.

  1. Does it make sense to change the IP for the LAN 1 interface to 192.168.1.1/24?
  2. Do I need to set up static routes from the 10.1.x.x/24 networks, and if so, what would be the default route?

Sorry to be a noob but you have to learn somewhere :)

FXLEWIS
New Contributor II

Update.

I changed the IP for the internal software switch to 192.168.1.1.

I set up static default routes from each 10.1.x.x subnet to my WAN interface. Same for the 192.168.x.x subnet.

We'll see if this works.

Toshi_Esumi
SuperUser

Try one step at a time.

1) When you swapped the router to the 40F, make sure you can get to the internet from the 40F itself (ping something from the CLI). If it works, the default route is fine.

2) Connect your laptop or desktop directly to one of the available lan ports or a switch behind. Make sure it pulled a lan IP over DHCP, then try reaching the internet. If that works, the NAT policy is fine.

3) Then finally test from a WiFi client. You said you configured it on the 40F. That means you have a FortiAP (or several) connected to it, and those must be tunnel mode SSIDs. Traceroute toward the internet from the client to see that it at least shows the 40F's IP.

One thing you're misunderstanding is that the default route is not per lan/wifi subnet. The 40F needs only one. Each client needs to know only the GW IP 10.1.x.1 on the 40F. Then, the 40F needs to know where to send the traffic from the clients if the destination of the packet is not local, which is the default route/default gateway. If the WAN circuit is DHCP or PPPoE, the 40F would pull it automatically from the ISP. Only if it's static do you have to configure a static default route on the 40F under Network->Static Routes in the GUI. This part should be exactly the same as with the FiOS router.

Toshi

FXLEWIS
New Contributor II

Toshi -

First, thanks for responding.

1) When you swapped the router to the 40F, make sure you can get to the internet from the 40F itself (ping something from the CLI). If it works, the default route is fine.

Successfully pinged GOOGLE.COM from the 40WF using the CLI.

2) Connect your laptop or desktop directly to one of the available lan ports or a switch behind. Make sure it pulled a lan IP over DHCP, then try reaching the internet. If that works, the NAT policy is fine.

Connected my laptop to the 40F on port 1. Verified the laptop leased an IP from the 40F. Successfully pinged the gateway. Unsuccessful pinging GOOGLE.COM.

I know that to set the NAT policy I need to go into Firewall Policy / Create New and I believe, for my purposes, create a static SNAT. I don't have a pool of IPs from my ISP so I don't need a dynamic SNAT, and for the sake of simplicity for now I don't think I need a central SNAT.

So I'm doing something wrong in my NAT policy.

Toshi_Esumi

It's called "overload" with the interface IP. The GUI setting in the policy is below (this is 7.0.13).
defaultSNAT.png

When you test it, ping something like 8.8.8.8, not Google.com. It could be your machine's DNS setting issue if you ping a host name/FQDN and can't get to it.

Toshi
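As an added example (not from Toshi, FXLEWIS or Fortinet's documentation), this is what the two points above look like in the FortiOS CLI: one default route for the whole unit, and one outbound policy where "set nat enable" with no IP pool is the "overload" SNAT to the interface IP, followed by the one-step-at-a-time checks. It assumes 7.0 syntax, that the interfaces are named "wan", "internal", "SSID_1", "SSID_2" and "SSID_3" as in the thread, and that the WAN is DHCP; the gateway address is a placeholder, and the "#" lines are annotations rather than commands.

```fortios
# Added example, not part of the thread. Names assumed: wan, internal, SSID_1..3.

# 1) Exactly one default route for the box, not one per subnet.
#    With DHCP or PPPoE on "wan" the 40F learns it from the ISP, so this
#    block is ONLY needed for a static WAN. 198.51.100.1 is a placeholder.
config router static
    edit 1
        set gateway 198.51.100.1
        set device "wan"
    next
end

# 2) One outbound policy for the wired switch and all three SSIDs.
#    "set nat enable" + "set ippool disable" = overload SNAT to the wan IP,
#    which is all you need when the ISP hands out a single address.
config firewall policy
    edit 10
        set name "lan-ssid-to-wan"
        set srcintf "internal" "SSID_1" "SSID_2" "SSID_3"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool disable
        set logtraffic all
    next
end

# 3) Checks, in Toshi's order. From the 40F itself (proves the default route):
execute ping 8.8.8.8
get router info routing-table all
#    expect a line like: S*  0.0.0.0/0 [10/0] via <isp gateway>, wan

# From a wired client behind "internal", ping 8.8.8.8 while watching wan.
# Verbosity 4 prints interface names; 5 = number of packets to capture.
# Working overload SNAT shows the request leaving wan with the wan IP as source.
diagnose sniffer packet wan 'host 8.8.8.8' 4 5

# Only after IP works, test by name; failure here is DNS, not routing or NAT.
execute ping google.com
```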

FXLEWIS
New Contributor II

Toshi -

Making progress. Never heard of "overload". I figured pinging by name would prove DNS works as well as connectivity. I did repeat successfully with pinging by IP, so ICMP works.

I created policies for all 3 SSIDs and was successfully able to connect to each and reach websites from my laptop connected to each SSID.

I created a policy for the "internal" interface and I was able to access the Internet from ports 1 and 2 using my laptop connection. Need to test 3 and 4 but ran out of time.

Am I correct that my policy should use the internal interface for the switch connection to the Internet?

FW_POLICY_INTERNAL.png

Toshi_Esumi

Are you sure it's really a FortiGate 40F? If so, the default hard-switch interface on the 40F should be "lan". Did you rebuild the hard-switch interface with the name "internal"? Or did you create a new software switch and include all lan and SSID1-3?

Either way, all 4 LAN ports are under "internal" so you don't have to test individual ports. If one port works, the rest should work as well. And your policy should be fine.

Toshi

FXLEWIS
New Contributor II

It's a WiFi40F.

Forti40F_SysInfo.png

I did not rebuild the hard-switch interface. I reset the FW to factory defaults once to start new.

FortiWIFI_Interfaces.png

The reference I see to a LAN interface is when I go into the policy and choose my incoming interface. I can choose INTERNAL or LAN.

FORITNET_LAN_INT_0.png (Interface options)

Toshi_Esumi

If it's FWF40F, as in the datasheet, it supports only one/single RADIO. So either 2.4GHz or 5GHz, not both.

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortigate-fortiwifi-40f-series.pdf
Toshi

Toshi_Esumi

And the Address:internal (which is a separate object, different from the interface) was automatically set (probably by default) with 192.168.1.0/24. Unless you change the "interface:internal" config, you can't change it.

Those physical "lan1", "lan2", "lan3" and "lan4" interfaces are combined in the "lan" hard-switch, which you might not be able to see in the GUI but under "config system virtual-switch" in the CLI.
Then there should have been a default wifi interface like "wifi" after a factory reset, which you might have removed. Those "wifi" and "lan" interfaces should be combined into the "internal" software switch interface by default.

Toshi
