FortiGate
Sindre-FTNT, Staff
Article Id 198752
Description
This article describes Direct IP support for LTE/4G modems, a feature introduced in FortiOS 6.2.
With Direct IP, the FortiGate's LTE interface itself receives the address, default gateway and DNS servers that the carrier assigns, so the FortiGate can reach the Internet directly over the LTE link. The address is only reachable from the Internet if the carrier assigns a genuinely public one; many carriers hand out an address from the shared carrier-grade NAT range 100.64.0.0/10 (RFC 6598), as in the example below, which allows outbound access but not inbound connections.

Solution
When the LTE modem is enabled on a FortiGate, a DHCP-mode interface named wwan is created.
Through this interface the FortiGate acquires the direct IP settings (address, DNS servers and default gateway) from the carrier's LTE network.

Because some LTE networks require the Access Point Name (APN) to be supplied, the LTE modem configuration allows the APN to be set.
The LTE modem can only be enabled from the CLI.

To enable direct IP support using the CLI:

1) Enable the LTE modem:
#config system lte-modem
set status enable
end
2) Check that the LTE interface (wwan) has been created. It stays down until the modem attaches to the network:
#config system interface
edit "wwan"
set vdom "root"
set mode dhcp
set status down
set distance 1
set type physical
set snmp-index 23
next
end
Shortly after the LTE modem joins the carrier's network, wwan comes up and is granted a direct IP:
FortiGate-600D # config system interface
FortiGate-600D (interface) # edit wwan
FortiGate-600D (wwan) # get
name                : wwan
....
ip                  : 100.112.75.43 255.255.255.248
....
status              : up
....
defaultgw           : enable
DHCP Gateway        : 100.112.75.41
Lease Expires       : Thu Feb 21 19:33:27 2019
dns-server-override : enable
Acquired DNS1       : 184.151.118.254
Acquired DNS2       : 70.28.245.227
....
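The `get` output above is the quickest place to confirm that direct IP acquisition worked and to see what kind of address the carrier handed out. The following script is an added example, not part of the Fortinet article or of FortiOS: it parses a pasted copy of that output (the sample below is a constructed copy of the article's output), checks that the interface is up and has an address, verifies that the DHCP gateway sits inside the acquired subnet, flags an address in the RFC 6598 shared (carrier NAT) range, and reports whether the lease shown has already expired.

```python
"""Check the direct IP that FortiOS reports on the LTE (wwan) interface.

Added example, not Fortinet code: it parses the text of
`config system interface` -> `edit wwan` -> `get` as pasted from the CLI.
"""
import ipaddress
from datetime import datetime

# Constructed sample: a trimmed copy of the `get` output shown in the article.
SAMPLE_GET_OUTPUT = """\
name                : wwan
....
ip                  : 100.112.75.43 255.255.255.248
....
status              : up
....
defaultgw           : enable
DHCP Gateway        : 100.112.75.41
Lease Expires       : Thu Feb 21 19:33:27 2019
dns-server-override : enable
Acquired DNS1       : 184.151.118.254
Acquired DNS2       : 70.28.245.227
....
"""

# RFC 6598 shared address space, used by carriers for carrier-grade NAT.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")


def parse_get_output(text):
    """Turn `key : value` lines into a dict, skipping the '....' elision markers."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.strip().startswith("."):
            continue
        # Split on the first colon only; timestamps contain further colons.
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def classify_address(ip_text):
    """Classify an acquired address as 'shared' (CGNAT), 'private', 'public' or 'other'."""
    addr = ipaddress.ip_address(ip_text)
    if addr in SHARED_ADDRESS_SPACE:
        return "shared"
    if addr.is_private:
        return "private"
    if addr.is_global:
        return "public"
    return "other"


def check_wwan(text, now=None):
    """Return findings for a wwan `get` dump: address class, DNS, lease state, problems."""
    f = parse_get_output(text)
    findings = {"status": f.get("status"), "address_class": None, "problems": []}
    if f.get("status") != "up":
        findings["problems"].append("interface is not up (modem not attached yet?)")

    parts = f.get("ip", "").split()
    if len(parts) != 2 or parts[0] == "0.0.0.0":
        findings["problems"].append("no address acquired")
    else:
        # ip_interface accepts 'address/dotted-netmask', which is how FortiOS prints it.
        iface = ipaddress.ip_interface(f"{parts[0]}/{parts[1]}")
        findings["address"] = str(iface.ip)
        findings["prefixlen"] = iface.network.prefixlen
        findings["address_class"] = classify_address(parts[0])
        if findings["address_class"] == "shared":
            findings["problems"].append(
                "address is RFC 6598 shared space: carrier NAT, no inbound reachability")
        gw = f.get("DHCP Gateway")
        if gw and ipaddress.ip_address(gw) not in iface.network:
            findings["problems"].append(f"gateway {gw} is outside the acquired subnet")

    findings["dns"] = [f[k] for k in ("Acquired DNS1", "Acquired DNS2") if k in f]
    if f.get("dns-server-override") == "enable" and not findings["dns"]:
        findings["problems"].append("dns-server-override enabled but no DNS servers acquired")

    lease = f.get("Lease Expires")
    if lease:
        expires = datetime.strptime(lease, "%a %b %d %H:%M:%S %Y")
        findings["lease_expired"] = expires < (now or datetime.now())
        if findings["lease_expired"]:
            findings["problems"].append("DHCP lease has expired")
    return findings


if __name__ == "__main__":
    for key, value in check_wwan(SAMPLE_GET_OUTPUT).items():
        print(f"{key}: {value}")
```

Run it against your own `get wwan` paste; an address class of `shared` is the normal case on most consumer LTE plans and means that any inbound service (VPN dial-in, management access) on the LTE link will need a plan with a public address or an outbound-initiated tunnel.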
A PC behind port9 can reach the Internet via the following firewall policy. NAT is enabled so that internal addresses are translated to the wwan address on egress. Note that srcaddr/dstaddr "all" with service "ALL" makes this a permissive any-to-any rule; for production, restrict the source addresses and services and keep utm-status enabled so security profiles inspect the LTE traffic:
config firewall policy
....
edit 5
set name "LTE"
set uuid 61880e9a-36ce-51e9-a4f4-15cc3ffc25f3
set srcintf "port9"
set dstintf "wwan"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set fsso disable
set nat enable
next
end

With the LTE modem enabled, the GUI can also be used to view the LTE interface and check the acquired IP, DNS and gateway (screenshot in the original article).

A firewall policy that uses this LTE interface can also be configured from the GUI (screenshot in the original article).

Limitations:

- Most carriers provision a default APN on the SIM card, so the APN does not usually need to be set in the FortiOS configuration. If the Internet cannot be reached, ask the carrier for the correct APN (for example, inet.bell.ca) and set it in the LTE modem configuration:
#config system lte-modem
set status enable
set apn "inet.bell.ca"
end
- Some FortiGate units have built-in LTE modems, such as the FortiGate-30E-3G4G. On these units the LTE modem is enabled by default, and a firewall policy from the internal interface to the LTE interface is also created by default, so once a SIM card is inserted the user's network devices can reach the Internet.
Note that this default policy allows all services from any source to any destination and, unlike the policy shown above, has no security profiles enabled (there is no utm-status enable), so review and tighten it before relying on the LTE link in production.
FWF-30E-3G4G default configuration:
#config system lte-modem
set status enable
set extra-init ''
set manual-handover disable
set force-wireless-profile 0
set authtype none
set apn ''
set modem-port 255
set network-type auto
set auto-connect disable
set gpsd-enabled disable
set data-usage-tracking disable
set gps-port 255
end

#config firewall policy

....
edit 3
set uuid f7c77cc6-36d1-51e9-2899-a7040791330c
set srcintf "internal"
set dstintf "wwan"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
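Both policies on this page (the manually created policy 5 and the factory-default policy 3) pass traffic to wwan with srcaddr/dstaddr "all" and service "ALL", and only one of them applies security profiles. The following script is an added example, not Fortinet code or a FortiOS feature: it parses a pasted `config firewall policy` block (the sample below is a constructed copy of the two policies on this page) and audits every accept policy whose destination is the LTE interface for any-to-any addressing, service ALL, missing utm-status and missing `set logtraffic all` (FortiOS logs only UTM events by default). It does not attempt to parse other configuration sections.

```python
"""Audit FortiOS firewall policies that egress via the LTE (wwan) interface.

Added example, not Fortinet code: a small parser for a pasted
`config firewall policy` block plus checks for overly permissive LTE policies.
"""
import shlex

# Constructed sample: the two policies shown in the article, in one block.
SAMPLE_POLICY_CONFIG = """\
config firewall policy
    edit 5
        set name "LTE"
        set uuid 61880e9a-36ce-51e9-a4f4-15cc3ffc25f3
        set srcintf "port9"
        set dstintf "wwan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
        set nat enable
    next
    edit 3
        set uuid f7c77cc6-36d1-51e9-2899-a7040791330c
        set srcintf "internal"
        set dstintf "wwan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
"""


def parse_policies(text):
    """Parse a `config firewall policy` block into {policy_id: {setting: [values]}}.

    shlex handles the quoting, so multi-valued settings such as
    `set service "HTTP" "HTTPS"` become lists of values.
    """
    policies = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("."):  # skip blanks and '....' elisions
            continue
        tokens = shlex.split(line)
        if tokens[0] == "edit" and len(tokens) > 1:
            current = {}
            policies[tokens[1]] = current
        elif tokens[0] == "set" and current is not None and len(tokens) >= 2:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            current = None
    return policies


def audit_lte_policies(policies, lte_interface="wwan"):
    """Return {policy_id: [issues]} for accept policies whose dstintf is the LTE interface."""
    findings = {}
    for pid, p in policies.items():
        if lte_interface not in p.get("dstintf", []) or p.get("action") != ["accept"]:
            continue
        issues = []
        if p.get("srcaddr") == ["all"] and p.get("dstaddr") == ["all"]:
            issues.append("any source to any destination: restrict srcaddr/dstaddr")
        if "ALL" in p.get("service", []):
            issues.append("service ALL: every service may leave via the LTE link")
        if p.get("utm-status") != ["enable"]:
            issues.append("utm-status not enabled: no security profiles inspect this traffic")
        if p.get("logtraffic") != ["all"]:
            issues.append("logtraffic not set to all: only UTM events are logged by default")
        findings[pid] = issues
    return findings


if __name__ == "__main__":
    for pid, issues in audit_lte_policies(parse_policies(SAMPLE_POLICY_CONFIG)).items():
        print(f"policy {pid}: {len(issues)} issue(s)")
        for issue in issues:
            print(f"  - {issue}")
```

Paste the output of `show firewall policy` into `parse_policies` to audit a real unit; the factory-default policy 3 should show one more issue than policy 5, because it never enables utm-status.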
