Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
morana
New Contributor

No internet connection when using a static IP?

Hello everyone,

 

I am wondering why the internet connection is not working on a FortiGate 70F when I configure the WAN port IP manually.

I try to exec ping google.com but it is not resolved.

But when I change to DHCP to take an IP from the TP-Link router, everything works just fine and I am able to ping anything from the CLI.

 

With the static IP config:

I try to add a static route:

0.0.0.0        172.16.16.1 (TP-Link gateway)

I also added DNS:

8.8.8.8 (unreachable)

8.8.4.4 (unreachable)

I can ping the gateway only, 17.16.16.1.

------------------------

I need the internet only to set up a site-to-site VPN, NOT to provide internet access to the local workstations.

As I mentioned, it works only if I use DHCP, not a static IP. As you know, DHCP is not a good choice for my case: if anything happens like a power loss or a restart, it will obtain a new WAN IP address and the other site will not be able to access the database.

 

AEK

Good. Now please set it manually as you did before, then share the output of the same command:

get router info routing-table all

 

morana
New Contributor

This is with the manual (static) config:

 

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] is directly connected, wan1, [1/0]
                    [10/0] via 192.168.1.1, wan2, [1/0]
C 16.16.16.0/24 is directly connected, wan1
C 192.168.1.0/24 is directly connected, wan2
C 192.168.10.0/24 is directly connected, internal
S 192.168.20.0/24 [10/0] via 16.16.16.2, wan1, [1/0]
S 192.168.30.0/24 [10/0] via 16.16.16.3, wan1, [1/0]
S 192.168.40.0/24 [10/0] via 16.16.16.4, wan1, [1/0]
S 192.168.50.0/24 [254/0] is a summary, Null, [1/0]

AEK

So in summary:

When using DHCP for wan2:

S* 0.0.0.0/0 [5/0] via 192.168.1.1, wan2, [1/0]

That's because its distance is 5, so the wan1 route is removed.

 

When using manually added static route:

S* 0.0.0.0/0 [10/0] is directly connected, wan1, [1/0]
[10/0] via 192.168.1.1, wan2, [1/0]

Both are in the routing table because both have same distance (10).

 

On the other hand, I find the wan1 route quite strange.

  • What is the IP address of wan1?
  • Please share a screenshot from menu: Network > Static Routes

 

 
morana
New Contributor

WAN1 has a static IP ===> 16.16.16.1

OK, I will share it once I am there.

AEK

Anyway, you want the IPsec VPN through WAN2, right? Then the following should work for you:

  • Add a static IP to WAN2 as you did before
  • Add a static route like this:
    • destination: 0.0.0.0/0
    • gateway: 192.168.1.1
    • interface: wan2
    • distance: 9

Know that this config will make wan2 the active interface for all WAN traffic and the IPsec VPN as well, while the wan1 gateway will be disabled.

Again, if you want to use both interfaces it is much simpler to configure SD-WAN.

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/889544/sd-wan-quick-start

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-add-the-interface-in-SD-WAN-member-...

 

If you don't want SD-WAN, then set both default routes to the same distance and use policy routes to manage your internet traffic (a less interesting option).

 

Edit: That was not a good solution.

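The distance-9 default route that AEK recommends, written out as FortiOS CLI. This is an added example, not a configuration posted in the thread: the interface names and the 192.168.1.1 TP-Link gateway come from the routing tables above, while the wan2 address 192.168.1.10/24 is an assumption; substitute your own. The point it demonstrates is the one AEK makes: a static default route is chosen purely by administrative distance, so a wan2 route at 9 beats the wan1 route at 10 and the FortiGate stops load-balancing half of its traffic (DNS lookups included) onto a wan1 default route that has no working upstream.

```fortios
# Added example (not from the original thread). Interface names and the
# 192.168.1.1 gateway are from the thread; 192.168.1.10/24 on wan2 is assumed.

# 1. Static address on wan2 instead of DHCP, so the WAN-side address survives
#    a reboot or power loss.
config system interface
    edit "wan2"
        set mode static
        set ip 192.168.1.10 255.255.255.0
        set allowaccess ping
    next
end

# 2. Default route out wan2 with distance 9, one better than the existing
#    wan1 default route at distance 10. Lower distance wins; equal distance
#    would put both routes in the table (ECMP), which is what the manual
#    config above produced.
config router static
    edit 0
        set dst 0.0.0.0/0
        set gateway 192.168.1.1
        set device "wan2"
        set distance 9
    next
end

# 3. Verify. Only the wan2 route should appear as S* 0.0.0.0/0 in the
#    routing table; the distance-10 wan1 route remains in the route database
#    but is no longer active.
get router info routing-table all
get router info routing-table database

# 4. Test from the FortiGate itself, sourcing the pings from the wan2 address
#    so the replies return over the same interface.
execute ping-options source 192.168.1.10
execute ping 192.168.1.1
execute ping 8.8.8.8
execute ping google.com
```

If `execute ping 192.168.1.1` works but `execute ping 8.8.8.8` does not, the FortiGate's routing is correct and the problem is on the TP-Link side (its own upstream or its NAT), which is the same split that the later step-by-step checks in this thread rely on.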
morana
New Contributor

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 192.168.1.1, wan2, [1/0]
C 16.16.16.0/24 is directly connected, wan1
C 192.168.1.0/24 is directly connected, wan2
C 192.168.10.0/24 is directly connected, internal
S 192.168.20.0/24 [10/0] via 16.16.16.2, wan1, [1/0]
S 192.168.30.0/24 [10/0] via 10.10.10.3, wan1, [1/0]
S 192.168.40.0/24 [10/0] via 10.10.10.4, wan1, [1/0]
S 192.168.50.0/24 [254/0] is a summary, Null, [1/0]    <<----------

 

The last line is the new remote office subnet that I am trying to reach for the site-to-site VPN.

morana
New Contributor

Someone told me to use a dynamic IP with DDNS in order to make it work, but fortiddns.com or any DNS server in the list is not working; I cannot ping any DNS servers from the CLI even with a successfully created domain: example.branch.fortiddns.com

atakannatak
New Contributor III

 

Hello @morana,

 

@Toshi_Esumi has already explained all possible scenarios to match your situation. However, I would like to add a few more points:

 

1- Firstly, you need to configure Port Address Translation (PAT) on your TP-Link modem because the remote site reaches your firewall through this modem. You must redirect UDP port 4500 to your firewall; otherwise, the IPSec tunnel will not establish.

 

2- Secondly, you mentioned that your sites do not have a public address directly. Your firewall is behind your TP-Link modem, which means your public address does not belong to you and will change continuously. To handle this unstable public address condition, you can configure a dial-up IPSec instead of the DDNS solution.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-FortiGate-as-IPsec-VPN-...

 

In addition, please follow these steps to ensure your routing and other network components work as expected:

 

1- Add a specific route such as 9.9.9.9/32 to use your WAN2 port.

2- Try pinging the first next-hop, which is the TP-Link modem's interface IP address. If it fails, ensure connectivity between the TP-Link modem and the firewall.

3- If successful, try pinging 9.9.9.9. If it fails, please check the TP-Link modem's configuration, as step 2 indicated that packets already reached the TP-Link modem.

4- If successful, everything seems good for internet connection via this WAN2.

5- At this point, consider @Toshi_Esumi's and the above feedback. Run the troubleshooting commands below, and then please share the output with the community.

 

--First CLI Screen--

exec traceroute-options source a.b.c.d (it's your wan2 ip address)
exec traceroute x.y.z.t (remote peer ip address)
get router info routing-table details x.y.z.t (remote peer ip address)

dia vpn ike log-filter dst-addr4 x.y.z.t

dia de app ike -1
dia de en

 

--Second CLI Screen--

diag sniff packet any "host x.y.z.t" 4 0 a

 

--Third CLI Screen--

You must make sure what the source and the destination are before running the commands below. For example, in the redirection above, if you try to ping 9.9.9.9 and your source IP is a.b.c.d, then the commands must look like this. Please run this and the second screen's commands during Step 3, which means while pinging 9.9.9.9. I ask because your firewall rule might not have been correctly configured, possibly due to mistakenly enabling NAT.

 

diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diag debug console timestamp enable
diagnose debug flow filter saddr a.b.c.d

diagnose debug flow filter daddr 9.9.9.9
diagnose debug flow show function-name enable
diagnose debug flow trace start 9999
diagnose debug enable

 

Best Regards.

Atakan Atak
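Steps 1 to 4 of the procedure above, as an added FortiOS CLI example that is not part of the original post. The /32 test route and the 192.168.1.1 next hop follow the post; the wan2 address 192.168.1.10 and the route index 99 are assumptions (99 only needs to be an unused static-route id, so the test route can be deleted cleanly afterwards). The sniffer lines are an addition of my own: the first confirms on which interface the test packets actually leave, and the second is worth running before any tunnel test because IKE itself uses UDP 500 and NAT-T uses UDP 4500, so the TP-Link has to forward both ports to the FortiGate's wan2 address, not only 4500.

```fortios
# Added example (not from the original post). 192.168.1.1 and wan2 are from
# the thread; 192.168.1.10 on wan2 and static-route id 99 are assumed.

# Step 1: host route for the test target only, so the rest of the routing
#         table (and the existing default routes) are left untouched.
config router static
    edit 99
        set dst 9.9.9.9 255.255.255.255
        set gateway 192.168.1.1
        set device "wan2"
    next
end
get router info routing-table details 9.9.9.9

# Steps 2 and 3: ping the next hop, then the target, sourced from wan2.
# If the first ping fails the problem is between FortiGate and TP-Link;
# if only the second fails, the packets reached the TP-Link and its own
# upstream or NAT is the place to look.
execute ping-options source 192.168.1.10
execute ping 192.168.1.1
execute ping 9.9.9.9

# Run in a second CLI session while the pings are going: verbosity 4 prints
# the interface each packet uses, count 0 means no limit, "a" adds absolute
# timestamps. Every echo request should show "out wan2".
diagnose sniffer packet wan2 'host 9.9.9.9' 4 0 a

# Before testing the tunnel: IKE uses UDP 500 and NAT-T UDP 4500. When the
# remote peer tries to connect, both must arrive here through the TP-Link's
# port forward; if nothing shows up, the forward on the modem is incomplete.
diagnose sniffer packet wan2 'udp and (port 500 or port 4500)' 4 0 a

# Step 4 done: remove the test route so it cannot mask a later routing issue.
config router static
    delete 99
end
```

Pings issued from the FortiGate CLI are self-originated and do not traverse firewall policies, so this sequence isolates routing and the upstream TP-Link from policy and NAT problems; the `diagnose debug flow` commands in the post above are the right tool once traffic from a host behind the FortiGate (or the tunnel itself) is being tested.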
morana

Thanks for the reply, I will try that on both TP-Link home routers, for site A and site B.

But as I mentioned, the site A FortiGate has no internet connection when using a manually configured static IP; it can only get internet when I change it to DHCP. And the site B FortiGate's internet works fine if I configure it with a static IP!!

 

Thank you all, I appreciate your effort to help me, and I will try all your suggestions.

 

Toshi_Esumi

That's probably because Site-B doesn't have two internet circuits on both wan1 and wan2.

What is the public IP at Site-B when someone on-site searches "What is my IP" on Google? That's the IP you need to set a static route toward wan2 for and that the IPsec phase1 is connecting to. Private IPs like 192.168.x.x are not reachable over the internet.

Toshi
