Port forwarding with multiple IPs

Configuring port forwarding on a 60B is a several step process. First you need to create a Virtual IP for the interface (WAN2) and IP (I assume 10.1.10.10) you want to forward. Then you have to add a firewall rule allowing traffic from the virtual IP to the internal interface. Can you confirm you've already done both of these?

Also, you mention that your static IP (with Comcast) remained the same. If this is the IP of the modem, I'd expect it to be an external IP, i.e. not in the 10.xx subnet. Yet the WAN2 interface of your Fortigate has a 10.xx address. This suggests you've got a double-NAT setup.

If this is the case you can fix it in one of two ways:

  1. Set up port forwarding/NAT on the modem (i.e. actually use double NAT - not nice)
  2. Change the modem to 'bridge mode' and have the Fortigate get the external IP as its WAN2 IP (better).

Note that with 2, if your Comcast connection is e.g. ADSL with PPP, you'll need to configure the Fortigate to do the PPPoE authentication.

Double NAT would also explain why changing the router broke things - the old router had port forwarding/NAT configured, but the new one didn't.

Edit:

It really sounds like my guess at the double-NAT scenario is correct. The DSL modem connected to WAN1 is getting the external IP address, and is assigning a 10.1.10.xx address to the Fortigate's WAN1 interface via DHCP. If the old modem definitely didn't have port forwarding then it was probably in bridge mode.

If you can't access the newly added modem via your internal network, I recommend you take the following steps:

  1. Connect to the modem directly with an ethernet cable to e.g. your laptop
  2. From your laptop, access the modem's configuration web interface. If you can't reach it, reset the modem to factory defaults and point your web browser at its factory-set IP. This is guaranteed to get you to a config page, but will wipe existing settings.
  3. Within the interface, set the modem's IP address to something inside your internal network's IP range.
  4. Access the modem at the new IP, configure all the ADSL-related settings (not authentication, just lower-layer settings like encapsulation, VPI/VCI, etc.). Get these from Comcast if you don't have them.
  5. Set the modem to 'bridge' mode. This is the important step.
  6. If your ADSL connection uses PPPoE authentication, access the Fortigate admin page, and under Network -> Interfaces -> WAN1, select PPPoE and enter your ADSL username and password.

If this all works, you'll see WAN1 on the Fortigate get an external IP address.

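Worked example (added here; it is not part of the original answer or of Fortinet's documentation): the FortiOS CLI equivalent of the two steps the answer describes, a Virtual IP plus the firewall policy that allows traffic to it, followed by the PPPoE setting for step 6 of the edit. Assumed values: the external interface is "wan2" with the 10.1.10.10 address from the question, the inside interface is "internal", the forwarded host 192.168.1.50 and the HTTPS-only service are made up for illustration, and the PPPoE credentials are placeholders. Option names are FortiOS CLI as used on current releases; a 60B on an older FortiOS release may lack some of them (for example `set name` on a policy), so check against the unit's own CLI reference.

```fortios
# Added example, not from the original answer. Assumptions: wan2 = 10.1.10.10
# (from the question), inside interface "internal", server 192.168.1.50 and
# service HTTPS are made up, PPPoE credentials are placeholders.

# 1. Virtual IP: static NAT of wan2:10.1.10.10 tcp/443 -> 192.168.1.50 tcp/443.
#    Using a port forward rather than a 1:1 mapping exposes only the one port.
config firewall vip
    edit "vip-https-10.1.10.10"
        set extintf "wan2"
        set extip 10.1.10.10
        set mappedip 192.168.1.50
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# 2. Inbound policy from wan2 to the inside interface with the VIP as destination.
#    Service is HTTPS, not ALL; NAT is disabled so the server sees the real client
#    address. Once the modem is bridged (or places this box in its DMZ) every
#    inbound packet reaches wan2, so this policy is the only filter in front of
#    the server. Logging is on so hits are visible in the traffic log.
config firewall policy
    edit 0
        set name "wan2-https-in"
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-https-10.1.10.10"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
        set nat disable
    next
end

# 3. Only if the modem is put in bridge mode and the DSL line uses PPPoE:
#    the Fortigate authenticates itself and picks up the public IP directly.
config system interface
    edit "wan1"
        set mode pppoe
        set username "user@comcast"
        set password "REPLACE_ME"
    next
end

# Checks after applying:
#   get system interface physical          -> wan1 should show the public IP
#   diagnose sniffer packet wan2 'tcp port 443' 4
#                                          -> inbound SYNs arriving on wan2; if
#                                             nothing shows, the modem (the outer
#                                             NAT) is still dropping them.
```

If the modem stays in place doing NAT (option 1 in the answer), the VIP's `extip` must match whatever address the modem hands the Fortigate on wan2 (10.1.10.10 here), and the modem must forward the same port to that address; with the modem bridged, `extip` becomes the public address instead.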

Updated on September 17, 2022

Comments

  • Jon
    Jon about 14 years
    Thank you very much for the detailed response. First, I do have port forwarding configured as you described, with both a virtual IP setup as well as a policy configured for it. The Virtual IP is setup for the WAN2 interface with an IP of 10.1.10.50. This had been working fine with the old modem. Right, the external static IP remained the same. But you're correct that that external IP isn't visible anywhere in Fortigate, only 10.1.10.10 under system status. I am positive the old modem did not use port forwarding, as I never accessed that modem to add forwarding, only the Fortigate.
  • Jon
    Jon about 14 years
    I am not sure why the WAN2 interface has an internal IP address. It was setup like that (before I worked here). Our WAN1 interface, a backup DSL, shows the external IP. The WAN1 subnet is 255.255.255.248 and the WAN2 subnet is 255.255.255.0.
  • Jon
    Jon about 14 years
    Thanks! I hadn't thought of the simple solution of just connecting directly to the modem. Once I did so, I found the router was apparently assigned the IP 10.1.10.10 (the modem is 10.1.10.1), so that's where I was getting two IPs from. I just added the router to the DMZ, and I'm able to just do all the port forwarding config from the router itself.