
I am fairly new to FortiGate firewalls and I am trying to set up one FortiGate 100D running firmware v5.0 as a router for a hotel network. I have 2 ISPs using PPPoE connections that run on VLAN 500. I created VLANs for both wan1 and wan2 (assume ISP_A_vlan and ISP_B_vlan) with both ISPs' credentials set, and I am able to connect and obtain an IP from the ISP, which is fine.

Of the 16 ports I have, I've separated them into 8 different networks, in pairs of 2 ports per network, with DHCP enabled so that each network pair is served a different IP range. For example, Office_lan @ 10.1.1.1/24 and Access_point @ 10.1.0.1/24.

Next, I created a policy for both ISP_A_vlan and ISP_B_vlan with the following configuration:

policy type: firewall
policy subtype: address
incoming interface: Access_point
source address: all
outgoing interface: ISP_A_vlan, ISP_B_vlan 
destination address: ALL
schedule: always
service: all
enable NAT: true (use destination interface address)

Similarly for Office_lan:

policy type: firewall
policy subtype: address
incoming interface: Office_lan
source address: all
outgoing interface: ISP_A_vlan, ISP_B_vlan 
destination address: ALL
schedule: always
service: all
enable NAT: true (use destination interface address)

but when I inspect the Forward Traffic log, there is no internet connection from either Office_lan or Access_point. They are able to negotiate an IP from the DHCP server as well as obtain a DNS server from the ISP itself.

With a similar setup, instead of running PPPoE on the VLAN WAN ports, I took 2 routers (assume wan1 for Router_A and wan2 for Router_B), configured the ISPs' credentials in the routers, then connected both routers to wan1 and wan2 with an almost identical configuration, as follows:

policy type: firewall
policy subtype: address
incoming interface: Access_point
source address: all
outgoing interface: wan1, wan2 
destination address: ALL
schedule: always
service: all
enable NAT: true (use destination interface address)

Similarly for Office_lan:

policy type: firewall
policy subtype: address
incoming interface: Office_lan
source address: all
outgoing interface: wan1, wan2 
destination address: ALL
schedule: always
service: all
enable NAT: true (use destination interface address)

and everything works fine. Am I missing something here?

Kenny Yap
    This is late, but to start off with you should upgrade to 5.4 at least; the 100D is a powerful device, there is no reason to use v5.0. Also I'm confused about your VLANs: have you configured VLANs on the WAN ports facing your ISP or the LAN ports facing your inside? If you add a diagram here using draw.io or some such site, it'll be way easier to understand this. – allwynmasc Jun 14 '17 at 10:13
  • Just to verify: ISP_A_vlan and ISP_A_vlan are VLAN interfaces that you've created on each (physical) WAN interface with the required VLAN 500? – Zac67 Jul 14 '17 at 13:15
  • Why do you set VLANs in the WAN interfaces? Like recommended I would definitely update to 5.4.4, a lot has been fixed since 5.0. Can you show your static routes? – Elias Sep 12 '17 at 14:35
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can post and accept your own answer. – Ron Maupin Jan 05 '21 at 01:48

2 Answers

In my FortiGate with 5.x firmware I must configure the log options in the relevant policies I want to monitor to see anything in the Forward Traffic log. Enabling logging in the policy by default only logs security events and not all the traffic.

Did you test whether there is traffic with other network utilities (ping, tracert/traceroute, nmap...)? In the CLI console you can monitor packets using the diag command:

diag sniffer packet PORT "FILTER" TYPE

PORT=interface, FILTER=condition to select the packets to show, TYPE=4 to show the detected interface. For example, to see every packet:

diag sniffer packet any "" 4

or to show packets to/from 8.8.8.8 through ISP_A_vlan:

diag sniffer packet ISP_A_vlan "host 8.8.8.8" 4

FILTER follows the tcpdump syntax. Press Ctrl-C to stop the sniffing.

Fjor

This could be a routing issue.

When you set up the interfaces and configure PPPoE, did you check "Retrieve default gateway from server"? When using the "wan1" port you do not use PPPoE, so you have to set a static default route yourself. Make sure that you don't have two of them (Routing Monitor).
Check routing by pinging from the FGT console. If that is working, and ping from PCs doesn't, check the PCs' gateway setting.

user1016274
  • Yes I did select "Retrieve default gateway from server" while in PPPoE mode. I will give your suggestions a try and hopefully it works. Also I realized that I've made some slight confusion on my question. It should be **ISP_A_vlan @ wan1** and **ISP_B_vlan @ wan2** – Kenny Yap May 16 '17 at 05:13
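As an added illustration that is not from any poster in this thread, the question's setup expressed in FortiOS 5.x CLI, with the two settings the answers point at: Fjor's per-session logging (`set logtraffic all`, since the default `utm` level records only security events) and user1016274's default gateway (`set defaultgw enable` on the PPPoE interface, or a static default route when a router sits behind wan1). Only the wan1 side is shown; wan2 mirrors it. The PPPoE credentials and the Router_A gateway address are placeholders, and "use destination interface address" NAT is plain `set nat enable` with no IP pool.

```fortios
# Added example, not taken from the question or answers. Placeholders marked.

# --- ISP_A_vlan: PPPoE over VLAN 500 on wan1 (first setup in the question). ---
# 'set defaultgw enable' is the CLI form of "Retrieve default gateway from
# server"; without it no default route appears for this ISP.
config system interface
    edit "ISP_A_vlan"
        set vdom "root"
        set type vlan
        set interface "wan1"
        set vlanid 500
        set mode pppoe
        set username "ISP_A_USER"        # placeholder
        set password "ISP_A_PASSWORD"    # placeholder
        set defaultgw enable
    next
end

# --- Access_point -> both ISPs, as in the question, plus session logging. ---
# Default is 'set logtraffic utm' (security events only), so an accepted
# session with no UTM profile never shows up in the Forward Traffic log.
config firewall policy
    edit 1
        set srcintf "Access_point"
        set dstintf "ISP_A_vlan" "ISP_B_vlan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

# --- Second setup (Router_A behind wan1, no PPPoE on the FortiGate): the
# default route must be created by hand, one per WAN device, no duplicates.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.0.2.1            # placeholder: Router_A's inside address
        set device "wan1"
        set distance 10
    next
end

# --- Checks from the FortiGate console before blaming the policy. ---
get router info routing-table all              # the default route(s) you expect, nothing duplicated
execute ping-options source 10.1.0.1           # ping sourced from the Access_point address
execute ping 8.8.8.8
diag sniffer packet ISP_A_vlan "host 8.8.8.8" 4   # the echo should leave on ISP_A_vlan, NATed to its address
```

If the routing table shows no default route in the PPPoE setup, the gateway option or the PPPoE session itself is the problem, not the policy; if the sniffer shows packets arriving on Access_point but nothing leaving on the ISP VLAN, look at routing, and if they leave but the Forward Traffic log stays empty, it is the logging level.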