becchir2003
New Contributor

Issue when disabling NAT on 80F behind ISP firewall

Hi community,

This is my first time with a non-NAT config. I am substituting a 30E (I will describe its config from the provider later) with a new 80F to control Wi-Fi with 231 AP (20) and the local admin LAN.

The ISP gives me 172.17.20.1/29 as the gateway.

I set up my wan1 interface with 172.17.20.2/29 as the address.

I set up a static route to the ISP Cisco gb b 0 address.

I configured the 80F switch port 6 as 192.168.1.254, assigned the DHCP, and configured the policy from local to WAN (192.168.1.0/24 to wan1).

I configured the wireless SSID guestwifi (172.16.0.1/24) and all its policies. Everything works great with a 24-port PoE FortiSwitch.

My issue is that I want to access my FortiGate from outside. My provider told me to disable NAT on my FortiGate, so I disabled NAT on all my policies and added a policy from WAN to the administration LAN without NAT. But when I deactivate NAT, internet is dropped on all interfaces. The only thing is that the FortiGate CLI can ping 8.8.8.8, but not from my local machines. I'm confused.

Please help. I need external access to my LAN from outside, and there is no solution with the ISP: he won't disable his VDOM and doesn't give me any support.

Toshi_Esumi
SuperUser

When you disable NAT, your ISP's router needs to have routes for 192.168.1.0/24 and 172.16.0.0/24 toward your FGT (172.17.20.2). You need to tell them that. If they can't, you have to keep the NAT.

For the remote access from the internet, they have to set up port forwardings at the router (NAT device). For that part, it shouldn't matter if you have NAT for your internal subnets or not. They just need to map TCP 443 and/or 22 to 172.17.20.2.

 

Toshi
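
The return-path reasoning in the reply above, modelled as an added example that is not part of the original thread. The ISP router's routing table (only the connected /29 plus a default route) and the host addresses 192.168.1.10 and 172.16.0.50 are assumptions made for illustration.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in table
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Assumed ISP router table: connected /29 and a default route upstream.
ISP_BEFORE = [
    ("172.17.20.0/29", "connected"),
    ("0.0.0.0/0", "upstream"),
]
# Same table with the two routes the reply asks the ISP to add.
ISP_AFTER = ISP_BEFORE + [
    ("192.168.1.0/24", "172.17.20.2"),
    ("172.16.0.0/24", "172.17.20.2"),
]

def reply_reaches_fortigate(table, source_ip):
    """A reply to source_ip returns only if the ISP router sends it
    onto the /29 or to the FortiGate's wan1 address."""
    return lookup(table, source_ip) in ("connected", "172.17.20.2")

def report(table):
    # Source address each kind of traffic carries when it reaches the ISP router.
    sources = {
        "FortiGate CLI ping": "172.17.20.2",        # sourced from wan1
        "LAN host, NAT on": "172.17.20.2",          # rewritten to wan1
        "LAN host, NAT off": "192.168.1.10",        # constructed host
        "guest Wi-Fi host, NAT off": "172.16.0.50", # constructed host
    }
    return {name: reply_reaches_fortigate(table, ip)
            for name, ip in sources.items()}

if __name__ == "__main__":
    for label, table in (("ISP without routes", ISP_BEFORE),
                         ("ISP with routes", ISP_AFTER)):
        print(label)
        for name, ok in report(table).items():
            print(f"  {name:28s} reply returns: {ok}")
```
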

becchir2003
New Contributor

After several tries I found the login password for the old 30E. This is the policy table. The LAN connects to the internet with NAT disabled, with the same subnet address as the 80F.

When I connect a laptop on LAN 3 and LAN 2, it gives me different WAN IPs, x.x.x.20 and x.x.x.19.

I'm really confused, please give me a clarification.

[Attached image: IMG_20240110_165918.jpg]
