swmar
New Contributor

fortigate disable nat option

Dears,

I have a FortiGate 200D and I want to disable the NAT option once I create the firewall policy.

Could you please advise what the other steps are that I need to configure in case I disable the NAT option in the policy.

When I enable NAT mode in the policy, the connectivity is OK, but when I disable it I lose the connectivity. I want to keep the source IP without NATting. Could you please advise about this.

Best Regards,

rwpatterson
Valued Contributor III

This is a very general question. 2 questions to you:

1) What direction is traffic flowing in this policy?

2) Is this policy connected to the Internet from a private address?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

swmar

Thanks for your reply. The direction is from internal to wan1.

And it is a private network to the internet.

Best Regards,

rwpatterson
Valued Contributor III

If that is the case, then you need to have NAT enabled. Your ISP will drop all connections to the Internet with private IP addresses. You have to provide a routable, public IP address if you want your traffic to be present outside your walls. The only way you can do that is to have your own subnet(s), or to NAT your traffic to the IP address that your ISP provides you. (That is if they give you a public. Some only provide private IP addresses on a transit network to you.)

See the link for a definition/list of private IP address ranges

https://tools.ietf.org/html/rfc1918

There is a newer one, but I don't recall the RFC number.

The latest is here:

https://tools.ietf.org/html/rfc5735


Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

swmar

Hi, it seems I didn't explain the case very well. The FortiGate's WAN interface is connected to the internet through another gateway, and from the FortiGate I can ping the internal IP of the gateway and can ping any address on the internet. But in case I disable NAT mode in the policy, the computers connected to the internal interface of the FortiGate lose connectivity to the internet. Regarding routing, I have a default route to the gateway only. Could you please advise.
ede_pfau

You are right in assuming you didn't supply relevant information on your setup.

When you disable NAT on the FGT, packets with private source addresses arrive at the gateway router. The router will send them out, but on arrival of the replies it doesn't know where to forward them.

You need a static route on the gw router pointing the private subnet addresses (like 192.168.xxx.0/24) to the WAN interface of the FGT.

The FGT already knows about that range as it is directly connected (check this in the Routing monitor).


Ede

"Kernel panic: Aiee, killing interrupt handler!"
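The return-path problem Ede describes, as an added example that is not part of this thread: a small Python simulation of the gateway router's longest-prefix-match lookup for the Internet reply, run with NAT on, with NAT off and no route back, and with NAT off plus the static route to the FGT's WAN interface. The topology (LAN 192.168.1.0/24, FGT wan1 10.0.0.2, gateway inside 10.0.0.1, default route to the ISP) and all helper names are constructed for illustration.

```python
# Added example (not from the thread): simulates the gateway router's
# return-path lookup to show why disabling NAT on the FortiGate policy
# breaks connectivity until the gateway has a route back to the LAN.
# All addresses and names below are constructed for illustration.
import ipaddress
from typing import Optional

# Constructed topology:
#   LAN hosts 192.168.1.0/24 -> FGT internal
#   FGT wan1 10.0.0.2/24 <-> gateway router inside 10.0.0.1/24
#   gateway router default route -> ISP
LAN = ipaddress.ip_network("192.168.1.0/24")
FGT_WAN_IP = "10.0.0.2"


def lookup(routes, dst: str) -> Optional[str]:
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def gateway_routes(static_route_to_lan: bool):
    """Gateway router's table, with or without the static route Ede describes."""
    routes = [
        (ipaddress.ip_network("10.0.0.0/24"), "connected-inside"),
        (ipaddress.ip_network("0.0.0.0/0"), "isp-upstream"),
    ]
    if static_route_to_lan:
        routes.append((LAN, FGT_WAN_IP))  # static route: LAN via FGT wan1
    return routes


def reply_path(nat_enabled: bool, static_route_to_lan: bool) -> str:
    """Where does the gateway send the Internet reply for a LAN host's flow?"""
    # With NAT the reply is addressed to the FGT's wan1 IP; without it,
    # the reply still carries the original private LAN address.
    reply_dst = FGT_WAN_IP if nat_enabled else "192.168.1.50"
    next_hop = lookup(gateway_routes(static_route_to_lan), reply_dst)
    if next_hop == "isp-upstream":
        return "lost: RFC1918 destination only matches the default route"
    if next_hop in ("connected-inside", FGT_WAN_IP):
        return "delivered to FortiGate wan1"
    return "dropped: no route"


if __name__ == "__main__":
    for nat, sr in [(True, False), (False, False), (False, True)]:
        print(f"nat={nat} static_route={sr}: {reply_path(nat, sr)}")
```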
swmar
New Contributor

It worked, thank you so much. Yes, this is the missing ring.

Really appreciated.

:)


ede_pfau

You're welcome, I'm glad I could help.


Ede

"Kernel panic: Aiee, killing interrupt handler!"