Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DaveK
New Contributor

Setting up a Dual NAT

So let me preface that I'm not a network guy... but I've been given the opportunity to dive in and learn with some stuff at home. One of those items is a FortiGate 60E that I'm going to sort of build my home lab behind (generally by trade I'm a VMware guy).

For the time being, as this is on my primary home connection for the foreseeable future, I need to set up a double NAT type setup like the link below:

https://chasechristian.com/blog/2016/04/consoles-enterprise-firewalls-and-upnp/

Essentially, because I have kids, etc., and need to start "working" and tune as I learn, I want to put the 60E on my edge so it can scan traffic, etc., and do its edge job... but then let the inside be a bit more squishy like my traditional home router so their Xboxes, apps, etc., all work immediately... and I can tune the entire design as I become more proficient.

Can someone potentially point me on essentially creating the double NAT rule on the FortiGate 60E that passes all traffic to my router IP so I can get things working?

I'm anxious to learn as I've always been a fan of knowing end to end (always better for your job, and just good to know) and this is the first step for me on the network side. THANK YOU!

 

MOD: You can close the thread in the ROUTING forum as it's likely a better spot here.

ede_pfau
Esteemed Contributor III

Hi, and welcome to the forums!

You'll find plenty of fellows here just starting into the Fortinet world so no need to apologize (except maybe for using SRXes...). Your plan sounds interesting, and is easy as pie to set up.

First off, to put the FGT at front towards your ISP is a wise decision. It needs a routable public address on its WAN port, for authenticating against the FortiGuard servers for continuous UTM signature updates (and much else). So, I was relieved to see this.

Now the steps to set it up:

1- the FGT is configured to authenticate against your ISP via the 'wan1' port - DHCP, PPPoE, static address, whatever.

2- you make sure there is a default route pointing to the ISP's gateway (that is, destination '0.0.0.0/0'). DHCP and PPPoE deliver this automatically.

3- the internal ports only cater for a 'transfer net'. Any private address range will do, so like 172.16.x.1/24 or 192.168.x.1/24. This will be the (static) address of the 'internal' port(s). There is room for 253 other addresses but you will only need one other.

4- to make things easy configure a DHCP server on port 'internal' if it doesn't exist yet. This will assign a valid address, the gateway, the DNS and even the NTP server address if you like, to any host connecting to the 'internal' port and using DHCP requests.

In your case, this host will be the home router, more specifically, its WAN port. Configure it to use DHCP.

5- Where is the double NAT? In the policy!

So now you create a policy on the FGT, from 'internal' to 'wan1', addresses 'all' to 'all', service 'ANY', NAT enabled, UTM enabled (at least AV). This will do the private transfer net-to-public NAT. Your home router will do the second NAT plus the UPnP stuff, like before.

 

So, in short, remember that in order to have traffic flowing across the FGT it needs

- both a route to the source and to the destination

- a policy connecting the inbound and outbound ports

 

Look up the current routes in Monitor/Routing. The FGT automatically creates a route for each subnet which is directly connected to one of its ports. And for unknown destinations, there is the default route.

Your home router gets its gateway address through DHCP from the FGT - it's the address of the 'internal' port.

As the home router is NATting, the FGT doesn't need to know your true internal address space behind the home router.

 

This description seems a bit bloated, I apologize. I wanted to make sure you get it right the first time. The setup will take you less time than needed to read this. If you encounter any problems let us know.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
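The five steps above, written out as a FortiOS CLI script. This is an added example, not Ede's configuration or Fortinet's documentation; it assumes the FortiOS 5.x/6.x CLI, that the 60E's LAN switch interface is named "internal" (newer firmware calls it "lan"), a constructed transfer net of 192.168.100.0/24, and that the built-in "default" AV profile and "certificate-inspection" SSL profile exist on the unit. The service object is "ALL" on current releases; older ones named it "ANY" as in the post.

```fortios
# Added example (not from the post or Fortinet docs). Assumptions: FortiOS 5.x/6.x
# CLI, LAN switch named "internal", constructed transfer net 192.168.100.0/24.

# Step 1: wan1 takes its public address (and the default route) from the ISP via DHCP.
config system interface
    edit "wan1"
        set mode dhcp
        set allowaccess ping
    next
    # Step 3: the internal switch gets the static transfer-net address.
    edit "internal"
        set ip 192.168.100.1 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Step 2 (only if wan1 is static; DHCP/PPPoE supply this route themselves):
# a default route 0.0.0.0/0 towards the ISP gateway. 203.0.113.1 is a
# documentation placeholder, not a real gateway.
# config router static
#     edit 1
#         set device "wan1"
#         set gateway 203.0.113.1
#     next
# end

# Step 4: DHCP on "internal" hands the home router's WAN port an address, the
# gateway (the FGT's own 192.168.100.1), DNS and NTP. Only one lease is ever
# needed, so the range is kept small on purpose.
config system dhcp server
    edit 1
        set interface "internal"
        set default-gateway 192.168.100.1
        set netmask 255.255.255.0
        set dns-service default
        set ntp-service default
        config ip-range
            edit 1
                set start-ip 192.168.100.2
                set end-ip 192.168.100.10
            next
        end
    next
end

# Step 5: the single policy that carries the first NAT (transfer net -> public).
# The home router performs the second NAT and UPnP behind it, as before.
config firewall policy
    edit 1
        set name "internal-to-wan1-nat"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
end
```

Because the policy is the only one on the box and NAT is enabled on it, the home router's WAN address (one lease from the 192.168.100.2-10 range) is the only source the FGT ever sees; the true LAN behind the home router stays hidden from it, exactly as the post describes.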
DaveK
New Contributor

Ede,

  That is some EXTREMELY helpful information!

 

I'm going to give it a run through in a few mins, after I convince the kids it's okay to have no internet for 15 mins, and see if I can get it working.

 

Regardless if I figure it out or not that's one hell of a welcome, and some GREAT information!  Thank you!

 

I'll let you know how it goes in a bit.

DaveK
New Contributor

Question:  Do I need to create a WAN to INTERNAL policy as well to accept traffic coming back and push it all to the router, or does the ANY/ANY from Internal to WAN cover that?

Fullmoon
Contributor III

DaveK wrote:

Question:  Do I need to create a WAN to INTERNAL policy as well to accept traffic coming back and push it all to the router, or does the ANY/ANY from Internal to WAN cover that?

 

No need to create a WANx-Internal policy/rule. FortiGate is a stateful firewall.

Fortigate Newbie
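A way to see the stateful behaviour Fullmoon describes rather than take it on trust. These are added FortiOS CLI checks, not part of the reply; they assume the same constructed transfer net (192.168.100.0/24) and that the home router's WAN port holds the lease 192.168.100.2.

```fortios
# Added example (not from the reply or Fortinet docs). Assumes the home router's
# WAN port currently leases 192.168.100.2 from the FGT.

# The connected routes for wan1 and internal plus the 0.0.0.0/0 default route;
# this is the CLI view of what Monitor > Routing shows in the GUI.
get router info routing-table all

# Narrow the session table to traffic coming from the home router's WAN address,
# then list it while a host behind the home router is browsing.
diagnose sys session filter clear
diagnose sys session filter src 192.168.100.2
diagnose sys session list

# Reset the filter afterwards so later diagnostics are not silently narrowed.
diagnose sys session filter clear
```

Each listed session carries both an original-direction entry (where the source NAT to the wan1 address is applied) and a reply-direction entry; that reply entry is the state the FGT consults for return packets, which is why no wan1-to-internal policy is needed and why adding one would only widen the attack surface for unsolicited inbound traffic.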
DaveK
New Contributor

Thanks!  I thought so, after doing some tweaking to be sure, but wanted to ask.

 

So far so good. Easy as pie to set up as mentioned above, steps were 100% easy to follow, and so far things are going well.

 

I appreciate the help!
