Netgate Discussion Forum

    PFSense (Netgate 4100) Setup with a Fortigate

    Firewalling
    • mofugga

      This post is deleted!
    • bingo600 @mofugga

        @mofugga
        There is so much info missing here .....

        First and most important:
        Do you see any blocked packets on the pfSense interface where the fortigate is connected?

        **Then:**
        1:
        What pfSense interface did you connect the fortigate to?
        What ip address does the pfSense interface have?

        2:
        What ip address does the fortigate have ?
        Does it have the "default gateway" set to the pfSense interface IP ?

        3:
        From your (missing) description I expect the fortigate to be the DHCP server for the Lan(s) behind the fortigate.
        Does the PC get a "valid" dhcp address ?

        4:
        What DNS IP(s) have you set the fortigate DHCP server to hand out ?
        Have the PC's gotten that DNS info from the fortigate?

        Can your fortigate connected PC's ping the pfSense interface IP ?
        Can they ping 8.8.8.8 ?

        5:
        Is your fortigate "Wan" setup as doing NAT/PAT on the "WAN" (pfSense connect) interface ?
        If NOT , have you added a static route in the pfSense, routing the fortigate Lan(s) to the fortigate "Wan Ip" ?

        etc .. etc ..

        /Bingo

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

        • mofugga

          1:
          What pfSense interface did you connect the fortigate to.
          There is an ethernet cable connecting the two devices via the PFSense appliance's VLAN1 and Fortigate's WAN1.
          What ip address does the pfSense interface have ?
          **I set the PFSense device to 192.168.2.1 so that it doesn't conflict with Fortigate's which is set to 192.168.1.X as well.**

          2:
          What ip address does the fortigate have ?
          When looking through DHCP leases, the Fortigate device isn't being assigned a DHCP address but my Desktop is being assigned a DHCP address for some reason.

          Does it have the "default gateway" set to the pfSense interface IP ?
          When I connect my desktop to the PFsense device directly and run ipconfig in the command line, the default gateway shows 192.168.2.1 which is what I have my PFsense device configured to and I can access the internet fine. When I connect my desktop to my fortigate and connect my fortigate using the above interfaces (WAN1 fortigate and VLAN1 PFsense) my default gateway becomes 192.168.1.99 which is the Fortigate default gateway.

          3:
          From your (missing) description i expect the fortigate to be the DHCP server for the Lan(s) behind the fortigate.
          I believe so, yes.
          Does the PC get a "valid" dhcp address ?
          When I connect my desktop to the fortigate I do get a valid DHCP address and the default gateway is 192.168.1.99 which is the fortigate itself, but I am unable to reach the internet.

          4:
          What DNS IP(s) have you set the fortigate DHCP server to hand out ?
          Have the PC's gotten that DNS info from the fortigate?
          I am not sure about this. I have it set to the factory default settings.

          Can your fortigate connected PC's ping the pfSense interface IP ?
          No.
          Can they ping 8.8.8.8 ?
          No.

          5:
          Is your fortigate "Wan" setup as doing NAT/PAT on the "WAN" (pfSense connect) interface ?
          My fortigate "WAN1" I have been testing DHCP and manual. I did not test out PPPoE. I am not sure what NAT/PAT is. When I set my WAN1 to DHCP mode, it tries to connect to the DHCP server (which I am assuming is my PFsense device) but it shows "Failed"

          If NOT , have you added a static route in the pfSense, routing the fortigate Lan(s) to the fortigate "Wan Ip" ?
          There is a "Manual" option which I have tried setting to 192.168.2.1 but that isn't doing anything

          • bingo600 @mofugga

            @mofugga
            When you changed the pfSense interface net from 192.168.1.x to 192.168.2.x, did you remember to change the ip addresses in the pfSense DHCP server too?
            That could be the reason the fortigate "WAN" won't take a DHCP IP.

            And you never answered if you see any blocked packets in the pfSense, on the pfSense/fortigate "connect" interface?

            • mofugga @bingo600

              @bingo600

              Thanks for your help so far, but where should I check for blocked packets?

              When you changed the pfSense interface net from 192.168.1.x to 192.168.2.x, did you remember to change the ip addresses in the pfSense DHCP server too?
              That could be the reason the fortigate "WAN" won't take a DHCP IP.
              When I go to Services / DHCP Server / LAN, my Subnet shows 192.168.2.0, subnet mask 255.255.255.0, available range 192.168.2.1 - 192.168.2.254. The gateway is blank.

              For:
              Block private networks and loopback addresses

              Blocks traffic from reserved IP addresses (but not RFC 1918) or not yet assigned by IANA.

              These are both checked on WAN but not on LAN, WAN2, LAN2, LAN3, and LAN4. LAN2 is where the Fortigate interface is connected to the PFSense appliance but both of these are not checked on that interface.

              • viragomann @mofugga

                @mofugga
                What if you configure the IP settings on the Fortigate WAN1 manually?

                First shrink the DHCP range on pfSense. Then set a static WAN IP on the Fortigate. Consider also stating an upstream gateway in this case.

                Then try a ping to 8.8.8.8 from a client behind.

                • mofugga @viragomann

                  @viragomann

                  I set the range to 192.168.2.10 - 192.168.2.25 and then I connected my desktop to my fortigate and then manually set the Fortigate WAN2 interface to 'Manual' configuration with 192.168.2.1/24 as the IP/subnet and still am unable to receive a DHCP lease.

                  • viragomann @mofugga

                    @mofugga
                    So you connected WAN2 to pfSense now?

                    Setting a static IP for the network interface doesn't result in a DHCP lease. A lease can only be assigned to a DHCP client.

                    interface to 'Manual' configuration with 192.168.2.1/24 as the IP/subnet

                    This is the IP of the pfSense LAN as you wrote above. You have to set it to some other, like 192.168.2.2/24.

                    • mofugga @viragomann

                      @viragomann

                      Ah yes, I meant IP assignment, not DHCP lease. Yes I have the Fortigate WAN2 connected to the PFSense Appliance LAN2. The PFsense appliance is connected to the modem.

                      @viragomann said in PFSense (Netgate 4100) Setup with a Fortigate:

                      This is the IP of the pfSense LAN as you wrote above. You have to set it to some other, like 192.168.2.2/24.

                      I tried setting the WAN2 interface on my Fortigate to have a 'Manual' configuration with 192.168.2.2/24 and still unable to connect

                      • viragomann @mofugga

                        @mofugga
                        Does the Fortigate show even a connection on that interface?

                        Can you ping pfSense from it?
                        I assume you have the default rule on pfSense LAN, which allows any traffic.

                        • mofugga @viragomann

                          @viragomann

                          Yes, I have my PFsense rules on LAN set like this:

                          [image: Screenshot 2022-12-06 175705.png]

                          My Fortigate WAN2 interface was set like this:

                          [image: Screenshot 2022-12-06 175925.png]

                          When looking at the WAN2 interface in the fortigate CLI and running 'diag sniffer packet wan2 port 67 or port 68' I get this:

                          [image: Screenshot 2022-12-06 180241.png]

                          It is still not seeing the pfsense appliance I don't think.

                          • viragomann @mofugga

                            @mofugga said in PFSense (Netgate 4100) Setup with a Fortigate:

                            When looking at the WAN2 interface in the fortigate CLI and running 'diag sniffer packet wan2 port 67 or port 68' I get this:

                            Seems to be a wrong syntax.
                            Anyway you won't see any packets on these ports, since there is no DHCP client enabled now.

                            But again, can you ping 192.168.1.1?

                            Apart from the IP and mask you also have to state the pfSense IP as upstream gateway.

                            • mofugga @viragomann

                              @viragomann

                              When I try to ping 192.168.1.1 I get this:

                              [image: Screenshot 2022-12-06 181712.png]

                              @viragomann said in PFSense (Netgate 4100) Setup with a Fortigate:

                              Apart from the IP and mask you also have to state the pfSense IP as upstream gateway.

                              What do you mean state the pfSense IP as upstream gateway? I think I may know what you mean but I am not sure how to do this. My desktop sees 192.168.1.99 as the gateway which is my fortigate device. However I want it to be 192.168.2.1 which is my pfsense appliance. Perhaps my fortigate device is not seeing my pfsense appliance?

                              • viragomann @mofugga

                                @mofugga
                                I was talking about the Fortigate.
                                Run the ping on the Fortigate. I assume there is a possibility to do this.

                                And you have to set the default gateway on the Fortigate to 192.168.1.1.

                                • mofugga @viragomann
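The addressing rules that bingo600's checklist above (steps 1, 2 and 5) and viragomann's follow-ups converge on, written out as a small Python checker: the Fortigate WAN port needs an address in the pfSense LAN2 subnet that is not the pfSense address itself and sits outside the pfSense DHCP pool when assigned statically, its default gateway must be the pfSense address, the LAN behind the Fortigate must not overlap the connect subnet, and if the Fortigate does not NAT on its WAN, pfSense needs a static route for that LAN via the Fortigate WAN IP. This is an added example, not code from the thread, from Netgate or from Fortinet. The addresses are the ones from the thread; the NAT flag, the dataclass and all function names are assumptions made for the example.

```python
"""Consistency checks for a pfSense <-> FortiGate 'connect' network.

Added example; not code from the thread, Netgate or Fortinet. The
addresses are the ones used in the thread; the NAT flag and all names
here are assumptions for the example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class ConnectPlan:
    pfsense_if: IPv4Interface                    # pfSense LAN2 address/mask
    dhcp_pool: Tuple[IPv4Address, IPv4Address]   # pfSense DHCP range on LAN2
    fgt_wan: IPv4Interface                       # FortiGate WAN port address/mask
    fgt_gateway: Optional[IPv4Address]           # FortiGate default route next hop
    fgt_lans: List[IPv4Network] = field(default_factory=list)  # networks behind the FortiGate
    fgt_nat: bool = True                         # FortiGate policy does source NAT on its WAN


def check_plan(p: ConnectPlan) -> List[str]:
    """Return the problems found; an empty list means the addressing is consistent."""
    problems: List[str] = []
    net = p.pfsense_if.network
    lo, hi = p.dhcp_pool
    if lo not in net or hi not in net:
        # the interface subnet was changed but the DHCP pool was not moved with it
        problems.append(f"pfSense DHCP pool {lo}-{hi} is not inside {net}")
    if p.fgt_wan.network != net:
        problems.append(f"FortiGate WAN {p.fgt_wan} is not in the pfSense subnet {net}")
    if p.fgt_wan.ip == p.pfsense_if.ip:
        problems.append(f"FortiGate WAN reuses the pfSense address {p.pfsense_if.ip}")
    if lo <= p.fgt_wan.ip <= hi:
        problems.append(f"static FortiGate WAN {p.fgt_wan.ip} lies inside the DHCP pool {lo}-{hi}")
    if p.fgt_gateway is None:
        problems.append("FortiGate has no default gateway; it should be the pfSense address")
    elif p.fgt_gateway != p.pfsense_if.ip:
        problems.append(f"FortiGate default gateway {p.fgt_gateway} is not the pfSense address {p.pfsense_if.ip}")
    for lan in p.fgt_lans:
        if lan.overlaps(net):
            problems.append(f"FortiGate LAN {lan} overlaps the connect subnet {net}")
    return problems


def pfsense_return_routes(p: ConnectPlan) -> List[Tuple[IPv4Network, IPv4Address]]:
    """Static routes pfSense needs so replies reach the networks behind the FortiGate.

    With source NAT on the FortiGate WAN, replies are addressed to the FortiGate
    WAN IP, which is directly connected to pfSense, so no routes are needed.
    """
    if p.fgt_nat:
        return []
    return [(lan, p.fgt_wan.ip) for lan in p.fgt_lans]


def first_attempt() -> ConnectPlan:
    """The thread's first static attempt: WAN set to the pfSense address, no gateway."""
    return ConnectPlan(
        pfsense_if=IPv4Interface("192.168.2.1/24"),
        dhcp_pool=(IPv4Address("192.168.2.10"), IPv4Address("192.168.2.25")),
        fgt_wan=IPv4Interface("192.168.2.1/24"),
        fgt_gateway=None,
        fgt_lans=[IPv4Network("192.168.1.0/24")],
    )


def corrected_plan(nat: bool = True) -> ConnectPlan:
    """The addressing the replies recommend."""
    return ConnectPlan(
        pfsense_if=IPv4Interface("192.168.2.1/24"),
        dhcp_pool=(IPv4Address("192.168.2.10"), IPv4Address("192.168.2.25")),
        fgt_wan=IPv4Interface("192.168.2.2/24"),
        fgt_gateway=IPv4Address("192.168.2.1"),
        fgt_lans=[IPv4Network("192.168.1.0/24")],
        fgt_nat=nat,
    )


if __name__ == "__main__":
    for name, plan in (("first attempt", first_attempt()), ("corrected", corrected_plan())):
        print(f"{name}: {check_plan(plan) or 'OK'}")
    print("routes pfSense needs without FortiGate NAT:", pfsense_return_routes(corrected_plan(nat=False)))
```

Run as a script it flags the first attempt twice (WAN reuses 192.168.2.1, no default gateway) and passes the corrected plan; with `fgt_nat=False` it lists the static route pfSense would need for 192.168.1.0/24 via 192.168.2.2, which is bingo600's step 5. The DHCP-pool check is bingo600's later question about moving the DHCP server range along with the interface subnet.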

                                  @viragomann

                                  I added a static route to the fortigate to try to go to 192.168.2.1 which is what I have the pfsense appliance to.

                                  [image: Screenshot 2022-12-06 183226.png]

                                  And then I checked the WAN2 interface on the fortigate. The fortigate and PFsense appliance are connected on the fortigate WAN2 and PFsense LAN2.

                                  [image: Screenshot 2022-12-06 183348.png]

                                  And then I went to the fortigate CLI to try to ping the pfsense appliance from the fortigate. Still no connectivity.

                                  [image: Screenshot 2022-12-06 183309.png]

                                  • bingo600 @mofugga

                                    @mofugga
                                    Show your pfSense "Connect interface definition", where the fortigate is connected.

                                    Always check the Firewall logs , when having issues.
                                    Find it here: Status --> System Logs --> Firewall

                                    [image: b8ca5d9d-41fd-4570-93c0-1febc0bc2cc8-image.png]

                                    Imho you should concentrate on: Getting the fortigate to ping the pfSense IF on the connect net (192.168.2.1)
                                    Remember to allow ICMP on that connect interface, or pfSense will drop the packets.

                                    Edit: Why does the fortigate show WAN2 .... Do you have a WAN1 Active on the fortigate ???

                                    • mofugga @bingo600
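As an added example of the "check the firewall logs" step in the post above (not code from the thread or from Netgate), the following Python parses pfSense filterlog lines in the documented CSV layout (common fields, then the IPv4 or IPv6 header fields, then length, source, destination and protocol-specific fields) and counts blocked packets on the interface facing the Fortigate. The sample log lines are constructed for the example; the physical port name igb2 for LAN2, the rule and tracker numbers and the timestamps are assumptions. An interface added after the first LAN has no pass rules until you create them, so the Fortigate's pings to 192.168.2.1 land in the log as default-deny blocks like the two icmp entries in the sample, which is why the ICMP (and any other) pass rule on the connect interface matters.

```python
"""Find blocked packets on one pfSense interface in filterlog output.

Added example; not code from the thread or from Netgate. The sample lines
are constructed; 'igb2' as the port behind LAN2, the rule/tracker numbers
and the timestamps are assumptions.
"""
import csv
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# syslog header written in front of the filterlog CSV record
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ filterlog\[\d+\]: (?P<rec>.*)$"
)


@dataclass(frozen=True)
class FilterEvent:
    ts: str
    rule: str
    iface: str
    action: str           # "pass" or "block"
    direction: str        # "in" or "out"
    proto: str            # protocol text, e.g. "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int]  # destination port for tcp/udp, else None


def parse_filterlog_line(line: str) -> Optional[FilterEvent]:
    """Parse one syslog line from filterlog; return None for anything else."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    f = next(csv.reader([m.group("rec")]))
    if len(f) < 9:
        return None
    # common fields: rule, sub-rule, anchor, tracker, real-interface, reason, action, direction, ip-version
    rule, iface, action, direction, ipver = f[0], f[4], f[6], f[7], f[8]
    if ipver == "4":
        # tos, ecn, ttl, id, offset, flags, protocol-id, protocol-text
        proto, rest = f[16], f[17:]
    elif ipver == "6":
        # class, flow-label, hop-limit, protocol-text, protocol-id
        proto, rest = f[12], f[14:]
    else:
        return None
    if len(rest) < 3:
        return None
    _length, src, dst = rest[:3]
    dport = None
    if proto in ("tcp", "udp") and len(rest) >= 5:
        # tcp/udp continue with source-port, destination-port, data-length, ...
        dport = int(rest[4])
    return FilterEvent(m.group("ts"), rule, iface, action, direction, proto, src, dst, dport)


def blocked_on_interface(lines: Iterable[str], iface: str) -> Counter:
    """Count blocked packets on `iface`, keyed by (src, dst, proto, dport)."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_filterlog_line(line)
        if ev and ev.iface == iface and ev.action == "block":
            counts[(ev.src, ev.dst, ev.proto, ev.dport)] += 1
    return counts


# Constructed sample: the FortiGate WAN (192.168.2.2) pinging the pfSense LAN2
# address twice and trying HTTPS outbound, all blocked on igb2, plus a pass on
# the first LAN (igb1) and a block on WAN (igb0) that must not be counted.
SAMPLE_LOG = """\
Dec  6 18:17:10 pfSense filterlog[6011]: 7,,,1000000103,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.2.11,203.0.113.10,51000,443,0,S,1,,65535,,mss
Dec  6 18:17:12 pfSense filterlog[6011]: 9,,,1000000201,igb2,match,block,in,4,0x0,,64,0,0,DF,1,icmp,84,192.168.2.2,192.168.2.1,request,4660,1
Dec  6 18:17:13 pfSense filterlog[6011]: 9,,,1000000201,igb2,match,block,in,4,0x0,,64,0,0,DF,1,icmp,84,192.168.2.2,192.168.2.1,request,4660,2
Dec  6 18:17:15 pfSense filterlog[6011]: 9,,,1000000201,igb2,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.2.2,203.0.113.10,40321,443,0,S,1,,65535,,mss
Dec  6 18:17:20 pfSense filterlog[6011]: 12,,,1000000001,igb0,match,block,in,4,0x0,,128,0,0,DF,17,udp,328,10.0.0.5,255.255.255.255,68,67,308
"""


def summarize_sample() -> Counter:
    """Blocked packets on igb2 in the constructed sample."""
    return blocked_on_interface(SAMPLE_LOG.splitlines(), "igb2")


if __name__ == "__main__":
    for (src, dst, proto, dport), n in summarize_sample().items():
        port = f":{dport}" if dport is not None else ""
        print(f"blocked on igb2: {src} -> {dst}{port} {proto} x{n}")
```

On a real box the same lines come from Status --> System Logs --> Firewall (or `clog /var/log/filter.log` on the console); feed them to `blocked_on_interface` with the real interface name of the connect port, and anything from the Fortigate WAN address that shows up as `block` is a rule that is still missing.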

                                        @bingo600

                                        EDIT: Deleted and reposted for formatting.

                                        Here are my PFSense Interfaces. Because the Fortigate has a default IP address of 192.168.1.99 and default subnet of 192.168.1.X I changed the PFsense subnet to 192.168.2.X:

                                        PFsense Interfaces:
                                        [image: Screenshot 2022-12-08 175403.png]

                                        PFSense LAN2 Rules (where the PFSense LAN2 interface is connected to the Fortigate WAN1 interface):
                                        [image: Screenshot 2022-12-08 175044.png]
                                        I have the "Log packets that are handled by this rule" box checked for all rules here.

                                        LAN2 attempting DHCP configuration:
                                        [image: Screenshot 2022-12-08 175155.png]

                                        However, when I attempt to physically connect my desktop to my Fortigate and initiate an outbound connection in this configuration, I can see in my Fortigate logs that traffic is being sent out correctly, but return traffic is being stopped further upstream, presumably at my PFSense appliance.

                                        This is the configuration I mean:
                                        [image: test4.jpg]

                                        My desktop is connected to the fortigate's LAN port 4, the fortigate WAN1 is connected to the PFSense appliance VLAN2, and the PFsense appliance is connected to the modem.

                                        When running in this configuration and making a browser request to google.com I am still not getting any response back.
                                        [image: Screenshot 2022-12-08 180028.png]

                                        When checking the Fortigate logs, I can see the outbound traffic being sent, but that 0 bytes are being received:
                                        [image: Screenshot 2022-12-08 180058.png]
                                        However, I do not think this is because of my Fortigate firewall policy. This is the only policy I have from my internal traffic to WAN1:
                                        [image: Screenshot 2022-12-08 180141.png]

                                        I do have Squid setup on my PFsense device.

                                        I am still unable to ping the PFSense appliance from my Fortigate device even though I changed all of the rules on LAN2 of the PFSense appliance to accept IPv4+6 TCP/UDP/ICMP traffic and to log all captured packets. DHCP works fine in this configuration when I remove the Fortigate from the equation entirely:

                                        [image: test.jpg]

                                        The DHCP lease is also assigned correctly when I have it in this configuration as well. 192.168.2.11 is my desktop.
                                        [image: Screenshot 2022-12-08 182416.png]
                                        But for whatever reason, in the testing I have done to have PFSense and Fortigate find each other on the network, whether I set the interface on the Fortigate to MANUAL or DHCP, they still seem to be unable to find each other.

                                        • mofugga @mofugga

                                          @mofugga

                                          Never mind. I figured it out. I had to configure the LAN interface to have the appropriate rules. Thanks everyone for your help.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.