Fortigate with TM UniFi

Your ads will be inserted here by

Easy Plugin for AdSense.

Please go to the plugin admin page to
Paste your ad code OR
Suppress this ad slot.

Recently UniFi subscriber are increasing from Home to Enterprise users and we received a lot of call from customer asking whether they can bypass Dlink router and dial up from Fortigate. The answer is “Yes”, they can and I do have a similar post that is for Cyberoam UTM firewall to replace Dlink router. The steps are pretty similar and i write up this guide just for Fortigate fans.

The following guide will show on how to configure Fortigate to make PPPoE connection on UniFi line without using the Dlink-615 Router.

1) Login to Fortigate Web GUI

2) Go to “System” -> “Network” -> “Interface”

3) Select either WAN 1 or 2 for Unifi connection and change the setting to use static IP then provide a dummy IP that does not clash with existing network on this interface.

4) Then click on “Create New” and the following screen appear, key in the according to the screenshot below

Your ads will be inserted here by

Easy Plugin for AdSense.

Please go to the plugin admin page to
Paste your ad code OR
Suppress this ad slot.

clip_image002

5) The following is the screenshot of the completed setting once you press “OK” button on steps 4 above.

clip_image004

You can see that Unifi is connected with the Public IP.

6) Once the connection is up, you need to create firewall policy for internal to Unifi as the WAN interface has changed from WAN 1 or 2 to Unifi. Hence all the firewall policy required to reflect on the new interface. If there is any Virtual IP previously set on using WAN 1 or 2 would required to change accordingly.

Wiring connection

The physical connection will be direct connection from the Telekom Huawei Fiber modem to Fortigate WAN 1 or 2 and remove all the cable connecting to DLink-615 router. If you need to use D-link wireless, then you need to change the setting on the D-link router.

17 thoughts on “Fortigate with TM UniFi”

  1. Hi Simon,

    Thanks for your guide, my Fortiwifi 50B is now able to connect to Unifi via vlan 500.

    However, the other problem arise as Unifi seems like dropping the SSL VPN request. Now my Forti VPN client unable to connect to the Unifi version, but ok with the Streamyx version. Did you encounter same problem?

    Cheer,
    Victor

  2. Hi Victor,

    Glad to hear that you manage to get it working on the UniFi, as for the issue on the SSL VPN you need to create the firewall rules for on the UniFi interface as well. Its just the same setup as for the existing Streamyx line.

    Hope I get it right for you and please do give it a try, let me know if it’s working.

  3. hai simon,
    question:
    a) does using UniFi support VPN , Voip needs? Like having a range of static ip?
    we do have a Call-Center environment here.

    tq

  4. Hi Simon,

    I use fortigate 30B, follow your instruction one by one. under create new interface, do it line by line same as per intruction. When finish and click ok, the error message “Input value is invalid” .

    Please help me …

    Thanks

  5. Hi Danish,

    Sorry for late reply, real busy for the past few month. As for your question, yes it does support VPN and others VOIP needs but if you’re still using the routers that provided by ISP in some cases would able to establish VPN. So i write up this guide to bypass it, hope I have answers to your question.

  6. Hi Zul,
    I have same experience with you. And my answer is FortiGate-30B do not support VLAN.
    It will show you “Input value is invalid”.

    I have also tried FortiGate-40C. that is no “Create New” button on “Interface” page.
    The only way to create VLAN is using CLi command.

  7. Can this apply to Fortinet 40C model to do direct connection to Huawei BTU..
    when create the New Interface still not able to set the VID 500 option(Never Appearance).

    Try to look the Firmware 4.3 OS but not availble for this model…

  8. Hi Wilson,

    I’ve not tried on the CLI for FG-40C as I do not have that unit to test on.

    Loke,

    Can you try to enable the VLAN on CLI as suggest from Wilson.

  9. ji simon,

    how to configure D-link Router wireless with fortigate? i need use this router..

  10. Hi Yuzairi,

    If i’m not understand wrongly that you need to use that Dlink wireless router just for wifi for your LAN, right? Since you have already bypass the Dlink router to have your UniFi connection from your Fortigate, so you just need to reset the Dlink router to factory default setting and change the LAN interface IP to be same range with your LAN and disable the DHCP option. After that plug in cable from your LAN switch to Dlink router LAN port and you’ll have the wifi working, don’t forget to set password for your Wifi else everyone will be using your free access.

    Cheers.

  11. Hi Simon,
    I’m try to follow your advise to setup the 50B, it is connect to unifi but I cannot browse the internet. I’m also follow the step 6.. still unable to browse. Please advise.

  12. hi simon,
    i using fortinet 60D.. vpn site to site is up, but cant ping internal ip. using unifi. is it tm router block..thanks in advance

  13. Hi Asyraf,

    TM router should not have block since you manage to up the VPN tunnel, could be your firewall policy that you have not use the correct interface. Else if you could paste your configuration file on the firewall policy to check on it.

  14. Hi BC,

    Sorry for late reply, if you have follow the steps and still can’t access to internet that could be you have not enable the “NAT” option on the firewall policy. You need to enable “NAT” in-order to access to internet, give it a try and let me know the outcome.

  15. Hi Heng,

    From what I get from your post is that you have 2 x 20Mb line and your existing firewall does not have enough port? What model that you currently using? WAN 1 & WAN 2 port being used? How about DMZ port?

    Actually you can use DMZ port as your WAN port and you just need to play around with the firewall policy. Hope that helps :).

Leave a Reply

Your email address will not be published. Required fields are marked *

*