Access the Fortigate device from outside the site

Dears,

Hope you are doing well.
I configured my Mikrotik hex lite RB with the configuration below; it worked normally with all the configurations.

# feb/20/2023 14:30:16 by RouterOS 6.45.9
# software id = C10M-FSIX
#
# model = RB750r2
# serial number = 

/interface bridge
add name=private-ip-lan protocol-mode=none
add name=public-ip-lan protocol-mode=none

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=XXXXXXXXXXX use-peer-dns=yes user=F126580@ogeronet-2M.com

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

/interface bridge port
add bridge=private-ip-lan interface=ether2
add bridge=public-ip-lan interface=ether3

/ip address
add address=192.168.88.1/24 interface=private-ip-lan network=192.168.88.0
add address=public-IP/29 interface=public-ip-lan network=public-IP-network

/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=pppoe-out1
add chain=input comment="permit incoming RIP packets" dst-port=520 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input
add action=fasttrack-connection chain=forward connection-state=established,related
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add chain=forward in-interface=public-ip-lan
add chain=forward in-interface=private-ip-lan
add action=drop chain=forward

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=192.168.88.0/24

/routing prefix-lists
add chain=output prefix=public-IP-network/32 prefix-length=29
add action=discard chain=output prefix=0.0.0.0/32 prefix-length=0

/routing rip
set redistribute-connected=yes

/routing rip interface
add interface=pppoe-out1 out-prefix-list=output receive=v2

/routing rip network
add

/system clock
set time-zone-name=Asia/Beirut

My issue is that I have connected ether3 to the Fortigate wan1 port and put one of the public IPs on the wan1 interface. The internet worked normally on my local and wireless network, but I can’t access the Fortigate device from outside my site with this public IP.
Can you please help me solve this issue?

Best Regards,

I can’t say anything about the RIP part; I don’t know much about that. Only in the firewall: when you drop all incoming packets on pppoe-out1, allowing something after that is useless, because it will never get there (so you need to swap those rules). Other than that, I don’t see any problem.

Dears,

I swapped this rule with another one and permitted all input access to the PPPoE-out1, and it still didn’t work.
Kindly check the attached screenshot.

Best regards,

Ok, I lied. Not intentionally, I probably got misled by RIP and overlooked the obvious. If you want to access something connected to the public-ip-lan interface from outside, of course you need to allow it (this will allow full unlimited access, you may or may not want to limit it in some way):

/ip firewall filter
add chain=forward in-interface=pppoe-out1 out-interface=public-ip-lan action=accept
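
Added example (not part of the thread and not MikroTik code): a small Python model of first-match filter evaluation, run over the filter rules from the export with constructed sample packets. It shows that the RIP accept rule is never reached, that new connections from pppoe-out1 to public-ip-lan hit the final forward drop, and that the suggested rule only takes effect when it sits above that drop, since a plain `add` appends to the end of the list. The helper names, packet fields and the index 10 are assumptions of this model.

```python
# Filter rules from the export above (comment= and the fasttrack rule left out;
# fasttrack only touches established,related packets, not the new ones tested here).
EXPORT = """\
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=pppoe-out1
add chain=input dst-port=520 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add chain=forward in-interface=public-ip-lan
add chain=forward in-interface=private-ip-lan
add action=drop chain=forward"""
SUGGESTED = "add chain=forward in-interface=pppoe-out1 out-interface=public-ip-lan action=accept"

def parse(line):
    """One 'add key=value ...' line as a dict; RouterOS defaults action to accept."""
    return {"action": "accept", **dict(t.split("=", 1) for t in line.split()[1:])}

def verdict(rules, chain, pkt):
    """First matching rule decides. Returns (index, action); no match means accept."""
    for i, r in enumerate(rules):
        matchers = {k: v for k, v in r.items() if k not in ("action", "chain")}
        if r["chain"] == chain and all(pkt.get(k) in v.split(",") for k, v in matchers.items()):
            return i, r["action"]
    return None, "accept"

def insert(rules, line, before=None):
    """Copy of rules with line appended (plain 'add') or placed before an index."""
    out = list(rules)
    out.insert(len(out) if before is None else before, parse(line))
    return out

RULES = [parse(l) for l in EXPORT.splitlines()]
# Constructed packets: a new HTTPS connection to the FortiGate, and a RIP update.
TO_FGT = {"in-interface": "pppoe-out1", "out-interface": "public-ip-lan",
          "connection-state": "new", "protocol": "tcp", "dst-port": "443"}
RIP = {"in-interface": "pppoe-out1", "connection-state": "new",
       "protocol": "udp", "dst-port": "520"}

if __name__ == "__main__":
    print("RIP, as exported:       ", verdict(RULES, "input", RIP))
    print("FortiGate, as exported: ", verdict(RULES, "forward", TO_FGT))
    print("rule appended at end:   ", verdict(insert(RULES, SUGGESTED), "forward", TO_FGT))
    print("rule before final drop: ", verdict(insert(RULES, SUGGESTED, 10), "forward", TO_FGT))
```

On the router, the position of a rule can be checked with `/ip firewall filter print`; the accept rule has to be listed above `action=drop chain=forward`.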