Static routing example
This is an example of a typical small network configuration that uses only static routing.
This network is in a dentist office that includes a number of dentists, assistants, and office staff. The size of the office is not expected to grow significantly in the near future, and the network usage is very stable—there are no new applications being added to the network.
The users on the network are:
- Admin staff - access to local patient records, and perform online billing
- Dentists - access and update local patient records, research online from desk
- Assistants - access and update local patient records in exam rooms
The distinction here is mainly that only the admin staff and the dentists’ offices need access to the Internet—all the other traffic is local and doesn’t need to leave the local network. Routing is only required for the outbound traffic, and only on the computers that have valid outbound traffic.
Configuring routing only on computers that need it acts as an additional layer of security by helping prevent malicious traffic from leaving the network.
This section includes the following topics:
- Network layout and assumptions
- General configuration steps
- Configure FortiGate unit
- Configure Admin PC and Dentist PCs
- Testing network configuration
Network layout and assumptions
The computers on the network are admin staff computers, dentist office computers, and dental exam room computers. While there are other devices on the local network such as printers, they do not need Internet access or any routing.
This networked office equipment includes 1 admin staff PC, 3 dentist PCs, and 5 exam room PCs. There is also a network printer and a router on the network.
Assumptions about these computers, and network include:
- The FortiGate unit is a model with interfaces labeled port1 and port2.
- The FortiGate unit has been installed and is configured in NAT/Route mode.
- VDOMs are not enabled.
- The computers on the network are running MS Windows software.
- Any hubs required in the network are not shown in the network diagram.
- The network administrator has access to the ISP IP addresses, and is the super_admin administrator on the FortiGate unit.
Static routing example device names, IP addresses, and level of access
Device Name(s) | IP address | Need external access? |
---|---|---|
Router | 192.168.10.1 | YES |
Admin | 192.168.10.11 | YES |
Dentist1-3 | 192.168.10.21-23 | YES |
Exam1-5 | 192.168.10.31-35 | NO |
Printer | 192.168.10.41 | NO |
General configuration steps
The steps to configure routing on this network are:
- Get your ISP information such as DNS, gateway, etc.
- Configure FortiGate unit
- Configure Admin PC and Dentist PCs
- Testing network configuration
Get your ISP information such as DNS, gateway, etc.
Your local network connects to the Internet through your Internet Service Provider (ISP). Your ISP supplies the IP addresses you need to configure your network and routing.
The addresses needed for routing are your assigned IP address, the DNS servers, and the gateway.
Configure FortiGate unit
The FortiGate unit will have two interfaces in use—one connected to the internal network and one connected to the external network. Port1 will be the internal interface, and port2 will be the external interface.
To configure the FortiGate unit:
- Configure the internal interface (port1)
- Configure the external interface (port2)
- Configure networking information
- Configure basic security policies
- Configure static routing
Configure the internal interface (port1)
To configure the internal interface (port1) - web based manager
- Go to System > Network > Interfaces. Highlight port1 and select Edit.
- Enter the following:
Addressing Mode | Manual |
IP/Netmask | 192.168.10.1/255.255.255.0 |
Administrative Access | HTTPS, PING, TELNET |
Description | Internal network |
To configure the internal interface (port1) - CLI
config system interface
    edit port1
        set ip 192.168.10.1 255.255.255.0
        set allowaccess https ping telnet
        set description "internal network"
    next
end
Configure the external interface (port2)
The external interface connects to your ISP’s network. You need to know the IP addresses in their network that you should connect to, and use those addresses when you get them. For this example we assume the address your ISP gave you is 172.100.20.20, that it connects to the gateway at 172.100.20.5 on their network, and that their DNS servers are 172.11.22.33 and 172.11.22.34.
To configure the external interface (port2) - web based manager
- Go to System > Network > Interfaces. Highlight port2 and select Edit.
- Enter the following:
Addressing Mode | Manual |
IP/Netmask | 172.100.20.20/255.255.255.0 |
Administrative Access | HTTPS, PING, TELNET |
Description | External network |
Telnet sends administrator credentials in cleartext; on an Internet-facing interface, limit administrative access to HTTPS (and PING, if needed) once initial setup is complete.
To configure the external interface (port2) - CLI
config system interface
    edit port2
        set ip 172.100.20.20 255.255.255.0
        set allowaccess https ping telnet
        set description "external network"
    next
end
Configure networking information
Networking information includes the gateway and the DNS servers. Your FortiGate unit requires a connection to the Internet for antivirus and other periodic updates.
To configure networking information - web-based manager
- Go to System > Network > DNS.
- Enter the primary and secondary DNS addresses.
- Select Apply.
To configure networking information - CLI
config system dns
    set primary 172.11.22.33
    set secondary 172.11.22.34
end
Configure basic security policies
For traffic to flow between the internal and external ports in both directions, two security policies are required as a minimum. More can be used to further limit or direct traffic as needed, but they are not included here.
Before configuring the security policies, a firewall address group is configured for the PCs that are allowed Internet access. Because only members of this group appear in the policies, PCs without Internet privileges fall through to the implicit deny and cannot access the Internet.
The security policy assumptions are:
- Only the basic networking services have been listed as allowed for added security. Others can easily be added as the users require them.
- To keep this example simple, both the incoming and outgoing security policies are the same. In a real network there are applications that are allowed out but not in, and vice versa.
- Endpoint control has been enabled to ensure that all computers on the local network are running FortiClient and those installs are up to date. This feature ensures added security on your local network without the need for the network administrator to continually bother users to update their software. The FortiGate unit can store an up to date copy of the FortiClient software and offer a URL to it for users to install it if they need to.
To configure security policies - web-based manager
- Go to Policy & Objects > Objects > Addresses.
- Create a new Firewall Address entry for each of:
PC Name | IP Address | Interface |
Admin | 192.168.10.11 | port1 |
Dentist1 | 192.168.10.21 | port1 |
Dentist2 | 192.168.10.22 | port1 |
Dentist3 | 192.168.10.23 | port1 |
- Go to Policy & Objects > Objects > Addresses.
- Select the dropdown arrow next to Create New and select Address Group.
- Name the group Internet_PCs.
- Add Admin, Dentist1, Dentist2, and Dentist3 as members of the group.
- Select OK.
- Go to Policy & Objects > Policy > IPv4.
- Select Create New.
- Enter the following (port2, external, to port1, internal):
Incoming Interface | port2 |
Source Address | all |
Outgoing Interface | port1 |
Destination Address | Internet_PCs |
Schedule | always |
Service | Multiple. Select DHCP, DNS, FTP, HTTP, HTTPS, NTP, POP3, SMTP, SSH. |
Action | ACCEPT |
Log Allowed Traffic | Enabled |
- Select OK.
- Select Create New.
- Enter the following:
Incoming Interface | port1 |
Source Address | Internet_PCs |
Outgoing Interface | port2 |
Destination Address | all |
Schedule | always |
Service | Multiple. Select DHCP, DNS, FTP, HTTP, HTTPS, NTP, POP3, SMTP, SSH. |
Action | ACCEPT |
Log Allowed Traffic | Enabled |
- Select OK.
To configure security policies - CLI
config firewall address
    edit "Admin"
        set associated-interface "port1"
        set subnet 192.168.10.11 255.255.255.255
    next
    edit "Dentist1"
        set associated-interface "port1"
        set subnet 192.168.10.21 255.255.255.255
    next
    edit "Dentist2"
        set associated-interface "port1"
        set subnet 192.168.10.22 255.255.255.255
    next
    edit "Dentist3"
        set associated-interface "port1"
        set subnet 192.168.10.23 255.255.255.255
    next
end
config firewall addrgrp
    edit "Internet_PCs"
        set member "Admin" "Dentist1" "Dentist2" "Dentist3"
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "Internet_PCs"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DHCP" "DNS" "FTP" "HTTP" "HTTPS" "NTP" "POP3" "SMTP" "SSH"
        set logtraffic enable
        set label "Section2"
        set endpoint-restrict-check no-av db-outdated
    next
    edit 2
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Internet_PCs"
        set action accept
        set schedule "always"
        set service "DHCP" "DNS" "FTP" "HTTP" "HTTPS" "NTP" "POP3" "SMTP" "SSH"
        set logtraffic enable
        set label "Section2"
        set endpoint-restrict-check no-av db-outdated
    next
end
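As an added example (not part of the original page), the following Python script models the address objects, the Internet_PCs group and the two policies above, then evaluates sample flows with first-match semantics and an implicit deny. It reproduces the "Need external access?" table from the policies alone, confirming that the exam room PCs and the printer cannot reach the Internet; the external host 203.0.113.10 is a constructed placeholder.

```python
import ipaddress

# Address objects, group and policies transcribed from the tables on this page.
ADDRESSES = {
    "Admin": "192.168.10.11/32", "Dentist1": "192.168.10.21/32",
    "Dentist2": "192.168.10.22/32", "Dentist3": "192.168.10.23/32",
    "all": "0.0.0.0/0",
}
GROUPS = {"Internet_PCs": ["Admin", "Dentist1", "Dentist2", "Dentist3"]}
SERVICES = {"DHCP", "DNS", "FTP", "HTTP", "HTTPS", "NTP", "POP3", "SMTP", "SSH"}
# (policy id, srcintf, dstintf, srcaddr, dstaddr, allowed services)
POLICIES = [
    (1, "port1", "port2", "Internet_PCs", "all", SERVICES),
    (2, "port2", "port1", "all", "Internet_PCs", SERVICES),
]
# Devices from the access table, including ones no policy mentions; those
# must fall through to the implicit deny.
DEVICES = {
    "Admin": "192.168.10.11", "Dentist1": "192.168.10.21",
    "Dentist2": "192.168.10.22", "Dentist3": "192.168.10.23",
    "Exam1": "192.168.10.31", "Exam5": "192.168.10.35", "Printer": "192.168.10.41",
}
EXTERNAL_HOST = "203.0.113.10"  # constructed placeholder for an Internet host


def expand(name):
    """Resolve an address or address-group name to a list of networks."""
    if name in GROUPS:
        return [net for member in GROUPS[name] for net in expand(member)]
    return [ipaddress.ip_network(ADDRESSES[name])]


def ip_in(ip, name):
    return any(ipaddress.ip_address(ip) in net for net in expand(name))


def match_policy(srcintf, dstintf, src_ip, dst_ip, service):
    """First matching policy wins; no match means the implicit deny (id 0)."""
    for pid, sintf, dintf, saddr, daddr, services in POLICIES:
        if (sintf == srcintf and dintf == dstintf and service in services
                and ip_in(src_ip, saddr) and ip_in(dst_ip, daddr)):
            return ("accept", pid)
    return ("deny", 0)


def internet_access_table(service="HTTPS"):
    """Which local devices may open an outbound connection to the Internet."""
    return {name: match_policy("port1", "port2", ip, EXTERNAL_HOST, service)[0] == "accept"
            for name, ip in DEVICES.items()}


if __name__ == "__main__":
    for name, allowed in internet_access_table().items():
        print(f"{name:9} external access: {'YES' if allowed else 'NO'}")
```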
Configure static routing
With the rest of the FortiGate unit configured, static routing is the last step before moving on to the rest of the local network. All traffic on the local network will be routed according to this static routing entry.
To configure FortiGate unit static routing - web-based manager
- Go to Router > Static > Static Routes.
- Select Edit for the top route on the page.
- Enter the following:
Destination IP/Mask | 0.0.0.0/0.0.0.0 |
Device | port2 |
Gateway | 172.100.20.5 |
Distance | 10 |
- Select OK.
To configure FortiGate unit static routing - CLI
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 172.100.20.5
        set distance 10
        set device port2
    next
end
Configure Admin PC and Dentist PCs
With the router configured, next we need to configure the computers that need Internet access. These computers need routing to be configured on them. As the other computers do not require routing, they are not included here.
The procedure to configure these computers is the same. Repeat the following procedure for the corresponding PCs.
The Windows CLI procedure does not configure the DNS entries. It just adds the static routes.
To configure routing and DNS on Admin and Dentist PCs - Windows GUI
- On the PC, select Start > Control Panel > Network Connections.
- Right click on the network connection to your local network that has a status of Connected, and select Properties.
- Under the General tab, from the list select TCP/IP, and Properties.
- Under Gateway, enter the FortiGate unit address (192.168.10.1).
- Enter the primary and secondary DNS server addresses from your ISP (172.11.22.33 and 172.11.22.34).
- Select OK.
To configure routing on Admin and Dentist PCs - Windows CLI
- On the PC, select Start > Run, enter “cmd”, and select OK.
- At the command prompt, type
route ADD 0.0.0.0 MASK 0.0.0.0 192.168.10.1 METRIC 10
route ADD 192.168.10.0 MASK 255.255.255.0 192.168.10.1 METRIC 5
The default route points at the FortiGate internal interface (192.168.10.1), the only gateway on the PC’s own subnet; the ISP gateway is reached by the FortiGate, not directly by the PCs. Routes added this way are lost at reboot unless the -p (persistent) option is given.
- Confirm these routes have been added. Type:
route PRINT
If you do not see the two routes you added, try adding them again, paying attention to avoid spelling mistakes.
- Test that you can communicate with other computers on the local network and with the Internet. If there are no other computers on the local network, connect to the FortiGate unit.
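As an added illustration, not from the original page, this Python model of a single-interface Windows host route table applies the two route ADD commands above for Dentist1 (192.168.10.21/24) and resolves next hops by longest prefix, then lowest metric. It also models the Windows rule that a gateway must lie on the interface’s own subnet, which is why the default route must use the FortiGate (192.168.10.1) and not the ISP gateway 172.100.20.5; the Internet destination 203.0.113.10 is a constructed placeholder.

```python
import ipaddress


class HostRoutingTable:
    """Minimal model of a single-interface Windows host route table."""

    def __init__(self, host_ip, netmask):
        self.iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
        # The connected subnet is always reachable directly (on-link), metric 0.
        self.routes = [(self.iface.network, None, 0)]

    def add(self, dst, mask, gateway, metric):
        """Equivalent of: route ADD <dst> MASK <mask> <gateway> METRIC <metric>.
        Windows rejects a gateway that is not on the interface's subnet."""
        gw = ipaddress.ip_address(gateway)
        if gw not in self.iface.network:
            raise ValueError(f"gateway {gw} does not lie on {self.iface.network}")
        self.routes.append((ipaddress.ip_network(f"{dst}/{mask}"), gw, metric))

    def lookup(self, dst):
        """Return the next hop for dst: a gateway address, 'on-link', or None."""
        ip = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if ip in r[0]]
        if not candidates:
            return None
        # Longest prefix wins; on a tie, the lowest metric wins.
        _net, gw, _metric = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
        return str(gw) if gw is not None else "on-link"


def dentist1_table():
    """Route table for Dentist1 after the two commands in the procedure above."""
    table = HostRoutingTable("192.168.10.21", "255.255.255.0")
    table.add("0.0.0.0", "0.0.0.0", "192.168.10.1", 10)            # default via FortiGate
    table.add("192.168.10.0", "255.255.255.0", "192.168.10.1", 5)  # local subnet
    return table


if __name__ == "__main__":
    t = dentist1_table()
    print("Internet host 203.0.113.10 ->", t.lookup("203.0.113.10"))  # 192.168.10.1
    print("Exam4 192.168.10.34        ->", t.lookup("192.168.10.34"))  # on-link
    try:
        t.add("0.0.0.0", "0.0.0.0", "172.100.20.5", 10)
    except ValueError as err:
        print("ISP gateway rejected:", err)
```

The local /24 route added by the second command never wins over the connected subnet because the tie on prefix length is broken by the lower on-link metric, so it is harmless but redundant.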
Configure other PCs on the local network
The PCs on the local network without Internet access (the exam room PCs) can be configured now.
As this step does not require any routing, details have not been included.
Testing network configuration
There are three tests to run on the network to ensure proper connectivity.
- Test that PCs on the local network can communicate
- Test that Internet_PCs on the local network can access the Internet
- Test that non-Internet_PCs cannot access the Internet
Test that PCs on the local network can communicate
- Select any two PCs on the local network, such as Exam4 and Dentist3.
- On the Exam4 PC, at the command prompt enter ping 192.168.10.23. The output from this command should appear similar to the following.
Pinging 192.168.10.23 with 32 bytes of data:
Reply from 192.168.10.23: bytes=32 time<1ms TTL=255
Reply from 192.168.10.23: bytes=32 time<1ms TTL=255
Reply from 192.168.10.23: bytes=32 time<1ms TTL=255
- At the command prompt enter exit to close the window.
- On the Dentist3 PC, at the command prompt enter ping 192.168.10.34. The output from this command should appear similar to the following.
Pinging 192.168.10.34 with 32 bytes of data:
Reply from 192.168.10.34: bytes=32 time<1ms TTL=255
Reply from 192.168.10.34: bytes=32 time<1ms TTL=255
Reply from 192.168.10.34: bytes=32 time<1ms TTL=255
- At the command prompt enter exit to close the window.
- Repeat these steps for all PCs on the local network.
If the output does not appear similar to the above, there is a problem with the network configuration between these two PCs.
To test that Internet_PCs on the local network can access the Internet
The easiest way to test Internet access is with a web browser. If that doesn’t work, it is best to run a traceroute to see at what point the problem occurs. This helps determine whether it is a networking problem such as cabling, or an access problem such as this PC not having Internet access.
- Select any PC on the local network that is supposed to have Internet access, such as Admin.
- On the Admin PC, open a web browser and attempt to access a website on the Internet such as https://www.fortinet.com. If this is successful, this PC has Internet access.
- If step 2 was not successful, at the command prompt on the PC enter tracert 172.11.22.33. The output from this command should appear similar to:
Pinging 172.11.22.33 with 32 bytes of data:
Reply from 172.11.22.33: bytes=32 time<1ms TTL=255
Reply from 172.11.22.33: bytes=32 time<1ms TTL=255
Reply from 172.11.22.33: bytes=32 time<1ms TTL=255