Static routing example

This is an example of a typical small network configuration that uses only static routing.

This network is in a dentist office that includes a number of dentists, assistants, and office staff. The size of the office is not expected to grow significantly in the near future, and the network usage is very stable—there are no new applications being added to the network.

The users on the network are:

  • Admin staff - access local patient records and perform online billing
  • Dentists - access and update local patient records, research online from their desks
  • Assistants - access and update local patient records in the exam rooms

The distinction here is mainly that only the admin staff and dentist’s office need access to the Internet—all the other traffic is local and doesn’t need to leave the local network. Routing is only required for the outbound traffic, and the computers that have valid outbound traffic.

Note: Configuring routing only on the computers that need it adds a layer of security by helping prevent malicious traffic from leaving the network.


Network layout and assumptions

The computers on the network are admin staff computers, dentist office computers, and dental exam room computers. While there are other devices on the local network such as printers, they do not need Internet access or any routing.

This networked office equipment includes 1 admin staff PC, 3 dentist PCs, and 5 exam room PCs. There is also a network printer and a router on the network.

Assumptions about these computers and the network include:

  • The FortiGate unit is a model with interfaces labeled port1 and port2.
  • The FortiGate unit has been installed and is configured in NAT/Route mode.
  • VDOMs are not enabled.
  • The computers on the network are running MS Windows software.
  • Any hubs required in the network are not shown in the network diagram.
  • The network administrator has access to the ISP IP addresses, and is the super_admin administrator on the FortiGate unit.

Static routing example device names, IP addresses, and level of access

Device Name(s)   IP address          Need external access?
Router           192.168.10.1        YES
Admin            192.168.10.11       YES
Dentist1-3       192.168.10.21-23    YES
Exam1-5          192.168.10.31-35    NO
Printer          192.168.10.41       NO

General configuration steps

The steps to configure routing on this network are:

  1. Get your ISP information such as DNS, gateway, etc.
  2. Configure FortiGate unit
  3. Configure Admin PC and Dentist PCs
  4. Testing network configuration

Get your ISP information such as DNS, gateway, etc.

Your local network connects to the Internet through your Internet Service Provider (ISP), which supplies the IP addresses you need to configure your network and routing.

The addresses needed for routing are your assigned IP address, DNS servers, and the gateway.

Configure FortiGate unit

The FortiGate unit will have two interfaces in use—one connected to the internal network and one connected to the external network. Port1 will be the internal interface, and port2 will be the external interface.

To configure the FortiGate unit:

  1. Configure the internal interface (port1)
  2. Configure the external interface (port2)
  3. Configure networking information
  4. Configure basic security policies
  5. Configure static routing

Configure the internal interface (port1)

To configure the internal interface (port1) - web-based manager
  1. Go to Network > Interfaces. Highlight port1 and select Edit.
  2. Enter the following:

Addressing Mode: Manual
IP/Netmask: 192.168.10.1/255.255.255.0
Administrative Access: HTTPS, PING, TELNET
Description: Internal network

To configure the internal interface (port1) - CLI

config system interface
    edit port1
        set ip 192.168.10.1 255.255.255.0
        set allowaccess https ping telnet
        set description "internal network"
    next
end

Configure the external interface (port2)

The external interface connects to your ISP's network, so you need to know the addresses on their network that you should connect to. Use the addresses your ISP gives you; for this example we assume the address your ISP assigned you is 172.100.20.20, that it connects to the gateway at 172.100.20.5 on their network, and that their DNS servers are 172.11.22.33 and 172.11.22.34.

To configure the external interface (port2) - web-based manager
  1. Go to Network > Interfaces. Highlight port2 and select Edit.
  2. Enter the following:

Addressing Mode: Manual
IP/Netmask: 172.100.20.20/255.255.255.0
Administrative Access: HTTPS, PING, TELNET
Description: External network

To configure the external interface (port2) - CLI

config system interface
    edit port2
        set ip 172.100.20.20 255.255.255.0
        set allowaccess https ping telnet
        set description "external network"
    next
end

Configure networking information

Networking information includes the gateway, and DNS servers. Your FortiGate unit requires a connection to the Internet for antivirus and other periodic updates.

To configure networking information - web-based manager
  1. Go to Network > DNS.
  2. Enter the primary and secondary DNS addresses.
  3. Select Apply.

To configure networking information - CLI

config system dns
    set primary 172.11.22.33
    set secondary 172.11.22.34
end

Configure basic security policies

For traffic to flow between the internal and external ports in both directions, two security policies are required as a minimum. More can be used to further limit or direct traffic as needed, but they are not included here.

Before configuring the security policies, a firewall address group is configured for the PCs that are allowed Internet access. This prevents PCs without Internet privileges from accessing the Internet.

The security policy assumptions are:

  • Only the basic networking services have been listed as allowed for added security. Others can easily be added as the users require them.
  • To keep this example simple, both the incoming and outgoing security policies are the same. In a real network there are applications that are allowed out but not in, and vice versa.
  • Endpoint control has been enabled to ensure that all computers on the local network are running FortiClient and those installs are up to date. This feature ensures added security on your local network without the need for the network administrator to continually bother users to update their software. The FortiGate unit can store an up to date copy of the FortiClient software and offer a URL to it for users to install it if they need to.
To configure security policies - web-based manager
  1. Go to Policy & Objects > Objects > Addresses.
  2. Create a new Firewall Address entry for each of:

PC Name    IP Address      Interface
Admin      192.168.10.11   port1
Dentist1   192.168.10.21   port1
Dentist2   192.168.10.22   port1
Dentist3   192.168.10.23   port1

  3. Go to Policy & Objects > Objects > Addresses.
  4. Select the dropdown arrow next to Create New and select Address Group.
  5. Name the group Internet_PCs.
  6. Add Admin, Dentist1, Dentist2, and Dentist3 as members of the group.
  7. Select OK.
  8. Go to Policy & Objects > Policy > IPv4.
  9. Select Create New.
  10. Enter the following for the port2 (external) -> port1 (internal) policy:

Incoming Interface: port2
Source Address: all
Outgoing Interface: port1
Destination Address: Internet_PCs
Schedule: always
Service: Multiple. Select DHCP, DNS, FTP, HTTP, HTTPS, NTP, POP3, SMTP, SSH.
Action: ACCEPT
Log Allowed Traffic: Enabled

  11. Select OK.
  12. Select Create New.
  13. Enter the following for the port1 (internal) -> port2 (external) policy:

Incoming Interface: port1
Source Address: Internet_PCs
Outgoing Interface: port2
Destination Address: all
Schedule: always
Service: Multiple. Select DHCP, DNS, FTP, HTTP, HTTPS, NTP, POP3, SMTP, SSH.
Action: ACCEPT
Log Allowed Traffic: Enabled

  14. Select OK.
To configure security policies - CLI

config firewall address
    edit "Admin"
        set associated-interface "port1"
        set subnet 192.168.10.11 255.255.255.255
    next
    edit "Dentist1"
        set associated-interface "port1"
        set subnet 192.168.10.21 255.255.255.255
    next
    edit "Dentist2"
        set associated-interface "port1"
        set subnet 192.168.10.22 255.255.255.255
    next
    edit "Dentist3"
        set associated-interface "port1"
        set subnet 192.168.10.23 255.255.255.255
    next
end

config firewall addrgrp
    edit "Internet_PCs"
        set member "Admin" "Dentist1" "Dentist2" "Dentist3"
    next
end

config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "Internet_PCs"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DHCP" "DNS" "FTP" "HTTP" "HTTPS" "NTP" "POP3" "SMTP" "SSH"
        set logtraffic enable
        set label "Section2"
        set endpoint-restrict-check no-av db-outdated
    next
    edit 2
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Internet_PCs"
        set action accept
        set schedule "always"
        set service "DHCP" "DNS" "FTP" "HTTP" "HTTPS" "NTP" "POP3" "SMTP" "SSH"
        set logtraffic enable
        set label "Section2"
        set endpoint-restrict-check no-av db-outdated
    next
end
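To check, before applying the configuration, which local PCs the two policies above actually let out through port2, the following Python models the address objects, the Internet_PCs group and FortiOS's first-match policy lookup with the implicit deny at the end. It is example code added for this page, not Fortinet's; the policy dictionaries, the evaluator and the public test address 203.0.113.10 are constructed for it.

```python
import ipaddress

# Constructed from the CLI configuration above: firewall addresses,
# the Internet_PCs address group, and the two security policies.
ADDRESSES = {
    "all": ipaddress.ip_network("0.0.0.0/0"),
    "Admin": ipaddress.ip_network("192.168.10.11/32"),
    "Dentist1": ipaddress.ip_network("192.168.10.21/32"),
    "Dentist2": ipaddress.ip_network("192.168.10.22/32"),
    "Dentist3": ipaddress.ip_network("192.168.10.23/32"),
}
ADDRGRPS = {"Internet_PCs": ["Admin", "Dentist1", "Dentist2", "Dentist3"]}
SERVICES = {"DHCP", "DNS", "FTP", "HTTP", "HTTPS", "NTP", "POP3", "SMTP", "SSH"}
# Policies are evaluated top to bottom; the first match decides and
# anything unmatched falls through to the implicit deny.
POLICIES = [
    {"id": 1, "srcintf": "port1", "dstintf": "port2",
     "srcaddr": "Internet_PCs", "dstaddr": "all", "service": SERVICES},
    {"id": 2, "srcintf": "port2", "dstintf": "port1",
     "srcaddr": "all", "dstaddr": "Internet_PCs", "service": SERVICES},
]


def expand(name):
    """Resolve an address or address-group name to its list of networks."""
    if name in ADDRGRPS:
        return [net for member in ADDRGRPS[name] for net in expand(member)]
    return [ADDRESSES[name]]


def matches(name, ip):
    return any(ipaddress.ip_address(ip) in net for net in expand(name))


def lookup(srcintf, src_ip, dstintf, dst_ip, service):
    """Return (policy id, action); id 0 is the implicit deny."""
    for p in POLICIES:
        if (p["srcintf"], p["dstintf"]) != (srcintf, dstintf):
            continue
        if service not in p["service"]:
            continue
        if matches(p["srcaddr"], src_ip) and matches(p["dstaddr"], dst_ip):
            return p["id"], "accept"
    return 0, "deny"


def internet_access_report():
    """Which devices from the device table may open HTTPS out via port2."""
    pcs = {"Admin": "192.168.10.11", "Dentist3": "192.168.10.23",
           "Exam4": "192.168.10.34", "Printer": "192.168.10.41"}
    return {name: lookup("port1", ip, "port2", "203.0.113.10", "HTTPS")[1]
            for name, ip in pcs.items()}
```

That policy 2 matches an Internet-initiated SSH connection to Dentist1 is the simplification the assumptions list warns about: in a real network the inbound policy should not mirror the outbound one.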

Configure static routing

With the rest of the FortiGate unit configured, static routing is the last step before moving on to the rest of the local network. All traffic leaving the local network will be routed according to this static routing entry.

To configure FortiGate unit static routing - web-based manager
  1. Go to Network > Static Routes.
  2. Select Edit for the top route on the page.
  3. Enter the following:

Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: port2
Gateway: 172.100.20.5
Distance: 10

  4. Select OK.

To configure FortiGate unit static routing - CLI

config router static
    edit 1
        set gateway 172.100.20.5
        set distance 10
        set device port2
        set dst 0.0.0.0 0.0.0.0
    next
end

Configure Admin PC and Dentist PCs

With the router configured, the next step is to configure the computers that need Internet access, since routing must be configured on them. The other computers do not require routing, so they are not included here.

The procedure is the same for each of these computers. Repeat the following procedure for each corresponding PC.

Note: The Windows CLI procedure does not configure the DNS entries; it only adds the static routes.
To configure routing and DNS on Admin and Dentist PCs - Windows GUI
  1. On the PC, select Start > Control Panel > Network Connections.
  2. Right-click the network connection to your local network that has a status of Connected, and select Properties.
  3. Under the General tab, select TCP/IP from the list, and select Properties.
  4. Under Gateway, enter the FortiGate unit address (192.168.10.1).
  5. Enter the primary and secondary DNS server addresses from your ISP (172.11.22.33 and 172.11.22.34).
  6. Select OK.

To configure routing on Admin and Dentist PCs - Windows CLI
  1. On the PC, select Start > Run, enter "cmd", and select OK.
  2. At the command prompt, type:

route ADD 0.0.0.0 MASK 0.0.0.0 192.168.10.1 METRIC 10
route ADD 192.168.10.0 MASK 255.255.255.0 192.168.10.1 METRIC 5

The next hop of the default route is the FortiGate unit's internal address (192.168.10.1), which is on the PC's own subnet; the ISP gateway (172.100.20.5) is reachable only from the FortiGate unit itself.
  3. Confirm these routes have been added. Type:

route PRINT

If you do not see the two routes you added, try adding them again, checking for typing mistakes.
  4. Test that you can communicate with other computers on the local network, and with the Internet. If there are no other computers on the local network, connect to the FortiGate unit.
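As an added check for the Windows CLI step (example code written for this page, not part of the original document), the following Python parses route ADD lines and verifies the two things the procedure depends on: every next hop sits on the PC's own subnet, and a default route exists on PCs that are meant to reach the Internet. The host addresses and the command lines it is run against are constructed for the example.

```python
import ipaddress


def parse_route_add(cmd):
    """Parse a Windows 'route ADD <dest> MASK <mask> <gateway> [METRIC n]' line."""
    t = cmd.split()
    upper = [w.upper() for w in t]
    if len(t) < 6 or upper[:2] != ["ROUTE", "ADD"] or upper[3] != "MASK":
        raise ValueError(f"not a route ADD command: {cmd!r}")
    metric = int(t[upper.index("METRIC") + 1]) if "METRIC" in upper else None
    return {
        "dst": ipaddress.ip_network(f"{t[2]}/{t[4]}", strict=False),
        "gateway": ipaddress.ip_address(t[5]),
        "metric": metric,
    }


def check_routes(host_ip_cidr, commands, need_default=True):
    """Return a list of problems with a PC's static routes; [] means sane.

    host_ip_cidr is the PC's own address and mask, e.g. '192.168.10.11/24'
    (constructed example). A next hop must be on the PC's own subnet or the
    PC cannot ARP for it and the route never forwards anything. need_default
    is False for PCs that intentionally have no Internet access (the exam
    room PCs in this example).
    """
    host = ipaddress.ip_interface(host_ip_cidr)
    problems, have_default = [], False
    for cmd in commands:
        r = parse_route_add(cmd)
        if r["gateway"] not in host.network:
            problems.append(f"{r['dst']}: gateway {r['gateway']} "
                            f"is not on {host.network}")
        if r["dst"].prefixlen == 0:
            have_default = True
    if need_default and not have_default:
        problems.append("no default route (0.0.0.0/0)")
    return problems


if __name__ == "__main__":
    # Constructed: the Admin PC with the routes from the procedure above.
    admin_routes = [
        "route ADD 0.0.0.0 MASK 0.0.0.0 192.168.10.1 METRIC 10",
        "route ADD 192.168.10.0 MASK 255.255.255.0 192.168.10.1 METRIC 5",
    ]
    print(check_routes("192.168.10.11/24", admin_routes))
```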

Configure other PCs on the local network

The PCs on the local network without Internet access (the exam room PCs) can be configured now.

As this step does not require any routing, details have not been included.

Testing network configuration

There are three tests to run on the network to ensure proper connectivity:

  • Test that PCs on the local network can communicate
  • Test that Internet_PCs on the local network can access the Internet
  • Test that non-Internet_PCs cannot access the Internet

Test that PCs on the local network can communicate

  1. Select any two PCs on the local network, such as Exam4 and Dentist3.
  2. On the Exam4 PC, at the command prompt enter ping 192.168.10.23.

The output from this command should appear similar to the following.

Pinging 192.168.10.23 with 32 bytes of data:

Reply from 192.168.10.23: bytes=32 time<1ms TTL=255
Reply from 192.168.10.23: bytes=32 time<1ms TTL=255
Reply from 192.168.10.23: bytes=32 time<1ms TTL=255

  3. At the command prompt enter exit to close the window.
  4. On the Dentist3 PC, at the command prompt enter ping 192.168.10.34.

The output from this command should appear similar to the following.

Pinging 192.168.10.34 with 32 bytes of data:

Reply from 192.168.10.34: bytes=32 time<1ms TTL=255
Reply from 192.168.10.34: bytes=32 time<1ms TTL=255
Reply from 192.168.10.34: bytes=32 time<1ms TTL=255

  5. At the command prompt enter exit to close the window.
  6. Repeat these steps for all PCs on the local network.

If the output does not appear similar to the above, there is a problem with the network configuration between these two PCs.

Test that Internet_PCs on the local network can access the Internet

The easiest way to test Internet access is with a web browser. If that doesn't work, it's best to run a traceroute to see at what point the problem occurs. This can help determine whether it is a networking problem such as cabling, or an access problem such as this PC not having Internet access.

  1. Select any PC on the local network that is supposed to have Internet access, such as Admin.
  2. On the Admin PC, open a web browser and attempt to access a website on the Internet such as http://www.fortinet.com.

If this is successful, this PC has Internet access.

  3. If step 2 was not successful, at the command prompt on the PC enter ping 172.11.22.33 (your ISP's primary DNS server), then tracert 172.11.22.33 to see where along the path replies stop.

The output from the ping command should appear similar to:

Pinging 172.11.22.33 with 32 bytes of data:

Reply from 172.11.22.33: bytes=32 time<1ms TTL=255
Reply from 172.11.22.33: bytes=32 time<1ms TTL=255
Reply from 172.11.22.33: bytes=32 time<1ms TTL=255