Admin Guide (Standalone)

Interface configuration guideline

The following are the general guidelines regarding system interface configurations.

Physical interface(s)

FortiExtender (Standalone) LAN interface(s) can be configured in DHCP or static IP addressing mode. When FortiExtender (Standalone) is in NAT mode, you can also configure a DHCP server to distribute IP addresses from the FortiExtender (Standalone) physical Ethernet interface to the devices behind it.

FortiExtender (Standalone) also comes with a WAN physical interface.

LTE interface

The LTE interface only works in DHCP mode and acquires IP addresses directly from wireless NSPs. See Cellular capabilities.

Tunnel interface

Tunnel interfaces are automatically created when IPsec VPN tunnels are created. A tunnel interface is a Layer-3 interface which doesn't have an IP address. All traffic sent to the tunnel interface is encapsulated in a VPN tunnel and received from the other endpoint of the tunnel. It can be used by firewall, routing, and SD-WAN, but cannot be used by VPN.

Virtual-WAN interface

A Virtual-WAN interface is an aggregation of multiple uplinks. It works as a common interface because all traffic to it is load-balanced among multiple links.

It can be used by firewall and routing, but cannot be used by SD-WAN or VPN.

LAN interface configuration example:

# config system interface
(interface) # edit lan
(lan) # set type physical
(lan) # set status up
(lan) # set mode static
(lan) # set ip 192.168.2.1/24
(lan) # set mtu 1400
(lan) # set allowaccess http ping telnet
(lan) # end

WAN interface configuration example:
FX211E5919000009 # config system interface
FX211E5919000009 (interface) # edit wan
FX211E5919000009 (wan) # show
edit wan
    set type physical
    set status up
    set mode dhcp
    set mtu-override enable
    set mtu 1500
    set vrrp-virtual-mac enable
    config vrrp
        set status disable
    end
    set allowaccess
next

FX211E5919000009 (wan) # set allowaccess 
ping      
http      
telnet    
ssh       
https 
snmp    

FX211E5919000009 (wan) #
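
The LAN example above enables http and telnet, both of which carry management credentials unencrypted. The Python below is an added example, not Fortinet code: it parses interface configuration in the "show" layout used on this page and flags cleartext allowaccess services, plus any service other than ping on interfaces treated as untrusted. The function names, the sample text and the policy that "wan" is untrusted are assumptions made for the illustration.

```python
CLEARTEXT = {"http": "https", "telnet": "ssh"}  # cleartext service -> encrypted alternative

def parse_interfaces(text):
    """Map interface name -> {setting: [values]} from 'show'-style config text."""
    # 'set' lines inside nested 'config ... end' blocks (e.g. 'config vrrp') are skipped.
    interfaces, current, depth = {}, None, 0
    for line in text.splitlines():
        words = line.split() or [""]
        if words[0] == "edit" and depth == 0 and len(words) > 1:
            current = interfaces.setdefault(words[1], {})
        elif words[0] == "config" and current is not None:
            depth += 1
        elif words[0] == "end" and depth > 0:
            depth -= 1
        elif words[0] == "next" and depth == 0:
            current = None
        elif words[0] == "set" and current is not None and depth == 0 and len(words) > 1:
            current[words[1]] = words[2:]
    return interfaces

def audit(text, untrusted=("wan",)):
    """Return sorted (interface, service, reason) findings; policy is an assumption."""
    findings = []
    for name, settings in parse_interfaces(text).items():
        for svc in settings.get("allowaccess", []):
            if svc in CLEARTEXT:
                findings.append((name, svc, f"cleartext; prefer {CLEARTEXT[svc]}"))
            elif name in untrusted and svc != "ping":
                findings.append((name, svc, "management service on untrusted interface"))
    return sorted(findings)

# Constructed sample in the page's 'show' layout (not captured from a device).
SAMPLE = """\
config system interface
    edit lan
        set allowaccess http ping telnet
    next
    edit wan
        config vrrp
            set status disable
        end
        set allowaccess ping https
    next
end
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An empty "set allowaccess" line, as in the WAN output above, yields no findings because no service is enabled.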
