Fortinet Document Library

Cookbook

6.2.0

Direct IP support for LTE/4G

Direct IP is a public IP address that is assigned to a computing device, which allows the device to directly access the internet.

When an LTE modem is enabled in FortiOS, a DHCP interface is created. As a result, the FortiGate can acquire direct IP (which includes IP, DNS, and gateway) from the LTE network carrier.

Since some LTE modems require users to input the access point name (APN) for the LTE network, the LTE modem configuration allows you to set the APN.

Note

LTE modems can only be enabled by using the CLI.

To enable direct IP support using the CLI:
  1. Enable the LTE modem:
    config system lte-modem
      set status enable
    end
  2. Check that the LTE interface was created:
    config system interface
      edit "wwan"
        set vdom "root"
        set mode dhcp
        set status down
        set distance 1
        set type physical
        set snmp-index 23
      next
    end

    Shortly after the LTE modem joins its carrier network, wwan is enabled and granted direct IP:

    # config system interface
    (interface) # edit wwan
    (wwan) # get
    name                : wwan
    ....
    ip                  : 100.112.75.43 255.255.255.248
    ....
    status              : up
    ....
    defaultgw           : enable
    DHCP Gateway        : 100.112.75.41
    Lease Expires       : Thu Feb 21 19:33:27 2019
    dns-server-override : enable
    Acquired DNS1       : 184.151.118.254
    Acquired DNS2       : 70.28.245.227
    ....

    PCs can reach the internet via the following firewall policy:

    config firewall policy
    ....
      edit 5
        set name "LTE"
        set uuid 61880e9a-36ce-51e9-a4f4-15cc3ffc25f3
        set srcintf "port9"
        set dstintf "wwan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
        set nat enable
      next
    end

 

Sample LTE interface

When an LTE modem is enabled, you can view the LTE interface in the GUI and check the acquired IP, DNS, and gateway.

To view the LTE interface in the GUI:
  1. Go to Network > Interfaces.
  2. Double-click the LTE interface to view the properties.
  3. Look in the Address section to view the:
    1. Obtained IP
    2. Acquired DNS
    3. Default Gateway
  4. Click Return.

To configure the firewall policy that uses the LTE interface:
  1. Go to Policy & Objects > IPv4 Policy.
  2. Double-click the LTE policy. The Edit Policy pane opens.
  3. In the Outgoing Interface field, select the interface (wwan in this example).
  4. Configure the rest of the policy as needed.
  5. Click OK.

Limitations

  • Most LTE modems have a preset APN in their SIM card. Therefore, the APN does not need to be set in the FortiOS configuration. In cases where the internet cannot be accessed, consult with your carrier and set the APN in the LTE modem configuration (for example, inet.bell.ca):
    config system lte-modem
      set status enable
      set apn "inet.bell.ca"
    end
  • Some models, such as the FortiGate 30E-3G4G, have built-in LTE modems. In this scenario, the LTE modem is enabled by default. The firewall policy via the LTE interface is also created by default. Once you plug in a SIM card, your network devices can connect to the internet.
    Sample FortiGate 30E-3G4G default configuration:
    config system lte-modem
      set status enable
      set extra-init ''
      set manual-handover disable
      set force-wireless-profile 0
      set authtype none
      set apn ''
      set modem-port 255
      set network-type auto
      set auto-connect disable
      set gpsd-enabled disable
      set data-usage-tracking disable
      set gps-port 255
    end
    
    config firewall policy
    ....
      edit 3
        set uuid f7c77cc6-36d1-51e9-2899-a7040791330c
        set srcintf "internal"
        set dstintf "wwan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
      next
    end
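Both sample policies on this page accept all sources, destinations, and services toward wwan, and the built-in 30E-3G4G default policy (edit 3) has no `set utm-status enable` line, unlike the "LTE" policy (edit 5). The following is an added example, not Fortinet code: a small offline check that parses a `config firewall policy` block and reports those two conditions for policies that egress through the LTE interface. The function names and the choice of what to flag are assumptions made for illustration, and the sample text is constructed from the two policies shown above.

```python
import re

# Constructed sample: the two wwan policies from this page, trimmed to the fields the check reads.
SAMPLE_CONFIG = '''
config firewall policy
  edit 5
    set dstintf "wwan"
    set srcaddr "all"
    set dstaddr "all"
    set action accept
    set service "ALL"
    set utm-status enable
  next
  edit 3
    set dstintf "wwan"
    set srcaddr "all"
    set dstaddr "all"
    set action accept
    set service "ALL"
  next
end
'''

def parse_policies(text):
    """Return {policy_id: {setting: [values]}} for each 'edit N' entry."""
    policies, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"edit (\d+)", line):
            current = policies.setdefault(int(m.group(1)), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.match(r"set (\S+)\s+(.*)", line)):
            # Values may be quoted and multi-valued, e.g. set dstintf "a" "b"
            vals = re.findall(r'"([^"]*)"|(\S+)', m.group(2))
            current[m.group(1)] = [quoted or bare for quoted, bare in vals]
    return policies

def audit_lte_policies(text, lte_intf="wwan"):
    """Flag accept policies egressing via the LTE interface that are wide open."""
    findings = {}
    for pid, p in parse_policies(text).items():
        issues = []
        if all(p.get(k) == ["all"] for k in ("srcaddr", "dstaddr")) and p.get("service") == ["ALL"]:
            issues.append("any/any/ALL")
        if p.get("utm-status") != ["enable"]:
            issues.append("utm-status not enabled")
        if issues and lte_intf in p.get("dstintf", []) and p.get("action") == ["accept"]:
            findings[pid] = issues
    return findings
```

Run `audit_lte_policies()` against the policy section of a configuration backup to list which LTE egress policies need narrower address or service objects, or security profiles.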
