Direct IP Support for LTE/4G

This project introduces Direct IP support when using LTE/4G modems.

Direct IP is a public IP address that is assigned to a computing device, which allows the device to directly access the Internet.

When an LTE modem is enabled on a FortiGate, a DHCP interface is created. As a result, the FortiGate can acquire a direct IP configuration (IP address, DNS servers, and gateway) from the carrier's LTE network.

Since some LTE modems require users to input the access point name for the LTE network, the LTE modem configuration allows the Access Point Name (APN) to be set.

The LTE modem can only be enabled by using the CLI.

To enable direct IP support using the CLI:
  1. Enable LTE modem.

    config system lte-modem
        set status enable
    end

  2. Check that LTE interface is created.

    config system interface
        edit "wwan"
            set vdom "root"
            set mode dhcp
            set status down
            set distance 1
            set type physical
            set snmp-index 23
        next
    end

    Shortly after the LTE modem joins the carrier's network, wwan is enabled and granted a direct IP:

    FortiGate-600D # config system interface
    FortiGate-600D (interface) # edit wwan
    FortiGate-600D (wwan) # get
    name : wwan
    ....
    ip : 100.112.75.43 255.255.255.248
    ....
    status : up
    ....
    defaultgw : enable
    DHCP Gateway : 100.112.75.41
    Lease Expires : Thu Feb 21 19:33:27 2019
    dns-server-override : enable
    Acquired DNS1 : 184.151.118.254
    Acquired DNS2 : 70.28.245.227
    ....

    A PC can reach the Internet via the following firewall policy:

    config firewall policy
        ....
        edit 5
            set name "LTE"
            set uuid 61880e9a-36ce-51e9-a4f4-15cc3ffc25f3
            set srcintf "port9"
            set dstintf "wwan"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set fsso disable
            set nat enable
        next
    end

With LTE modem enabled, you can use the GUI to view the LTE interface and check the acquired IP, DNS, and gateway:

You can configure the firewall policy that utilizes this LTE interface:

Limitations:

  • Most LTE modems have a preset APN in the SIM card. As a result, the APN doesn't need to be set in FortiOS configuration. In cases where the Internet cannot be accessed, you can consult with your carrier about APN (for example, inet.bell.ca) and set the APN in LTE modem configuration.

    config system lte-modem
        set status enable
        set apn "inet.bell.ca"
    end

  • Some FortiGate units have built-in LTE modems, such as the FortiGate-30E-3G4G. This type of FortiGate has LTE modem enabled by default. Firewall policy via LTE interface is also created by default. After the user plugs in a SIM card, the user's network devices can reach the Internet.

    FWF-30E-3G4G default configuration:

    config system lte-modem
        set status enable
        set extra-init ''
        set manual-handover disable
        set force-wireless-profile 0
        set authtype none
        set apn ''
        set modem-port 255
        set network-type auto
        set auto-connect disable
        set gpsd-enabled disable
        set data-usage-tracking disable
        set gps-port 255
    end

    config firewall policy
        ....
        edit 3
            set uuid f7c77cc6-36d1-51e9-2899-a7040791330c
            set srcintf "internal"
            set dstintf "wwan"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
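
The following Python audit is an added example, not part of the Fortinet documentation. It parses `config firewall policy` text like the two policies shown on this page and reports accept policies that egress via `wwan` with `srcaddr` "all", `dstaddr` "all" and `service` "ALL" but without `utm-status enable`. The function names, the `WIDE` rule and the sample text are assumptions of this example.

```python
import shlex

# Constructed sample: the two policies shown on this page (uuid, schedule, nat lines omitted).
SAMPLE = '''
config firewall policy
    edit 5
        set name "LTE"
        set srcintf "port9"
        set dstintf "wwan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set utm-status enable
    next
    edit 3
        set srcintf "internal"
        set dstintf "wwan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
'''

WIDE = {"srcaddr": ["all"], "dstaddr": ["all"], "service": ["ALL"], "action": ["accept"]}  # example rule

def parse_policies(text):
    """Return {policy_id: {option: [values]}} from a 'config firewall policy' block."""
    policies, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw) or [""]   # shlex strips the quotes around values such as "all"
        if tokens[0] == "edit" and len(tokens) > 1:
            current = policies.setdefault(tokens[1], {})
        elif tokens[0] in ("next", "end"):
            current = None
        elif tokens[0] == "set" and current is not None and len(tokens) > 2:
            current[tokens[1]] = tokens[2:]
    return policies

def audit_lte_egress(text, lte_intf="wwan"):
    """Return ids of accept policies to lte_intf that are all/all/ALL without utm-status enable."""
    findings = []
    for pid, opts in parse_policies(text).items():
        wide = all(opts.get(k) == v for k, v in WIDE.items())
        if lte_intf in opts.get("dstintf", []) and wide and opts.get("utm-status") != ["enable"]:
            findings.append(pid)
    return findings
```

Run against the page's two policies, only the FWF-30E-3G4G default policy (edit 3) is reported, because it has no `utm-status enable` line.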
