I ran into some very strange behaviour on a BT Business Fiber connection with PPPoE and static IPs assigned by the ISP on a Fortigate firewall.

A site-to-site IPsec VPN was required, but the tunnel kept terminating: BT assign a dynamic address to the PPPoE session, and the static IPs are typically brought in through Virtual IPs on the Fortigate unit, whereas IPsec needs the router's own WAN address, and that address needs to be static.

Setting the unnumbered IP on the Fortigate to one of the static IP addresses assigned by the ISP should have presented the firewall to the outside world on that address, but it did not.

I stumbled upon a CLI parameter, described in the article linked below as a remedy for non-standard PPPoE implementations in Japan, and gave it a go:

set pppoe-unnumbered-negotiate disable

Saving this resets the WAN connection; afterwards, instead of the dynamically assigned IP, you should be able to reach the firewall remotely on the ISP static IP you just set as the unnumbered address.
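For reference, here is the complete interface configuration the steps above add up to, written as an added example rather than taken from the original post. The interface name wan1, the PPPoE credentials and the address 203.0.113.10 are placeholders; `set mode pppoe` and `set ipunnumbered` are assumed to be the standard FortiOS interface settings for a PPPoE WAN with an unnumbered address, while `set pppoe-unnumbered-negotiate disable` is the parameter from the post.

```fortios
# Added example, not the original post's configuration.
# wan1, the credentials and 203.0.113.10 are placeholders; the address stands
# in for one of the static IPs the ISP assigned to the connection.
config system interface
    edit "wan1"
        set mode pppoe
        set username "PLACEHOLDER_PPPOE_USER"
        set password "PLACEHOLDER_PPPOE_PASSWORD"
        # Present the firewall on the ISP static IP instead of the dynamic PPPoE address
        set ipunnumbered 203.0.113.10
        # The fix from the post: stop negotiating the unnumbered address with the
        # PPPoE server. Saving this drops and re-establishes the PPPoE session.
        set pppoe-unnumbered-negotiate disable
    next
end
```

Once the PPPoE session is back up, two checks (assumed to be the usual FortiOS diagnostics, not commands from the post) confirm the change took: `get system interface physical` should list the static IP on wan1, and `diagnose vpn ike gateway list` should show that same address as the local gateway for the site-to-site phase 1, which is what the remote peer's configured remote gateway has to match for the tunnel to stay up.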
