fortinet · web viewfgt60c3g13027163 # get router info routing-table all codes: k - kernel, c -...
TRANSCRIPT
FortiGate防火墙 4G上网卡配置版本 1.0
时间 2014年 10月支持的版本 FortiOS v4.2.x, v4.3.x, v5.0.x
作者 TAC
状态 已审核反馈 [email protected]
------------------------------------------------------------------------------------------------------------------------------------------Fortinet公司 www.fortinet.com.cn
1
简介
本例介绍 FortiGate防火墙使用 4G上网卡连接中国移动和中国电信 4G网的配置方法。
一、 连接中国移动 4G网配置FortiOS版本 5.0.94G上网卡型号:Huawei E3276,USB接口
1. 配置方法没在命令行下配置开启Modem前,WEB管理界面网络接口部分不显示Modem接口。
在命令行下配置开启Modem,WEB管理界面网络接口部分显示Modem接口。config system modem set status enableend
------------------------------------------------------------------------------------------------------------------------------------------Fortinet公司 www.fortinet.com.cn
2
配置拨号方式和拨号号码*99***1#
命令行下配置拨号方式和拨号号码*99***1#config system modem set status enable set dial-on-demand enable set phone1 *99***1#end
配置内部接口到Modem接口做 NAT的防火墙策略。
------------------------------------------------------------------------------------------------------------------------------------------Fortinet公司 www.fortinet.com.cn
3
FGT60C3G13027163 # sho firewall policy 2config firewall policy edit 2 set srcintf "internal" set dstintf "modem" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic disable set nat enable nextend
FGT60C3G13027163 #查看拨号成功后的Modem状态。
------------------------------------------------------------------------------------------------------------------------------------------Fortinet公司 www.fortinet.com.cn
4
查看Modem接口获得的 IP地址。
FGT60C3G13027163 # diagnose ip address list IP=192.168.1.99->192.168.1.99/255.255.255.0 index=3 devname=internalIP=10.10.10.1->10.10.10.1/255.255.255.0 index=6 devname=dmzIP=10.195.156.199->10.64.64.64/255.255.255.255 index=12 devname=modemIP=127.0.0.1->127.0.0.1/255.0.0.0 index=13 devname=rootIP=127.0.0.1->127.0.0.1/255.0.0.0 index=15 devname=vsys_haIP=127.0.0.1->127.0.0.1/255.0.0.0 index=17 devname=vsys_fgfm
FGT60C3G13027163 #
查看Modem接口获得的缺省路由。
------------------------------------------------------------------------------------------------------------------------------------------Fortinet公司 www.fortinet.com.cn
5
FGT60C3G13027163 # get router info routing-table allCodes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default
S* 0.0.0.0/0 [1/0] via 10.64.64.64, modemC 10.64.64.64/32 is directly connected, modemC 10.195.156.199/32 is directly connected, modemC 192.168.1.0/24 is directly connected, internal
FGT60C3G13027163 #FGT60C3G13027163 # diagnose sniffer packet any 'host 8.8.8.8' 4interfaces=[any]filters=[host 8.8.8.8]6.476906 internal in 192.168.1.110 -> 8.8.8.8: icmp: echo request6.477217 modem out 10.195.156.199 -> 8.8.8.8: icmp: echo request6.594701 modem in 8.8.8.8 -> 10.195.156.199: icmp: echo reply6.594958 internal out 8.8.8.8 -> 192.168.1.110: icmp: echo reply7.489471 internal in 192.168.1.110 -> 8.8.8.8: icmp: echo request7.489570 modem out 10.195.156.199 -> 8.8.8.8: icmp: echo request7.604699 modem in 8.8.8.8 -> 10.195.156.199: icmp: echo reply7.604875 internal out 8.8.8.8 -> 192.168.1.110: icmp: echo reply8.505198 internal in 192.168.1.110 -> 8.8.8.8: icmp: echo request8.505221 modem out 10.195.156.199 -> 8.8.8.8: icmp: echo request8.624693 modem in 8.8.8.8 -> 10.195.156.199: icmp: echo reply8.624860 internal out 8.8.8.8 -> 192.168.1.110: icmp: echo reply9.520865 internal in 192.168.1.110 -> 8.8.8.8: icmp: echo request------------------------------------------------------------------------------------------------------------------------------------------Fortinet公司 www.fortinet.com.cn
6
9.520972 modem out 10.195.156.199 -> 8.8.8.8: icmp: echo request9.634722 modem in 8.8.8.8 -> 10.195.156.199: icmp: echo reply9.634886 internal out 8.8.8.8 -> 192.168.1.110: icmp: echo reply
16 packets received by filter0 packets dropped by kernel
FGT60C3G13027163 #
2. 调试命令diagnose sys modem detect调试命令检查Modem是否连接正常。
FGT60C3G13027163 # diagnose sys modem detect modem is attached.dialtone is detected.FGT60C3G13027163 #Modem手工拨号命令 exec modem dial 。Modem手工挂断命令 exec modem hangup 。The modem can only be manually controlled in standalone mode.
FGT60C3G13027163 #diagnose debug application modemd -1和 diagnose debug enable调试命令检查Modem拨号过程。diagnose debug application modemd 0(或 diagnose debug reset)停止调试命令。
FGT60C3G13027163 # diagnose debug application modemd -1FGT60C3G13027163 # FGT60C3G13027163 # modemd: run_state_machine state 1(inactive)
FGT60C3G13027163 # FGT60C3G13027163 # modemd: run_state_machine state 1(inactive)modemd: Dial-on-demand detected unrouted traffic - launch modemmodemd: Begin dialing: redials left = 99999modemd: dev=/dev/ttyusb0 tel=*99***1#modemd: modem state changed: 1(inactive) -> 2(dialing)chat: abort on (BUSY)chat: abort on (NO DIAL TONE)chat: abort on (NO DIALTONE)chat: abort on (NO ANSWER)chat: abort on (ERROR)chat: send (atz^M)chat: expect (OK)chat: atz^M^Mchat: OKchat: -- got it------------------------------------------------------------------------------------------------------------------------------------------Fortinet公司 www.fortinet.com.cn
7
chat: send (ath0^M)chat: abort on (NO CARRIER)chat: expect (OK)chat: ^Mchat: ath0^M^Mchat: OKchat: -- got it
chat: send (ats7=90^M)chat: timeout set to 90 secondschat: expect (OK)chat: ^Mchat: ats7=90^M^Mchat: OKchat: -- got it
chat: send (atd*99***1#^M)chat: expect (CONNECT)chat: ^Mchat: atd*99***1#^M^Mchat: CONNECTchat: -- got it
chat: send (^M)modemd: modem_ppp_start:412 primarymodemd: run_state_machine state 2(dialing)lcp_reqci: returning CONFACK.lcp_up: with mtu 1500ipcp: returning Configure-NAKipcp: returning Configure-ACKipcp: up ppp:0x41004000 tun:(nil) ref 0Could not determine remote IP address: defaulting to 10.64.64.64Cannot determine ethernet address for proxy ARPlocal IP address 10.195.156.199remote IP address 10.64.64.64primary DNS address 221.130.33.60secondary DNS address 221.130.33.52modemd: primary PPP link is up.modemd: run_state_machine state 2(dialing)modemd: modem state changed: 2(dialing) -> 3(connected)modemd: run_state_machine state 3(connected)modemd: run_state_machine state 3(connected)
------------------------------------------------------------------------------------------------------------------------------------------Fortinet公司 www.fortinet.com.cn
8
FGT60C3G13027163 # FGT60C3G13027163 # get sys status Version: FortiGate-60C v5.0,build0292,140801 (GA Patch 9)
二、 连接中国电信 4G网配置FortiOS版本 5.0.9。4G上网卡型号:Huawei EC3372-871,USB接口。
1. 配置方法5.0.9版本对 Huawei EC3372 4G上网卡的支持需要定制Modem。
config system 3g-modem custom edit 1 set vendor "Huawei" set model "EC3372" set vendor-id 12d1 set product-id 1f01 set init-string "inquire=1 msg=55534243000000000000000000000011060000000000000000000000000000" next edit 2 set vendor "Huawei" set model "EC3372" set vendor-id 12d1 set product-id 1442 set class-id ff nextend
配置拨号方式和拨号号码*99#
------------------------------------------------------------------------------------------------------------------------------------------Fortinet公司 www.fortinet.com.cn
9
命令行下配置拨号方式和拨号号码*99#config system modem set status enable set dial-on-demand enable set phone1 *99#end
配置内部接口到Modem接口做 NAT的防火墙策略。
------------------------------------------------------------------------------------------------------------------------------------------Fortinet公司 www.fortinet.com.cn
10
FGT60C3G13027163 # sho firewall policy 2config firewall policy edit 2 set srcintf "internal" set dstintf "modem" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic disable set nat enable nextend
FGT60C3G13027163 #查看拨号成功后的Modem状态。
查看Modem接口获得的 IP地址。
------------------------------------------------------------------------------------------------------------------------------------------Fortinet公司 www.fortinet.com.cn
11
FGT60C3G13027163 # diagnose ip address list IP=192.168.1.99->192.168.1.99/255.255.255.0 index=3 devname=internalIP=10.10.10.1->10.10.10.1/255.255.255.0 index=6 devname=dmzIP=10.160.36.100->10.64.64.64/255.255.255.255 index=12 devname=modemIP=127.0.0.1->127.0.0.1/255.0.0.0 index=13 devname=rootIP=127.0.0.1->127.0.0.1/255.0.0.0 index=15 devname=vsys_haIP=127.0.0.1->127.0.0.1/255.0.0.0 index=17 devname=vsys_fgfm
FGT60C3G13027163 #查看Modem接口获得的缺省路由。
FGT60C3G13027163 # get router info routing-table allCodes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default------------------------------------------------------------------------------------------------------------------------------------------Fortinet公司 www.fortinet.com.cn
12
S* 0.0.0.0/0 [1/0] via 10.64.64.64, modemC 10.64.64.64/32 is directly connected, modemC 10.160.36.100/32 is directly connected, modemC 192.168.1.0/24 is directly connected, internal
FGT60C3G13027163 #
2. 调试命令diagnose debug application modemd -1和 diagnose debug enable调试命令检查Modem拨号过程。diagnose debug application modemd 0(或 diagnose debug reset)停止调试命令。
FGT60C3G13027163 # diagnose debug application modemd -1modemd: run_state_machine state 1(inactive)modemd: run_state_machine state 1(inactive)modemd: run_state_machine state 1(inactive)modemd: run_state_machine state 1(inactive)modemd: Dial-on-demand detected unrouted traffic - launch modemmodemd: Begin dialing: redials left = 99999modemd: dev=/dev/ttyusb0 tel=*99#modemd: modem state changed: 1(inactive) -> 2(dialing)chat: abort on (BUSY)chat: abort on (NO DIAL TONE)chat: abort on (NO DIALTONE)chat: abort on (NO ANSWER)chat: abort on (ERROR)chat: send (atz^M)chat: expect (OK)chat: atz^M^Mchat: OKchat: -- got it
chat: send (ath0^M)chat: abort on (NO CARRIER)chat: expect (OK)chat: ^Mchat: ath0^M^Mchat: OKchat: -- got it
chat: send (ats7=90^M)chat: timeout set to 90 seconds------------------------------------------------------------------------------------------------------------------------------------------Fortinet公司 www.fortinet.com.cn
13
chat: expect (OK)chat: ^Mchat: ats7=90^M^Mchat: OKchat: -- got it
chat: send (atdt*99#^M)chat: expect (CONNECT)chat: ^Mchat: atdt*99#^M^Mchat: CONNECTchat: -- got it
chat: send (^M)modemd: modem_ppp_start:412 primarymodemd: run_state_machine state 2(dialing)lcp_reqci: returning CONFACK.lcp_up: with mtu 1400ipcp: returning Configure-NAKipcp: returning Configure-ACKipcp: up ppp:0x41004000 tun:(nil) ref 0Could not determine remote IP address: defaulting to 10.64.64.64Cannot determine ethernet address for proxy ARPlocal IP address 10.160.32.191remote IP address 10.64.64.64primary DNS address 219.141.136.10secondary DNS address 219.141.140.10modemd: primary PPP link is up.modemd: run_state_machine state 2(dialing)modemd: modem state changed: 2(dialing) -> 3(connected)modemd: run_state_machine state 3(connected)modemd: run_state_machine state 3(connected)modemd: run_state_machine state 3(connected)
FGT60C3G13027163 # FGT60C3G13027163 # modemd: run_state_machine state 3(connected)
FGT60C3G13027163 # modemd: run_state_machine state 3(connected)
FGT60C3G13027163 # diagnose ip amodemd: run_state_machine state 3(connected)ddress modemd: run_state_machine state 3(connected)list IP=192.168.1.99->192.168.1.99/255.255.255.0 index=3 devname=internalIP=10.10.10.1->10.10.10.1/255.255.255.0 index=6 devname=dmz------------------------------------------------------------------------------------------------------------------------------------------Fortinet公司 www.fortinet.com.cn
14
IP=10.160.32.191->10.64.64.64/255.255.255.255 index=12 devname=modemIP=127.0.0.1->127.0.0.1/255.0.0.0 index=13 devname=rootIP=127.0.0.1->127.0.0.1/255.0.0.0 index=15 devname=vsys_haIP=127.0.0.1->127.0.0.1/255.0.0.0 index=17 devname=vsys_fgfm
FGT60C3G13027163 # modemd: run_state_machine state 3(connected)
FGT60C3G13027163 # FGT60C3G13027163 # diagnose ip address listmodemd: run_state_machine state 3(connected)diagnose debug enablemodemd: run_state_machine state 3(connected)application modemd 0
FGT60C3G13027163 #FGT60C3G13027163 # diag sni pac any 'host 8.8.8.8' 4interfaces=[any]filters=[host 8.8.8.8]2.642852 internal in 192.168.1.110 -> 8.8.8.8: icmp: echo request2.642982 modem out 10.160.36.100 -> 8.8.8.8: icmp: echo request2.981942 modem in 8.8.8.8 -> 10.160.36.100: icmp: echo reply2.982094 internal out 8.8.8.8 -> 192.168.1.110: icmp: echo reply3.658920 internal in 192.168.1.110 -> 8.8.8.8: icmp: echo request3.659033 modem out 10.160.36.100 -> 8.8.8.8: icmp: echo request3.978404 modem in 8.8.8.8 -> 10.160.36.100: icmp: echo reply3.978558 internal out 8.8.8.8 -> 192.168.1.110: icmp: echo reply4.674670 internal in 192.168.1.110 -> 8.8.8.8: icmp: echo request4.674780 modem out 10.160.36.100 -> 8.8.8.8: icmp: echo request5.018418 modem in 8.8.8.8 -> 10.160.36.100: icmp: echo reply5.018576 internal out 8.8.8.8 -> 192.168.1.110: icmp: echo reply5.690345 internal in 192.168.1.110 -> 8.8.8.8: icmp: echo request5.690440 modem out 10.160.36.100 -> 8.8.8.8: icmp: echo request6.018462 modem in 8.8.8.8 -> 10.160.36.100: icmp: echo reply6.018620 internal out 8.8.8.8 -> 192.168.1.110: icmp: echo reply
16 packets received by filter0 packets dropped by kernel
FGT60C3G13027163 #FGT60C3G13027163 # get sys status Version: FortiGate-60C v5.0,build0292,140801 (GA Patch 9)
------------------------------------------------------------------------------------------------------------------------------------------Fortinet公司 www.fortinet.com.cn
15
------------------------------------------------------------------------------------------------------------------------------------------Fortinet公司 www.fortinet.com.cn
16