State of the Union: FortiGate Firewall Journey

Hey everyone,

Here’s a quick update on my firewall adventure. I’ve successfully transitioned from my old OPNSense virtual machine firewall to a shiny new FortiGate appliance. This switch was part experimentation and part necessity, and it’s been a fantastic learning experience since I hadn’t worked with FortiGate before.

The transition went mostly smoothly. I got most of my rules set up, but I did overlook a couple of critical ones—like allowing traffic from Production to Storage and even to this very blog. Luckily, most of the groundwork was already laid out.

However, I’ve hit a bit of a snag. My smart home devices, particularly my Google Homes, are having trouble connecting to the internet. They’re getting IP addresses from my DHCP server, and the FortiGate firewall is recognizing their MAC addresses and serial numbers. Despite this, they keep saying they can’t reach the internet. On my old OPNSense setup, I needed to allow UDP traffic for these devices, but I’m not seeing any UDP issues on the FortiGate. I’ve also made sure that the firewall can ping the gateway.

To troubleshoot, I created an “Allow All” rule for the IoT subnet and placed it at the top of my rule set. A policy lookup confirmed that the policy was being applied correctly. Despite this, the issue persisted, leading me to dig deeper.

After turning on logging for every rule, I discovered the problem: my NAT Translation for the IoT network was showing “noop,” which meant I had forgotten to configure NAT translation for the additional subnets. I had only set it up for the Production subnet. As a result, while the firewall was accepting valid traffic, it had no way to route it externally, causing packet drops. Some devices with dual NICs managed to failover or didn’t require external access, masking the issue.

Once I added the appropriate SNAT rules for my additional subnets, everything started working correctly. Now, with an explicit “Deny All” rule in place, I can methodically test and open up the network in a controlled manner.
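The “noop” clue is sitting right in the traffic logs, and it can be spotted without clicking through every entry. The script below is an added example, not something from this post or from Fortinet: it parses FortiOS-style key=value traffic log lines and reports accepted flows that left a WAN interface from a private source without source NAT, then tallies them per source interface so you can see which subnets are missing an SNAT rule. The log lines are constructed samples, and the script assumes the usual FortiOS traffic-log field names (srcip, srcintf, dstintf, action, policyid, trandisp) and a WAN interface named wan1.

```python
"""Audit FortiGate-style traffic logs for accepted outbound flows that
were never source-NATed (trandisp=noop), the failure mode described above."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in FortiOS key=value log format (not real captures).
# Interface and address values are placeholders for a home-lab layout.
SAMPLE_LOGS = [
    # IoT device to the internet, accepted by the allow-all policy but not translated
    'date=2024-05-01 time=10:00:01 type="traffic" subtype="forward" srcip=10.10.30.21 srcport=49152 '
    'srcintf="IoT" dstip=8.8.8.8 dstport=443 dstintf="wan1" action="accept" policyid=7 trandisp="noop" '
    'sentbyte=1200 rcvdbyte=0',
    # Production to the internet, correctly SNATed to the WAN address
    'date=2024-05-01 time=10:00:02 type="traffic" subtype="forward" srcip=10.10.10.5 srcport=51000 '
    'srcintf="Production" dstip=1.1.1.1 dstport=443 dstintf="wan1" action="accept" policyid=3 trandisp="snat" '
    'transip=203.0.113.10 transport=51000 sentbyte=2400 rcvdbyte=8000',
    # IoT to Storage: internal routing, noop is expected here
    'date=2024-05-01 time=10:00:03 type="traffic" subtype="forward" srcip=10.10.30.21 srcport=49153 '
    'srcintf="IoT" dstip=10.10.20.4 dstport=445 dstintf="Storage" action="accept" policyid=9 trandisp="noop" '
    'sentbyte=300 rcvdbyte=300',
    # Denied by the implicit deny policy (policyid=0); not a NAT problem
    'date=2024-05-01 time=10:00:04 type="traffic" subtype="forward" srcip=10.10.30.22 srcport=49154 '
    'srcintf="IoT" dstip=8.8.4.4 dstport=53 dstintf="wan1" action="deny" policyid=0 trandisp="noop" '
    'sentbyte=60 rcvdbyte=0',
]

# key=value pairs; values are either double-quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return a dict of field -> value with surrounding quotes stripped."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def find_untranslated_egress(lines, wan_interfaces=("wan1",)):
    """Return (srcip, dstip, policyid) for accepted flows that exited a WAN
    interface from a private source address without source NAT."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        if fields.get("action") != "accept":
            continue  # denied traffic is a policy question, not a NAT one
        if fields.get("dstintf") not in wan_interfaces:
            continue  # internal east-west traffic legitimately shows noop
        src = ipaddress.ip_address(fields["srcip"])
        if src.is_private and fields.get("trandisp") == "noop":
            findings.append((fields["srcip"], fields["dstip"], int(fields["policyid"])))
    return findings


def missing_snat_by_interface(lines, wan_interfaces=("wan1",)):
    """Count untranslated egress flows per source interface, which points at
    the subnets that still need an SNAT rule."""
    counts = Counter()
    flagged = {(s, d, p) for s, d, p in find_untranslated_egress(lines, wan_interfaces)}
    for line in lines:
        fields = parse_line(line)
        key = (fields.get("srcip"), fields.get("dstip"), int(fields.get("policyid", -1)))
        if key in flagged:
            counts[fields["srcintf"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for srcip, dstip, policyid in find_untranslated_egress(SAMPLE_LOGS):
        print(f"no SNAT: {srcip} -> {dstip} via policy {policyid}")
    print("per source interface:", missing_snat_by_interface(SAMPLE_LOGS))
```

On a real box you would feed it the exported traffic log instead of SAMPLE_LOGS; the interesting part is that it ignores the two cases that look alarming but are fine (denied flows, and internal flows that are never supposed to be translated) and only reports the combination that actually breaks internet access: accepted, leaving the WAN side, private source, no translation.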

Sometimes, you just need a break from troubleshooting! But with this fix in place, I’m back on track and ready to keep refining my setup.

Stay tuned for more updates as I continue to navigate the world of FortiGate!
