The Fortigate and the 3G Modem
Say what you will about it, but I think that the Fortinet Fortigate 60B is a nice piece of gear.
For the purchase price, you get a grunty firewall with 2 WAN Ports, a dedicated DMZ Port, 6 Fast Ethernet Ports and a PCMCIA Slot. You also score two USB Ports, which can be used to power a USB 3G Modem. With the right type of 3G Service, this setup provides you with the perfect temporary office network - a situation where you only need basic services for a few users who require access to the corporate LAN.
I'm going to quickly run through setting up the connection with some common Australian 3G Providers, and how to debug any issues that may arise.
For the purposes of this demo, I'm using:
- Fortinet Fortigate 60B (running FortiOS v4.1 Patch 1)
- Huawei E169G 3G USB Modem
- 3G Services provided by Three
Owing to some inconsistencies in the Administration Guide, this config will be entered using the CLI. Don't be scared - it won't bite!
Firstly, ensure that your modem is firmly plugged into a USB Port on the back of the Fortigate, and that you've power-cycled the unit to detect the modem. You'll need to enable the modem with the following command:
config system modem
set status enable
end
Next, try to detect the custom vendor and product IDs with the following command. Be sure to note them down, as you'll need them later!
FortiGate # diagnose sys modem wireless-id
vendor: 0x12d1, product: 0x1003, registered: yes
Next, we'll configure the modem settings in our FortiGate to activate the modem connection:
config system modem
set status enable
set dial-on-demand enable
set connect-timeout 30
set wireless-custom-vendor-id 0x12d1
set wireless-custom-product-id 0x1003
set modem-dev1 pcmcia-wireless
set phone1 "*99#"
set username1 "3services" # Set this to your provider's APN
set altmode disable
end
Special Note: If you're a Virgin Broadband user, ensure you also configure set authtype1 pap. While every other provider has moved with the times and uses the more secure and robust CHAP Authentication (which is the default option on the FortiGate), Virgin still uses PAP, which needs to be manually configured to ensure a successful connection.
We're almost there! The last thing to do is to turn on debugging (to watch the progress of the dial), and to actually execute the dial:
diagnose debug enable
diagnose debug application ppp 255
diagnose debug app modemd 255
execute modem dial
With a little luck, and a little hope, you'll see the logs go rushing by, and the modem will establish a connection to your provider. You should now conduct tests to verify your connectivity (after establishing the appropriate firewall rules), or (if unsuccessful) review the ppp and modemd logs to see if you can determine what fouled up. Common causes are the modem not being detected, the wrong APN being provided to the FortiGate, or (funnily enough) the SIM Card not being activated for the APN you're dialling!
Once you're done, don't forget to turn off your logging:
diagnose debug application modemd 0
diagnose debug application ppp 0
diagnose debug disable
And that's it!
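An offline check for the configuration built in the steps above, added here as an example and not part of the original post: it compares the IDs in a pasted modem block against the wireless-id diagnose output and flags repeated set lines, typographic quotes picked up from web pages, and PAP authentication. The function names and the sample input are constructed for illustration.

```python
import re

# Constructed sample input: diagnose output plus a modem block as it might be pasted.
DIAG = "vendor: 0x12d1, product: 0x1003, registered: yes"
CONFIG = '''config system modem
set status enable
set status enable
set wireless-custom-vendor-id 0x12d1
set wireless-custom-product-id 0x1446
set phone1 \u201c*99#\u201d
set username1 "3services"
set authtype1 pap
end'''

def parse_wireless_id(line):
    """Return (vendor, product) as ints from the wireless-id diagnose output."""
    m = re.search(r"vendor:\s*(0x[0-9a-fA-F]+),\s*product:\s*(0x[0-9a-fA-F]+)", line)
    if not m:
        raise ValueError("no vendor/product IDs in diagnose output")
    return int(m.group(1), 16), int(m.group(2), 16)

def lint_modem_config(config, diag_line):
    """Return a list of findings for a pasted 'config system modem' block."""
    detected = dict(zip(("wireless-custom-vendor-id", "wireless-custom-product-id"),
                        parse_wireless_id(diag_line)))
    findings, seen = [], {}
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if re.search("[\u201c\u201d\u2033]", line):
            findings.append(f"line {n}: typographic quotes, retype as plain ASCII quotes")
        m = re.match(r"set\s+(\S+)\s+(.*)", line)
        if not m:
            continue
        # Drop a trailing ' # comment' but keep a '#' inside a value such as "*99#".
        key, value = m.group(1), re.sub(r"\s+#.*$", "", m.group(2))
        if key in seen:
            findings.append(f"line {n}: '{key}' already set on line {seen[key][0]}")
        seen[key] = (n, value)
    for key, want in detected.items():
        if key in seen and int(seen[key][1], 16) != want:
            findings.append(f"line {seen[key][0]}: {key} {seen[key][1]} != detected {want:#06x}")
    if seen.get("authtype1", (0, ""))[1] == "pap":
        findings.append(f"line {seen['authtype1'][0]}: PAP sends the password in cleartext; "
                        "keep it only where the provider requires it")
    return findings

if __name__ == "__main__":
    for finding in lint_modem_config(CONFIG, DIAG):
        print(finding)
```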
February 14th, 2010 - 17:14
thanks very very much
August 17th, 2011 - 07:41
Thanks. I got Huawei E367 working based on your instructions + a bit of fiddling.
I ended up with this config:
config system modem
set status enable
set auto-dial enable
set connect-timeout 30
set phone1 "*99#"
set username1 "internet"
set extra-init1 "AT&FE0V1X1&D2&C1S0=0"
set altmode disable
end
config system 3g-modem custom
edit 2
set vendor "Huawei"
set model "E367b"
set vendor-id 12d1
set product-id 1506
next
edit 3
set vendor "Huawei"
set model "E367a"
set vendor-id 12d1
set product-id 1446
set init-string "55534243123456780000000000000011062000000100000000000000000000"
next
end
The extra init string doesn’t seem to be necessary though. I just added it because I noticed the Mobile Partner application send it to the modem in Windows when I tried to connect it to my laptop.
One set-back is that the upload performance through Fortigate is much worse than directly on laptop. I’m getting 600kbps through Fortigate and 2-3Mbps direct on laptop.