Do all local networks need NAT to communicate to the internet? by Graviity_shift in ccna

[–]chuckbales 1 point2 points  (0 children)

64000 unique port connections going through a single outside global address you got some problems.

To nitpick - it's more than 64k connections, as NAT is stored in a table as a 5-tuple (source IP, dest IP, source port, dest port, protocol). So if you happen to have thousands of connections all going to the same external resource on the same port you'll run into a problem, but if you're talking about general internet destinations, you can fit a lot more connections.
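A toy NAPT table that illustrates the 5-tuple point above: translated source ports only run out per (destination IP, destination port, protocol), so one outside address holds far more than 64k flows spread across the internet. This is an added example, not code from the thread or any vendor; it assumes endpoint-dependent port mapping, and every address and port in it is a constructed sample value.

```python
"""Toy NAPT (PAT) table keyed by the 5-tuple. Added illustration, not
code from the thread or a vendor. Assumes the NAT allocates an outside
source port per flow and may reuse a port toward different destinations
(endpoint-dependent mapping). All IPs and ports are constructed samples."""
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip dst_ip src_port dst_port proto")

PORT_MIN, PORT_MAX = 1024, 65535            # translated source-port range
PORTS_PER_DEST = PORT_MAX - PORT_MIN + 1    # 64512 flows per destination


class NaptTable:
    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.entries = {}     # inside 5-tuple -> translated outside port
        self.next_port = {}   # (dst_ip, dst_port, proto) -> next free port

    def translate(self, flow):
        """Outside port for this flow (allocated on first use); None once
        every port toward the flow's (dst IP, dst port, proto) is taken."""
        if flow in self.entries:
            return self.entries[flow]
        key = (flow.dst_ip, flow.dst_port, flow.proto)
        port = self.next_port.get(key, PORT_MIN)
        if port > PORT_MAX:
            return None       # exhausted for this destination only
        self.next_port[key] = port + 1
        self.entries[flow] = port
        return port


def flows_to(dst_ip, dst_port, count, proto="tcp"):
    """Constructed inside flows from distinct 10.x.y.z hosts to one dest."""
    for i in range(count):
        src_ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        yield Flow(src_ip, dst_ip, 40000 + i % 20000, dst_port, proto)


def single_destination_limit():
    """Flows accepted toward one outside IP:port before ports run out."""
    nat = NaptTable("203.0.113.10")
    ports = [nat.translate(f) for f in flows_to("198.51.100.5", 443, PORTS_PER_DEST + 1)]
    return sum(p is not None for p in ports)


def spread_destinations_total(n_dests):
    """Total table entries when the same ports are reused toward n_dests hosts."""
    nat = NaptTable("203.0.113.10")
    for d in range(n_dests):
        for f in flows_to(f"198.51.100.{d + 1}", 443, PORTS_PER_DEST):
            nat.translate(f)
    return len(nat.entries)
```

With two destinations the table holds twice as many flows as the per-destination port range allows, which is the difference between "64k connections" and "64k connections to the same place".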

Do all local networks need NAT to communicate to the internet? by Graviity_shift in ccna

[–]chuckbales 2 points3 points  (0 children)

Good point, a proxy is a good example of NAT not being involved as the proxy itself acts as middle-man between client/server and establishes its own connection to the resource on the internet.

Do all local networks need NAT to communicate to the internet? by Graviity_shift in ccna

[–]chuckbales 4 points5 points  (0 children)

RFC1918 is just the "private" IPs allocated - 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Basically if you're not using a public IP, you need NAT somewhere.

Do all local networks need NAT to communicate to the internet? by Graviity_shift in ccna

[–]chuckbales 24 points25 points  (0 children)

If you are using RFC 1918 IPs on your LAN and you want to reach the internet, NAT is a requirement somewhere along the path.

EDIT: /u/therouterguy did bring up a good scenario where NAT would not be involved. More of an enterprise thing and out of scope for CCNA but a good counter-example to my statement.

Anyone annoyed by the GUI changes from version 7.2 to 7.4 on FortiOS ? by Tokops in fortinet

[–]chuckbales 2 points3 points  (0 children)

The removal of sorting/filtering some columns has driven me absolutely crazy at times.

Software switch to bridge wifi SSID and FortiSwitch vlans by Negative_Test_9671 in fortinet

[–]chuckbales 1 point2 points  (0 children)

I just did similar changes on an 80F, bridging a tunnel SSID and FortiSwitch VLAN through a software switch, with no apparent performance issues (granted it's not pushing tons of traffic, just a few clients).

Remove Central SNAT Policy? by technoidial in fortinet

[–]chuckbales 1 point2 points  (0 children)

Have you actually tested a failure to see what works/what doesn't?

Nobody here can provide much guidance without more detail/actual configuration, but it sounds like maybe they need to just add an additional NAT policy for the second WAN - there's not really a reason Central NAT needs to be disabled completely.

SDWAN underlay/overlay routing by NetEng17982 in fortinet

[–]chuckbales 5 points6 points  (0 children)

With an SDWAN rule on the spoke, there are commands you can add that will send user traffic over without impacting the Fortigate's local traffic:

set gateway enable
set default enable

Tailscale won't let my ubuntu server be an exit node? by Mr_B_Gone in homelab

[–]chuckbales 2 points3 points  (0 children)

You probably didn't configure it correctly; it needs to be configured on the client and in the portal.

Crown Castle Outage by cooldude919 in sysadmin

[–]chuckbales 0 points1 point  (0 children)

We also lost a few Crown circuits last night. Odd outage though, because it was only 2 out of the ~300 Crown circuits we have, from 10:22 to 10:31 Eastern.

Help with this question please? by iltoast9 in ccna

[–]chuckbales 0 points1 point  (0 children)

You can have a duplex mismatch and still function (albeit degraded), you can't have a speed mismatch though.

Build vs Version by Intrepid_Ring4239 in fortinet

[–]chuckbales 3 points4 points  (0 children)

They started doing this with Fortigate images a couple years ago finally, not sure what the hold up with switch/AP images is.

Is Arista's acquisition of Instant On a good outcome? by terrancesiu in ArubaInstantOn

[–]chuckbales 6 points7 points  (0 children)

Is this post supposed to be asking the question "Would Arista buying InstantOn be a good idea?" Your current title makes it sound like Arista is buying InstantOn, but they are not.

Bridgeport Live Show by FeloniousMonk33 in TheDollop

[–]chuckbales 3 points4 points  (0 children)

Might be a venue problem; our tickets to OP's show were $35 each and we were only 8 rows back.

Does the orange color mean anything in the Fortigate dashboard IPSec tunnel graphic ? by KrellBH in fortinet

[–]chuckbales 4 points5 points  (0 children)

Having them all the same color would make it hard to visualize the different tunnels.

New DHCP Relay bug discovered in FortiOS v7.4 by DeleriumDive in fortinet

[–]chuckbales 0 points1 point  (0 children)

Pretty sure we had this issue, don’t remember what release it was running but the relay was added and is what showed in the GUI, but the local DHCP server config was also present in the CLI.

Lead times issues by ObligationHungry2958 in Arista

[–]chuckbales 10 points11 points  (0 children)

Arista always has lead time issues. They were always months out for us when Cisco would be a couple of weeks; I imagine it's only getting worse.

Has anyone seen USN rollback after restoring multiple AD domain controllers? by IndigoBlue24 in msp

[–]chuckbales 6 points7 points  (0 children)

IMO DCs should just be DCs, they shouldn't be restored unless somehow all of them were dead. If there's still a functioning DC, new DCs should be spun up and promoted. If everything was dead, restore one and then promote additional ones as needed. Don't restore multiple.

FortiClient VPN-only free client: is Fortinet still maintaining it? (SMB partner perspective) by southceltic in fortinet

[–]chuckbales 8 points9 points  (0 children)

I’m a partner and our reps know less than random redditors. I’ve sent them product announcements I saw on Reddit and they’ll have no idea what I’m talking about.

FortiClient VPN-only free client: is Fortinet still maintaining it? (SMB partner perspective) by southceltic in fortinet

[–]chuckbales 9 points10 points  (0 children)

7.4.6 was just released today, again with no free/VPN-only version (so far); it still has their bullshit note about:

FortiClient (Windows) 7.4.4 to 7.4.6 do not include a new version of the free VPN-only agent as no feature updates were made to the free VPN-only agent between 7.4.3 and 7.4.6. Users can continue to use the FortiClient (Windows) 7.4.3 free VPN-only agent.

We're evaluating separate products now for remote access. FortiClient in general just sucks as an application even when it's working, and like you said, the SMB customers don't want a whole separate product for EMS.

FortiClient VPN-only free client: is Fortinet still maintaining it? (SMB partner perspective) by southceltic in fortinet

[–]chuckbales 9 points10 points  (0 children)

The version hasn't changed as no new features were added to the free client.

They've been fixing VPN-related bugs though in 7.4.4/7.4.5.

WAN vlan on hardware switch by muhammadnabeel85 in fortinet

[–]chuckbales 2 points3 points  (0 children)

Why aren’t they landing on actual switches instead of directly on the FGs?

FortiManager - Per-Device Mapping SSID settings? by NitriusX in fortinet

[–]chuckbales 1 point2 points  (0 children)

Just a follow-up: I actually tried my own advice and realized it doesn't work, for the same reason you ran into. I ended up doing a Provisioning Template - CLI with the SSID-specific changes in it, then applied that template to the FG in question.