How to configure Wake On Lan with Fortigate

It can be useful to be able to remotely power on one of your computers.

In this procedure, we will see how to configure Wake On Lan, which allows you to send a “magic packet” to the powered-off machine to start it through the WAN.

First, it is important to understand that we will be working at layer two of the OSI model. Since the machine is off, it has no active IP address and can only be reached by its MAC address.

Start by opening your motherboard's BIOS setup and enabling the WOL option.

This option is generally found in the power settings.

On mine, this option was under the name “Power On By PCI-E”.

On other boards, you might directly find the name Wake On Lan.

You will also need to disable fast startup so that the machine shuts down completely and can receive the magic packet.

If your computer is running Windows, you will need to make a modification to your network card.

Navigate to the device manager (as a reminder, right-click on the start menu) and then go to the properties of your network card to check the options under the “Power Management” tab.

Properties of a network card under Windows

On some cards, there’s also a Wake On Lan option to activate under the “Advanced” tab.

Open a command prompt on the Windows computer and run ipconfig /all to retrieve the MAC address of your network card.

ipconfig /all

Windows IP Configuration

Ethernet card :

   Connection-specific DNS Suffix. . . :
   Description. . . . . . . . . . . . . . : Intel(R) Ethernet Connection
   Physical Address . . . . . . . . . . . : AA-AA-AA-AA-AA-AA
   DHCP enabled. . . . . . . . . . . . . . : Yes
   Autoconfiguration Enabled. . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . . . .: 10.10.2.1(preferred)

For this example, my MAC address will be AA-AA-AA-AA-AA-AA and the IP of the machine is 10.10.2.1

Log in to the Fortigate administration interface and create a new virtual IP under “Policy & Objects”.

The interface is the Wan.

The external IP address is the address of your Wan leg.

The mapped address is that of your machine that will receive the WOL packet.

We also activate port forwarding in UDP on port 9.

Editing a virtual IP on a Fortinet

We will create the WOL service to properly configure the IPV4 rule.

Creating the Wake On Lan service on Fortinet

Then we create the rule.

Choose your Wan interface for input and Lan for output.

We allow all sources, but for the destination, input the virtual IP that you created earlier.

Add the freshly created WOL service.

Be careful: NAT must not be enabled on this rule!

Creation of the IPV4 filtering rule on Fortinet

Even if your machine has a static IP on the Fortigate's DHCP, you still need to declare its MAC address in the ARP table. A powered-off machine cannot answer ARP requests, so without a static entry the Fortigate has no MAC address to deliver the packet to.

Open the Fortigate CLI and enter the command “get system arp” to find the name of the LAN interface to which the PC is connected.

Then use “config system arp-table” with the interface, IP and MAC parameters to declare the MAC address in the ARP table.

get system arp 
Address           Age(min)   Hardware Addr      Interface
10.10.2.1            10     AA:AA:AA:AA:AA:AA    lan


config system arp-table
    edit 1
        set interface "lan"
        set ip 10.10.2.1
        set mac AA:AA:AA:AA:AA:AA
end

From this moment on, your infrastructure is correctly set up for Wake On Lan.

There are many mobile apps available to send the packet.

Personally, I use WolOn.
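
To test the setup without an app, the magic packet can also be built by hand: it is 6 bytes of 0xFF followed by the target MAC address repeated 16 times, sent here to UDP port 9 on the WAN address of the virtual IP. The Python script below is an added example, not part of the original procedure; the function names are hypothetical and 203.0.113.10 is a placeholder for your own WAN address. The parser is useful for checking a packet capture to see which machine a given packet would wake.

```python
import re
import socket

WOL_PORT = 9  # UDP port forwarded by the virtual IP in this procedure


def mac_to_bytes(mac: str) -> bytes:
    """Accept AA-AA-.. (ipconfig) or AA:AA:.. (FortiOS) notation."""
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """6 bytes of 0xFF, then the target MAC repeated 16 times (102 bytes)."""
    return b"\xff" * 6 + mac_to_bytes(mac) * 16


def parse_magic_packet(payload: bytes):
    """Return the target MAC found in a UDP payload, or None if absent."""
    sync = b"\xff" * 6
    start = payload.find(sync)
    while start != -1:
        body = payload[start + 6:start + 102]
        # A valid body is exactly 16 identical copies of one 6-byte MAC.
        if len(body) == 96 and body == body[:6] * 16:
            return ":".join(f"{b:02X}" for b in body[:6])
        start = payload.find(sync, start + 1)
    return None


def send_wol(mac: str, wan_address: str, port: int = WOL_PORT) -> int:
    """Send the packet to the Fortigate's WAN address; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(build_magic_packet(mac), (wan_address, port))


if __name__ == "__main__":
    # Placeholder values: the example MAC from this page and a documentation IP.
    print(send_wol("AA-AA-AA-AA-AA-AA", "203.0.113.10"))
```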
