
Fortinet Firewall

Tillered devices are designed to sit on the side of the network, not inline in the active traffic path. This placement lets the administrator decide exactly which traffic is steered through the Tillered nodes. To set up a Tillered Entry Node (TEN) on your local network using Fortinet, follow these steps:

  1. Configure a Physical Fortinet Interface for Tillered Use:
    • Alias it "Tillered"
    • Set the Role to "LAN" so that a DHCP server can be enabled on it

Figure: Tillered Interface

  2. Enable the DHCP Server on the Tillered Interface:
    • Specify the DNS servers you want the Tillered server to use.

Figure: DHCP Server

TIP

It is highly recommended to create DHCP reservations (MAC address to IP address) for the Tillered interfaces. Each Exit/FTN node requires its own unique IP.

  3. Create Firewall Policies:
    • Allow traffic from the Tillered Network to the Internet and to your exit nodes.
    • Create the firewall policies needed to permit traffic from the LAN to the Tillered Network.
  4. Ensure Internet Access for Tillered Nodes:
    • The Tillered nodes require internet access for installation and for ongoing configuration from the Tillered hub.

WARNING

Do NOT use an SSL proxy (SSL inspection). Customer certificates cannot be installed on our systems due to the risk of MITM attacks. We can provide a complete list of IP addresses and domains if needed.

  5. Open Necessary Ports:
    • For inbound traffic from another node, open ports 61000-61999/TCP and 61000-61999/UDP.
    • NAT these ports (a Fortinet Virtual IP) to the node and create the matching firewall policy.
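The FortiOS CLI equivalent of steps 1 to 5 above, as an added example that is not part of the original page or a Tillered-supplied configuration. The interface names (port3 as the Tillered interface, port1 as the LAN, wan1 as the Internet uplink), the 10.200.0.0/24 subnet, the MAC address, the public IP 203.0.113.10 and the object names are placeholders I chose for illustration; substitute your own values.

```fortios
# Added example, not from the original page. All interface names, addresses,
# the MAC address and object names below are assumed placeholders.

# Step 1: physical interface aliased "Tillered" with role LAN
config system interface
    edit "port3"
        set alias "Tillered"
        set role lan
        set mode static
        set ip 10.200.0.1 255.255.255.0
        set allowaccess ping
    next
end

# Step 2: DHCP server on the Tillered interface with explicit DNS servers,
# plus a reservation so each Exit/FTN node always receives the same IP
config system dhcp server
    edit 10
        set interface "port3"
        set default-gateway 10.200.0.1
        set netmask 255.255.255.0
        set dns-service specify
        set dns-server1 10.200.0.1
        set dns-server2 1.1.1.1
        config ip-range
            edit 1
                set start-ip 10.200.0.100
                set end-ip 10.200.0.199
            next
        end
        config reserved-address
            edit 1
                set ip 10.200.0.10
                set mac 00:11:22:33:44:55
            next
        end
    next
end

# Steps 3 and 4: Tillered -> Internet (source NAT) and LAN -> Tillered.
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "Tillered-to-Internet"
        set srcintf "port3"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set name "LAN-to-Tillered"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Step 5: inbound 61000-61999 TCP/UDP from other nodes. A custom service
# restricts the policy to exactly that range, and the VIP performs the DNAT.
config firewall service custom
    edit "Tillered-Node-Ports"
        set tcp-portrange 61000-61999
        set udp-portrange 61000-61999
    next
end
config firewall vip
    edit "Tillered-Node-VIP"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.200.0.10"
    next
end
config firewall policy
    edit 0
        set name "Inbound-to-Tillered-Node"
        set srcintf "wan1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Tillered-Node-VIP"
        set action accept
        set schedule "always"
        set service "Tillered-Node-Ports"
    next
end
```

Two points worth checking after applying this: the inbound policy deliberately uses the custom service rather than "ALL", so the VIP only exposes the 61000-61999 range even though the VIP object itself maps the whole address; and the LAN-to-Tillered policy is shown with "all" for brevity, which you should narrow to the LAN subnets that actually need to reach the node.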

Creating Policy Routes

  1. Navigate to Network\Policy Routes:
    • Go to Network\Policy Routes and create a new policy route as needed for your network configuration.
  2. Example Policy Route for Azure Traffic:
    • Create a policy route that sends Azure-bound traffic out of the Tillered node interface corresponding to your Azure exit node. This routes all traffic destined for Azure through that node.

Figure: Azure Traffic Policy Routes

  3. Example Policy Route for Transparent VPN Acceleration:
    • Create a policy route that sends TCP traffic out of the Tillered node interface connecting to the remote VPN site, enabling transparent acceleration.

Figure: Policy Route Transparent Mode

If you are using transparent mode, you may need to disable the reverse path forwarding (RPF) check. Refer to: Fortinet Technical Tip on RPF
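The two policy routes from steps 2 and 3 above, together with the RPF relaxation mentioned for transparent mode, as an added FortiOS CLI example that is not part of the original page or any Tillered-supplied configuration. The interface names (port1 as the LAN, port4 as the Tillered interface facing the Azure exit node, port5 as the one facing the remote VPN site), the gateway addresses, the 10.0.0.0/24 LAN, the 192.168.50.0/24 remote site and the Azure prefix are placeholders I chose; the Azure ranges in particular must come from Azure's published prefix lists.

```fortios
# Added example, not from the original page. Interface names, addresses and
# the "Azure-Ranges" object are assumed placeholders.

# Address object holding the Azure prefixes you want steered through the
# Azure exit node. 20.0.0.0/8 is a placeholder, not a real Azure allocation.
config firewall address
    edit "Azure-Ranges"
        set subnet 20.0.0.0 255.0.0.0
    next
end

config router policy
    # Step 2: any protocol from the LAN to Azure goes out via the Tillered
    # interface whose node is the Azure exit node (port4, gateway = that node)
    edit 1
        set input-device "port1"
        set srcaddr "all"
        set dstaddr "Azure-Ranges"
        set output-device "port4"
        set gateway 10.201.0.10
    next
    # Step 3: TCP only (protocol 6), LAN to the remote VPN site, via the
    # Tillered interface connected to that site, for transparent acceleration.
    # UDP and ICMP are left to the normal routing table on purpose.
    edit 2
        set input-device "port1"
        set src "10.0.0.0/255.255.255.0"
        set dst "192.168.50.0/255.255.255.0"
        set protocol 6
        set output-device "port5"
        set gateway 10.202.0.10
    next
end

# Transparent mode only: replies may return on an interface other than the one
# the routing table would pick, and the RPF check then drops them. Allowing
# asymmetric routing disables that check for the whole VDOM.
config system settings
    set asymroute enable
end
```

Policy routes are evaluated in sequence order before the routing table, so keep the narrow TCP rule (edit 2) from being shadowed by anything broader placed above it. Note that "asymroute enable" is a VDOM-wide setting that also switches off the firewall's session-state checks for asymmetric flows; apply it only on the VDOM that carries the transparent-mode traffic and confirm the behaviour against the Fortinet technical tip referenced above.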