Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mcdaniels
New Contributor

SOLVED: Main IP / additional subnet / only one port

Hi Forti-Gurus ;)

I have got a Forti VM. The WAN port of the Forti (IP 62.1.2.3) is connected to a cable modem (= GW: 62.1.1.1).

There are a handful of policies which define how to handle outgoing and incoming traffic (VIP, PAT, NAT).

Now we got an additional subnet from our provider, which is used via the same cable modem. These IPs are not in the 62.1.1.1 subnet. Let's say an IP from the additional subnet is 195.3.3.3.

We would like to configure a VIP / PAT which says: if there is a request via WAN to the IP 195.3.3.3, use VIP / PAT to connect to a server in the DMZ (for example: 10.0.0.3).

The problem: we can do this with the 62.1.2.3 IP, but the IPs from the subnet cannot be used. (No answer, even when setting up policies with VIP / PAT.)

How can I make the FortiGate react to the IPs from the additional subnet? There is only one WAN port, only one connection to the cable modem.

Thanks a lot!

rwpatterson
Valued Contributor III

Try adding a second IP to the WAN port on that second subnet. That is a shot in the dark. There should be a route at your provider's router back to your router with a good IP address or subnet.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

mcdaniels

Hello,

Thanks for the answer.

If I give the WAN port one of the subnet IPs as a secondary IP and tick "Ping", I cannot ping this IP.

I assume that it should reply to the ping if it would work that way.

tanr
Valued Contributor II

Just to clarify, the cable modem only provides you a single port? Or is it that you only have a single port available from the Forti VM?

If the cable modem only provides a single port, how is the ISP separating out the subnets for it? Are they using VLANs? If they're using tagged VLANs (at least a tagged VLAN for the new IP) then you can just create matching VLANs on your WAN interface.

rwpatterson
Valued Contributor III

Something I just thought of: Perhaps you need to add the second default gateway now that you have a second IP subnet on the WAN? Keep the same distance and priority as the first. Otherwise asymmetric routing will fail unless otherwise programmed.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

mcdaniels

Hi there!

@tanr: I called the ISP multiple times: the cable modem has only one port. One of the techs told me that the modem is in bridged mode, another one told me that I have to configure the additional IPs at the devices behind the modem, which is what I would like to do (the device behind the modem is my FortiGate), and that the ISP routes all subnet IPs to the IP 62.1.2.3.

There are no VLANs, if they told me the right story.

@rwpatterson: I did not receive a second default GW for the subnet.

To me this all is very strange.

My thoughts are:

If I have a second subnet which is routed to the 62.1.2.3, shouldn't it be possible to tell the FortiGate to use a VIP saying: IP from subnet:80 -> translate -> 10.0.0.1:80?

I also thought, if I use the subnet IP as a second IP on the WAN interface, I should be able to ping it.

For me it would sound logical if the cable modem had an additional port for the subnet. Then I would connect this port to an additional port of the Forti (let's say WLAN2) and have some fun with it...

But that way it is weird.

mcdaniels

Some update:

I had FortiOS 5.6.0 running, which sometimes did strange things. So I updated to the 5.6.2 version. After that, I created a VIP, saying: IP from subnet:80 -> LAN: server:80.

Followed by a policy: Incoming WAN, Outgoing LAN, Services All, Source ALL, Destination: VIP (no NAT).

Now I can reach the internal server via the IP from the subnet. (Seems like there was some bug in the OS.)

Which leads me to the next problem. Incoming is OK, but outgoing is routed via our second ISP now (haven't mentioned that yet, because I thought it isn't relevant). After thinking about it, it is logical to me: the server which I am connecting to via the VIP uses another internet connection for outbound connections.

I can force this outbound connection to use the correct ISP via policy routing, but then it uses the main IP of this internet connection and not the IP of the subnet.

So in fact this would be a problem if the internal server is a mail server (official IP <-> FQDN != outgoing IP).

Can I tell the connection to use the IP from the subnet, even for outgoing connections?

Thanks!

dmcquade
New Contributor III

The ISP is probably routing the additional subnet to the cable modem. If you can manage the cable modem, you can set a static route for the new subnet pointing to the firewall's WAN address. You may also be able to request your provider to route the subnet to the firewall's address.

HTH

d

mcdaniels

Hi,

Yes, the provider routes the subnet to the "main IP". This IP is set up on the FortiGate's WAN1.

If I set up a VIP which does DNAT (subnet IP -> LAN), it works.

But the server on the LAN uses the default route (which points to another ISP, and is connected to WAN2).

My question is: how can I do SNAT, so that the server appears with the subnet IP when connecting to the internet?

Do I have to use IP pools in connection with an outgoing policy?

mcdaniels

OK, I came to the following solution now.

1.) Set up VIP (direction WAN1 -> LAN means: Subnet-IP:80 -> LAN-Server:80)

2.) Set up policy for this VIP (WAN1 -> LAN)

3.) As there are 2 ISPs connected to the firewall and I would like the LAN server to use the subnet IP (WAN1 port) when connecting to the internet, I set up a policy route which says: Connection from LAN -> Address of Server -> Use WAN1 port + GW. (Now the server appears with the main IP to the internet, not the subnet IP.)

4.) To make the server appear with the subnet IP to the internet, I set up an IP pool (with the subnet IP).

5.) Finally I created a policy: direction LAN: IP of Server -> WAN -> NAT -> choose the IP pool -> Activate NAT.

Seems to work.
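The five steps of the solution above, written out as FortiOS CLI configuration. This is an added example, not configuration posted by mcdaniels or published by Fortinet. It assumes the LAN interface is named "internal", the LAN server is 10.0.0.3 (the DMZ host from the first post), the subnet IP is 195.3.3.3, the WAN1 next hop is 62.1.1.1, and the object names ("vip-web-195.3.3.3", "srv-10.0.0.3", "pool-195.3.3.3") are made up for the example. The inbound policy is restricted to HTTP rather than the thread's "Services All", because the VIP only forwards port 80 in any case.

```fortios
# Step 1: VIP (DNAT) - requests to 195.3.3.3:80 arriving on wan1 go to 10.0.0.3:80
config firewall vip
    edit "vip-web-195.3.3.3"
        set extip 195.3.3.3
        set extintf "wan1"
        set portforward enable
        set mappedip "10.0.0.3"
        set extport 80
        set mappedport 80
    next
end

# Address object for the LAN server (used by the policy route and the SNAT policy)
config firewall address
    edit "srv-10.0.0.3"
        set subnet 10.0.0.3 255.255.255.255
    next
end

# Step 4: IP pool holding the single subnet IP used as the outbound source address
config firewall ippool
    edit "pool-195.3.3.3"
        set type overload
        set startip 195.3.3.3
        set endip 195.3.3.3
    next
end

# Step 3: policy route - traffic from the server leaves via wan1, not the wan2 default route
# (assumed interface names; the src syntax shown is the 5.6 form)
config router policy
    edit 1
        set input-device "internal"
        set src "10.0.0.3/255.255.255.255"
        set output-device "wan1"
        set gateway 62.1.1.1
    next
end

config firewall policy
    # Step 2: inbound policy for the VIP, no NAT so the server sees the real client address
    edit 10
        set name "inbound-web-vip"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-web-195.3.3.3"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat disable
    next
    # Step 5: outbound policy for the server with SNAT to the IP pool
    edit 11
        set name "outbound-server-snat"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "srv-10.0.0.3"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-195.3.3.3"
    next
end
```

Two points worth checking after applying this. The policy route is what makes the difference between steps 3 and 4 in the thread: policy routes are consulted before the routing table, so the server's traffic is sent out wan1 even though the default route points at wan2, and without the IP pool on policy 11 that traffic would leave with the wan1 interface address 62.1.2.3. To confirm the outbound source address is the subnet IP, run `diagnose sniffer packet wan1 'host 195.3.3.3' 4` on the FortiGate while the server opens a connection outbound; the captured packets should show 195.3.3.3 as the source. Policy 10 has no NAT, as in the thread, so the server's replies to inbound connections are matched to the existing session and return via wan1 with the VIP address reversed, independent of the policy route.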
