pdfsmail
New Contributor

Public IP block to different subnets

Using a FortiWiFi 50E-2R

OS: 5.6

 

I have a public IP block with 5 usable IPs (see below). I have WAN1 set up with this block.

My company has a need to have:

  1. One of the Public IPs on the WAN provide internet connection to 3 subnets (on ports 1, 2 & 3) on the Fortigate. (All NAT, Fortigate controls DHCP for each)
  2. I need another of the public IPs to have one internal IP range (Port 4, also NAT & DHCP)
  3. The third Public IP needs to map directly to an internal server IP with access from the outside.

     

    Example (IPs are examples but should give you the idea):

     

    PUBLIC IPs:

    x.x.x.81 > Gateway

    x.x.x.82-86 > USABLE Public IP Range

    /29 (255.255.255.248)

     

    .82 >> Port 1, 2 & 3 (NAT each: port 1 > 10.0.0.0/24; port 2 > 192.168.1.1/24; port 3 > 10.1.0.0/24)

    .83 >> Port 4 (NAT: 172.16.0.0/24)

    .84 >> Port 5 (maps to server 10.99.1.10)

     

    I have the first one working by applying an IP range to each port, then creating policies to allow traffic to wan1 and creating a static route (0.0.0.0/0) to wan1.

    Not sure how to get the 2nd and 3rd to work and use a different public IP each.

     

    If possible, details on how to set it up would be helpful (using the GUI).

    Thank you in advance for your help!

    2 REPLIES
    ede_pfau
    SuperUser

    Hi, and welcome to the forums.

    You've set up ports 1-3 already. This is the way to go.

    Port5 will be serviced by an address/port translation = destination NAT. In FortiOS, this is done with a VIP (virtual IP). Create a VIP mapping the external address to the server's address, do not specify to translate the port (in this case, you could test the access with 'ping').

    Port4 is a bit more difficult. There is only one default route per FGT. If that is OK for you (gateway from the same ISP) then you only need to exchange the source address from port4 LAN addresses to a different WAN IP. You enable NAT in the policy 'port4 -> wan' but you do not use the default WAN address. Instead, you define an 'IP pool' with just one address, the other WAN address you intend to use. You specify it in the outgoing policy.

     

    You will find all of this, including screen shots and CLI commands, in the FortiOS Handbook, on docs.fortinet.com. Really, really recommended to look into.

    Try it out for yourself. If you get stuck post the relevant config parts here and you'll get more help.


    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
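The VIP and one-address IP pool described in the reply above, written out as a FortiOS CLI sketch. This is an added example, not part of the thread or of Fortinet's documentation: 203.0.113.83 and 203.0.113.84 are constructed stand-ins for x.x.x.83 and x.x.x.84, and the interface names port4/port5 and all object and policy names are assumptions. Lines starting with # are annotations.

```fortios
# Source NAT for the port4 LAN: an IP pool holding only the second public IP.
config firewall ippool
    edit "port4-pool"
        set type overload
        set startip 203.0.113.83
        set endip 203.0.113.83
    next
end
# Destination NAT for the server: a VIP with no port translation.
config firewall vip
    edit "server-vip"
        set extintf "wan1"
        set extip 203.0.113.84
        set mappedip "10.99.1.10"
    next
end
config firewall policy
    # Outbound: NAT is enabled, but the pool replaces the default wan1 address.
    edit 0
        set name "port4-out"
        set srcintf "port4"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "port4-pool"
    next
    # Inbound: the VIP is the destination. PING matches the test suggested in
    # the reply; afterwards list only the services the server must publish.
    edit 0
        set name "wan-to-server"
        set srcintf "wan1"
        set dstintf "port5"
        set srcaddr "all"
        set dstaddr "server-vip"
        set action accept
        set schedule "always"
        set service "PING"
    next
end
```

Keeping the inbound policy's service list narrow matters because the VIP itself forwards every port on the external address to the server.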
    pdfsmail

    This worked great, we are up and running!

    Thanks for the help!!

     

     
