IWMA
New Contributor

1 ISP, 4 static IP addresses, 4 different purposes

Hi all,

 

I recently switched firewall brands. Now we use a Fortigate 61e. Before we used a Stormshield SN500. I would like to deal with the following: our ISP (cablemodem) provides us with 4 static IPs. All 4 are meant to be used for different operations: voip, dmz, network, vpn.

The 61e has 2 WAN-ports, but as I noticed, they can be used for load-balancing or failover. So, at this moment I only use 1 static ip, connected to WAN1 > interface LAN 1 > switch 1 & switch 2 POE: 2 switches are connected with LAN 1 (internal network, i.e. 192.168.2.0). I need some advice on how to configure 'static ip 2', which will be used for SIP-VOIP only (in a different subnet, i.e. 192.168.20.0). Is it possible to connect the cable-modem to WAN2 > interface LAN 2 > switch? If possible, a pbx will be connected to the switch and addressing the 192.168.20.0-network. All the voip-phones will use this subnet.

 

Thanks in advance.

tanr
Valued Contributor II

I don't work with SIP/VOIP, but a couple notes.

 

1. You can define multiple Secondary IP Addresses or IP Pools on a single interface, so you could define all your static IPs on a single wan interface and just connect a single cable to your ISP's cablemodem. Depending on your use you may need to do source NAT or use VIPs. You can also use the LAN ports as wan ports, so you could define some of them as your static IPs instead if you want these physically separated.

 

2. To route based on source or protocol you'll need to use policy routes, which redirect to specific static routes that you've created.  See http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-networking/fortigate-advanced-routing... for details.  Note that to make this work you may need static routes that have the same distance but different priorities set.  See http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-networking/fortigate-advanced-routing...

 

For the SIP/VOIP side, all I can do is point you to the docs which have some examples: 

http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-voip-guide/HNATT-config-example.htm

http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-voip-guide/ALG-NAT-snat-example.htm 

 

Hopefully somebody else with more experience on the VOIP side will chime in.

IWMA
New Contributor

Thanks for the input. I'll try the LAN-port option and use them physically. I also read the cookbook regarding voip traffic, so hopefully I get the routing right.

 

Regards

icom
New Contributor

deleted

 

 

rwpatterson
Valued Contributor III

Your best bet would be to configure the one physical port and define the rest as virtual IP addresses. A virtual IP address will act as a physical interface would on the WAN interface, but does NOT need to be defined on the port (WANx). When you try to configure more than one IP on a single subnet on the firewall, you will get errors since there should only be one IP per subnet per interface. That IS the purpose of a firewall, isn't it? (VLANs although residing on a wire with the base VLAN are treated like separate interfaces)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
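
The single-WAN-port approach suggested in the replies above (a VIP for inbound traffic, an IP pool for source NAT), written as FortiOS CLI configuration. This is an added example, not posted by anyone in the thread. The interface name internal2, the public addresses (documentation ranges), the PBX address 192.168.20.10 and all object names are assumptions.

```fortios
# Added example. Assumed/constructed values: 203.0.113.11 stands in for
# "static ip 2", 198.51.100.0/24 for the SIP provider, 192.168.20.10 for the
# PBX, internal2 for the VoIP LAN port; object names are hypothetical.
config firewall vip
    edit "vip-pbx"
        set extintf "wan1"
        set extip 203.0.113.11
        set mappedip "192.168.20.10"
    next
end
config firewall ippool
    edit "pool-voip"
        set startip 203.0.113.11
        set endip 203.0.113.11
    next
end
config firewall address
    edit "sip-provider"
        set subnet 198.51.100.0 255.255.255.0
    next
end
config firewall policy
    # Inbound: only the provider may reach the PBX, and only on SIP.
    edit 0
        set name "sip-in"
        set srcintf "wan1"
        set dstintf "internal2"
        set srcaddr "sip-provider"
        set dstaddr "vip-pbx"
        set action accept
        set schedule "always"
        set service "SIP"
    next
    # Outbound: VoIP subnet leaves through the second static IP.
    edit 0
        set name "voip-out"
        set srcintf "internal2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SIP"
        set nat enable
        set ippool enable
        set poolname "pool-voip"
    next
end
```

Restricting the inbound policy to the provider's address range keeps the PBX from being reachable by arbitrary Internet hosts on the SIP port.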
