Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pchludil
New Contributor

Multiple Subnets on a Single External Interface

Hey everyone,

 

I have what I consider a little bit of an odd routing situation and I am not sure if the Fortigates support it and how you do it. I haven't found it in the manual yet. I have personally never run into it before but I can't believe it is uncommon today.

 

So here is the situation:

  • We currently run 200D Fortigates on 6.0.X.
  • At one of my locations I have a /29 on a WAN interface from our ISP.
  • I need to add additional IPs and we would like to do it by adding another /29. (I don't even know what you call this technically.) This amounts to supporting two subnets on the same external/WAN interface. This is something I have never done before but I am aware it can be done on other hardware.
  • I saw some information for 4.x that appears to be relevant to internal routing but not from the outside in.

Our options are two /29s as described above or move to a new /28 and change everything that is on the existing /29. I would rather avoid moving to the /28 as it means outages and such. I don't see us needing more IPs for a while so another /29 would be more than sufficient.

Thanks in advance for any help you might be able to provide!

    ede_pfau
SuperUser

hi, and welcome to the forums.

     

    I think you can solve this easily, by creating a secondary address a.b.c.d/29 on the WAN port. Your ISP will route this subnet to your primary WAN address so that routing is no issue.

    There are subtle differences between primary and secondary addresses, mostly when it comes to services you offer on the WAN port.

    For instance, IPsec VPN and SSL VPN per default listen on the primary WAN address - not on the whole subnet, nor on any secondary addresses. Fortunately, you can twist the config accordingly if you wish to use a secondary address for these services.

     

Depending on your use case, you could even employ Virtual Addresses (VIPs) instead of "physical". Nowadays they even respond to ARP if configured. On egress traffic, they will automatically source-NAT outbound traffic (what a misuse of language...).

    IMHO, real secondary addresses are easier to use, are visible in GUI (this has not always been the case) and the concept is well known.


    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    pchludil

    Ede,

    Thanks for the reply AND the welcome!

     

    We found the setting for the Secondary Address.

     

    How would you "twist the config" to use a secondary address for VPN? We already have it on our primary block so this is just out of curiosity.

    Toshi_Esumi
SuperUser

Or, no additional config on the WAN interface unless there are multiple devices hanging off of the ISP circuit and they share the /29 subnet with the FGT.

In many cases an ISP assigns a /30 for the interface (GW IP on their end) and routes an additional /29 routable subnet to the main interface IP as the customer's network needs grow. So the /29 can be used on the LAN side, or you can of course use each IP with VIPs on the FGT. This is a very common way with an L3 router.

So it depends on your network requirement and the reason you got the new /29 subnet.

    pchludil

    Toshi,

     

    Thanks for the input. I follow what you are saying. They suggested something similar as a potential option but didn't sound like they were crazy about doing it. They were pushing toward two /29s or a completely fresh /28.

    ede_pfau

    For IPsec VPN, you specify "set local-gw n.n.n.n" in 'conf vpn ipsec phase1-interface' where n.n.n.n is one of the secondary IPs. For SSL VPN, I don't know by heart (as I use it much less often) but maybe someone else can supply the info whether this is configurable and how.

     

    edit:

You might read this forum post for a working solution. Back in 2014 it was AFAIK the only way to redirect SSLVPN to a different IP. Post: https://forum.fortinet.com/tm.aspx?m=111523


    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
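As an added illustration (not posted by anyone in this thread), here is the CLI shape of the two things Ede describes: the secondary /29 on the WAN port from the first answer, with a VIP that answers ARP, and the `set local-gw` phase1 setting from the reply above. The addresses are RFC 5737 documentation ranges chosen for this example, the interface and object names are assumed, the `#` lines are commentary and not FortiOS CLI, and the placeholder values in angle brackets must be replaced.

```text
config system interface
    edit "wan1"
        # Primary /29 from the ISP (constructed example addresses)
        set ip 203.0.113.2 255.255.255.248
        set allowaccess ping https ssh
        # Second /29 as a secondary address on the same port.
        # The secondary IP carries its own allowaccess list, so management
        # services are not exposed on it unless listed here.
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 198.51.100.2 255.255.255.248
                set allowaccess ping
            next
        end
    next
end

# IPsec tunnel terminated on a secondary address instead of the primary
# WAN IP (the "twist" from the reply above).
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set local-gw 198.51.100.2
        set remote-gw <peer-public-ip>
        set psksecret <pre-shared-key>
    next
end

# One address of the new /29 published as a VIP that responds to ARP;
# a firewall policy referencing the VIP is still required to pass traffic.
config firewall vip
    edit "web-public"
        set extip 198.51.100.3
        set extintf "wan1"
        set mappedip "10.10.10.20"
        set arp-reply enable
    next
end
```

Keeping the secondary address's allowaccess list short is the practical check here: the new block is routed to the unit just like the primary, so anything enabled on it is reachable from the Internet.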