Support Forum
daveoman
New Contributor

30E multiple incoming public IPs and some forwarding/NAT, etc

Got a shiny new fortigate 30e to handle behind a comcast CGA4131. There are 5 static ips coming in via the comcast, and "supposedly" that device has the entire firewall disabled. Everything in the office is behind the fortigate. I'd like to configure the fortigate to do a few things:

A) be a dhcp server to user machines and a wifi AP

B) do port forwarding from static ip/public port to a private ip/private port

C) do 1-1 NAT of a public IP to a private IP

D) have a public ip box

E) make sure I can access all of the public and private ips from inside the network

I've tried/done a few things:

For A) - is working correctly. Set dhcp server up on lan side to distribute 10.1.10.50-199 (reserving those lower and upper pieces for static ips in that subnet.) Lan side interface is 10.1.10.1/255.255.255.0

For B) - Set up a few ipv4 virtual ips to map public IPs/ports to private IPs/(different)port combos. Then set up an ipv4 virtual ip group, put those new virtual ips in there. Then, set up an ipv4 policy with that virtual ip group as the destination and ACCEPTed that.

For C) - Haven't done anything yet, as B wasn't working (and I believe C to be the same kind of config.)

For D) - Another box is already sitting behind a switch and the fortigate that has a public ip configured correctly. I actually moved that box to an empty port on the comcast router, and it is visible at that public IP. So it seems like comcast is passing the public ips thru.

For E) - B and C not working, so no data here yet.

For the fortigate wan side, right now it is set for dhcp, just because that's the only way I have been able to allow clients behind it to have connectivity. The comcast router is set for dhcp on a separate 10.0.0.1 network on that interface.

I tried giving the fortigate one of the public ips. No connectivity thru it to clients.

I tried turning off the comcast router dhcp and then giving the fortigate one of the public IPs. That doesn't provide connectivity.

I tried putting the comcast router in true bridge mode, but comcast told me that would wipe out all of my public ip addresses.

Do I need to do some sort of bridging on the fortigate wan side to make sure the public ip data comes to it from the comcast side?

What routing setup would be needed to make sure I can ssh between public ip and private ip boxes behind the fortigate (with the traffic not passing to the comcast router unnecessarily)?


TIA

ede_pfau
SuperUser

I think some of your troubles stem from the fact that the FGT gets a dynamic WAN address. Your VIPs then have to have "0.0.0.0/0" as the external address, a wildcard.

Ignoring the Comcast DHCP and setting the WAN port to a static address from that subnet should work as well.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
daveoman

Ya, that's the weird part... I set the WAN port of the FGT to one of the statics, turned DHCP off on the Comcast, rebooted everything to hopefully clear some ARP caches/tables/whatever, and no connectivity to the internet for downstream devices on DHCP via the FGT.


I do know the Comcast box has two different entries on it for WAN IP. One is "wan ip address" and the other is "wan static ip address". They are different numbers, and the second one is the gateway address of my public IP block. Do I need to set some sort of route on the FGT to point to that static IP?

daveoman

Just finishing this out... Comcast box needed to have all DHCP turned off (IPv4 and IPv6), along with shutting off the firewall completely. FGT then got its own static IP on the WAN interface, and I just had to add a static route pointing to the static IP of the Comcast gateway that was on my subnet (it listed two, but only one of them said "static"). After that, data started rolling through.


Some of my port forwards still aren't working (which is strange, how some do and some don't even though they are the same template of a rule and are in the same group). Those aren't that big of a deal (yet), so I'll figure it out. And now I need to figure out how to access the public IPs from behind the FGT also. Again, no biggie, so time on my side there.
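As an added example (not the poster's own configuration), the FortiOS CLI equivalent of what this thread arrived at: a static WAN address, a default route to the Comcast "static" gateway, a port-forward VIP, the inbound policy, and the LAN-to-LAN hairpin policy that lets internal hosts reach the VIP by its public address. All addresses are constructed placeholders from the 203.0.113.0/29 documentation range (gateway .1, WAN .2), and the LAN interface is assumed to be named "lan".

```fortios
config system interface
    edit "wan"
        set mode static
        set ip 203.0.113.2 255.255.255.248
    next
end
# Default route to the gateway the Comcast box lists as "wan static ip address"
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan"
    next
end
# B) port forward: public 203.0.113.3:2222 -> private 10.1.10.20:22
config firewall vip
    edit "vip-ssh-fwd"
        set extip 203.0.113.3
        set extintf "wan"
        set portforward enable
        set extport 2222
        set mappedip "10.1.10.20"
        set mappedport 22
    next
end
config firewall policy
    # Inbound to the VIP. The service matches the pre-NAT port (2222), so a
    # custom tcp/2222 service is the narrower choice; "SSH" (22) would not match.
    edit 10
        set name "inbound-ssh-fwd"
        set srcintf "wan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "vip-ssh-fwd"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # E) hairpin from LAN; NAT so the server's replies return via the FortiGate
    edit 11
        set name "lan-to-vip-hairpin"
        set srcintf "lan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "vip-ssh-fwd"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Without the hairpin policy's NAT, the internal server would reply straight to the client's private address and the connection would fail; checking this rule first is the quickest way to explain VIPs that work from outside but not from the LAN.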
