kurdam
New Contributor

Routing several WAN subnets

Hi,

I'm having some problems understanding how to route multiple WAN subnets through my Fortigate.

I'm working in a datacenter and we have several WAN subnets at our disposal: 1 /24, 1 /25, 2 /26 and a /28 that are all routed to us.

I would like to use our FortiGate 101F to route all this traffic to several VLANs and then use the multiple Fortinet technologies to monitor and secure the connections.

The objective here is to have all the WAN addresses go through the port WAN1 of the FortiGate and give a VM in my LAN a public IP without doing NAT.


Thank you in advance for your help.

arnobolt
New Contributor

Hey there,


I'm currently facing the exact same issue.

Following this topic to see if anyone has a solution!


I know DrayTek is able to do this, called "IP Routed Subnet"; however, that must be a term only DrayTek uses.


Thanks in advance.


Toshi_Esumi
SuperUser

Wow, you must be in a big DC center. Nowadays it's very difficult to get an IPv4 /24 subnet from anybody.

Anyway, it's just a routing issue. Think of the FGT as a router. The DC provider must have told you which subnet/IP you should have on the WAN interface so that they can route the rest toward that IP. That one you can't use on the LAN side unless you split it into multiple smaller subnets. You can still use those available IPs for VIPs though.

But for the rest of subnets, you can assign them to any LAN side interfaces including VLANs. Just take one from each subnet for the FGT's interface IP, which would be the GW for the devices in the subnet. Then each device can have another one, or multiple, from the subnet.

As long as the FGT has an IP from all subnets, you don't need any static routes because they're directly connected.


The rest is just policies you must be familiar with.
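A FortiOS CLI sketch of the arrangement described above, added here as an example that is not from either poster: a small transit subnet on wan1, one routed /24 assigned directly to a VLAN interface (so it needs no static route), a default route toward the provider, and policies with NAT left off. The interface names (wan1, internal, vlan100), the VLAN ID and the RFC 5737 addresses (198.51.100.0/30 for the link, 203.0.113.0/24 as the routed block) are constructed placeholders, and the `#` lines are annotations rather than CLI input.

```fortios
# Constructed example: the provider routes 203.0.113.0/24 to us via a /30 on wan1.
config system interface
    edit "wan1"
        set ip 198.51.100.2 255.255.255.252
    next
    edit "vlan100"
        set ip 203.0.113.1 255.255.255.0
        set interface "internal"
        set vlanid 100
    next
end
# Only a default route is needed; 203.0.113.0/24 is directly connected via vlan100.
config router static
    edit 1
        set gateway 198.51.100.1
        set device "wan1"
    next
end
# Address object for the single host that may receive inbound traffic (assumed VM IP).
config firewall address
    edit "vm-web"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall policy
    edit 1
        set name "vlan100-to-internet"
        set srcintf "vlan100"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 2
        set name "internet-to-vm-web"
        set srcintf "wan1"
        set dstintf "vlan100"
        set srcaddr "all"
        set dstaddr "vm-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
    next
end
```

With NAT off, every address in the routed block becomes reachable from the internet the moment a policy permits it, so the inbound policy is deliberately limited to one host and one service rather than "all".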

kurdam

Thank you very much for your answer. Yes, at first I tried to use the FortiGate as a simple router to route all our public IPs. The DC has an IP in each subnet in order for us to have a gateway out.

I tried declaring on WAN1 one IP in each subnet as a gateway for all the other ones, and in the LAN giving another IP to a VM.

It's pretty hard to explain over text, so I'm going to try to be precise and give you an example.


Let's say we have two /24s at our disposal: 42.50.60.0/24 and 55.50.60.0/24

Our DC takes two IPs to give us a gateway: 42.50.60.254 and 55.50.60.254


On the FortiGate I declare WAN1 with two IPs: 42.50.60.253 and 55.50.60.253 (on the same interface I just add an alias (secondary IP))


And i want a VM located in my LAN:

NIC1: IP: 192.168.1.54/24 (gateway 192.168.1.254)

to have a second NIC with a public IP:

NIC2: IP: 55.50.60.5/24 and a gateway 55.50.60.253.


And to complete the example, I want another VM to have this configuration:

NIC1: IP: 192.168.1.55/24 GW: 192.168.1.254

NIC2: IP: 42.50.60.5/24 GW: 192.168.1.253


Both VMs in this example are connected to LAN1 on the FortiGate, and this interface has this IP: 192.168.200.254/24


I think I'm missing something, because when I tried to do this it didn't work, and of course when I'm trying to add routes it doesn't work or it creates a loop in the network.


Thank you again for your help.

Toshi_Esumi

I don't understand why the DC side needs to take one IP from every subnet they provide to you if only one physical link is connecting you and them. I would negotiate with them to use the smallest subnet for the WAN link, then they route the others to the WAN IP. That's easier and takes fewer resources for them.

You can't have the same subnet on both LAN and WAN (DC's GW). With the current arrangement, practically only VIPs (all public IPs reside on the FGT) would work to map those to local device IPs. You should explain how you want to use those public IPs and they would understand.
