Technical Tip: How to configure SNAT with IP pool
Description
This article describes how to use an IP pool and how to choose its type depending on the network's needs.
Scope
FortiGate.
Solution
Dynamic SNAT.
Dynamic SNAT maps the private IP addresses to the first available public address from a pool of addresses.
In the FortiGate firewall, this can be done by using IP pools.
IP pools are the mechanism that lets sessions leaving the FortiGate use NAT.
An IP pool defines a single IP address or a range of IP addresses to be used as the source address for the duration of the session.
These assigned addresses are used instead of the IP address assigned to that FortiGate interface.
IP pool types.
FortiGate supports four types of IPv4 IP pools: overload, one-to-one, fixed port range, and port block allocation.
This recipe focuses on some of the differences between them.
Overload.
This type of IP pool is similar to static SNAT mode.
An external IP range containing one or more IP addresses must be defined.
When the range holds only one IP address, the behavior is almost the same as static SNAT, except that the pool address is used in place of the outgoing interface address.
When the range holds multiple IP addresses, it is equivalent to an extended mode of static SNAT.
For instance, if an overload-type IP pool with two external IP addresses is defined (172.16.200.1-172.16.200.2), then since there are 60,416 available port numbers per IP, this IP pool can handle 60,416 x 2 = 120,832 port translations.
The mapped address for a given source is chosen as follows, where:
- P1 = the first address in the IP pool.
- R1 = the number of IP addresses in the IP pool.
- X = the source IP address as a decimal number.
- Y = the mapped IP address.
Y = P1 + (X mod R1)
Step by step:
- Convert the source IP address to a decimal number.
- Determine the number of IP addresses in the pool.
- Find the remainder of the source IP address divided by the number of addresses in the pool.
- Add the remainder to the first IP address in the pool.
If there are two IP pools, where:
- P1 = the first address in the first IP pool.
- P2 = the first address in the second IP pool.
- R1 = the number of IP addresses in the first IP pool.
- R2 = the number of IP addresses in the second IP pool.
- X = the source IP address as a decimal number.
- Y = the mapped IP address.
If X mod (R1 + R2) < R1, then Y = P1 + (X mod R1).
Otherwise, Y = P2 + (X mod R2).
Step by step:
- Convert the source IP address to a decimal number.
- Determine the total number of IP addresses in the two pools.
- Find the remainder of the source IP address divided by the total number of pool addresses.
- If the remainder is less than the number of addresses in pool01, the address is selected from pool01 and the remainder is recalculated based only on pool01. If the remainder is not less than the number of addresses in pool01, the address is selected from pool02 and the remainder is recalculated based only on pool02.
- Add the new remainder to the first IP address of the selected pool.
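The overload hash above, carried through in code as an added example for this article (it is not FortiGate code). It converts addresses to decimal, applies Y = P1 + (X mod R1) for a single pool and the two-pool rule, and counts how a whole /24 of source addresses spreads across a pool, which is the quickest way to see that consecutive internal hosts alternate evenly between pool addresses. The pool 172.16.200.1-172.16.200.2 and the 60,416 ports-per-IP figure are the article's; the second pool 172.16.201.1-172.16.201.3 and the source hosts in the demo are constructed for the example.

```python
import ipaddress
from collections import Counter
from typing import Dict, Tuple

# Port translations per public IP, as stated in the article.
PORTS_PER_IP = 60416

# An IP pool as (startip, endip), inclusive, the way it is set on the FortiGate.
Pool = Tuple[str, str]


def ip_to_int(ip: str) -> int:
    """X: an IPv4 address as a decimal number."""
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def pool_size(pool: Pool) -> int:
    """R: number of addresses in an inclusive startip..endip range."""
    return ip_to_int(pool[1]) - ip_to_int(pool[0]) + 1


def overload_map(src: str, pool: Pool) -> str:
    """Single overload pool: Y = P1 + (X mod R1)."""
    x, p1, r1 = ip_to_int(src), ip_to_int(pool[0]), pool_size(pool)
    return int_to_ip(p1 + (x % r1))


def overload_map_two_pools(src: str, pool1: Pool, pool2: Pool) -> str:
    """Two overload pools on one policy, following the article's rule:
    if X mod (R1 + R2) < R1 then Y = P1 + (X mod R1), else Y = P2 + (X mod R2)."""
    x = ip_to_int(src)
    p1, r1 = ip_to_int(pool1[0]), pool_size(pool1)
    p2, r2 = ip_to_int(pool2[0]), pool_size(pool2)
    if x % (r1 + r2) < r1:
        return int_to_ip(p1 + (x % r1))
    return int_to_ip(p2 + (x % r2))


def pool_capacity(pool: Pool) -> int:
    """Port translations the pool can hold in total (PORTS_PER_IP per address)."""
    return pool_size(pool) * PORTS_PER_IP


def spread(src_network: str, pool: Pool) -> Dict[str, int]:
    """Count how many hosts of src_network land on each pool address."""
    counts: Counter = Counter()
    for host in ipaddress.IPv4Network(src_network).hosts():
        counts[overload_map(str(host), pool)] += 1
    return dict(counts)


if __name__ == "__main__":
    pool_a: Pool = ("172.16.200.1", "172.16.200.2")  # pool from the article
    pool_b: Pool = ("172.16.201.1", "172.16.201.3")  # constructed second pool
    for src in ("10.1.100.14", "10.1.100.15", "10.1.100.17"):  # constructed hosts
        print(src, "->", overload_map(src, pool_a),
              "| with two pools ->", overload_map_two_pools(src, pool_a, pool_b))
    print("capacity of pool_a:", pool_capacity(pool_a))
    print("10.1.100.0/24 over pool_a:", spread("10.1.100.0/24", pool_a))
```

Running it shows 10.1.100.14 (decimal 167863310, even) landing on 172.16.200.1 and 10.1.100.15 on 172.16.200.2, and the 254 hosts of 10.1.100.0/24 splitting 127/127 across the two-address pool. With the second pool added, 10.1.100.17 has remainder 3 when divided by R1 + R2 = 5, so it is served from pool02 as 172.16.201.3.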
One-to-one.
With this type of IP pool, each internal IP address is translated to one external (translated) IP address, one-to-one.
Addresses are assigned on a first-come, first-served basis, and the source port is not changed or translated.
- In this scenario, each internal IP in the range 10.0.0.1 to 10.0.0.10 is mapped to the first available IP in the pool 20.0.0.1 to 20.0.0.10 for SNAT.
- When 10.0.0.2 tries to access the internet, the system checks the IP pool for the first free IP, which is 20.0.0.1, and assigns it for the translation.
- So the connection from 10.0.0.2 to the internet appears to come from 20.0.0.1.
- Assigning the earliest available IP to each internal IP as needed makes full use of the IP pool. Because one pool address is consumed per internal host, the pool can serve at most as many internal hosts concurrently as it has addresses.
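The first-come, first-served behaviour as a small stateful allocator, added here as an example (not FortiGate code) to contrast with the overload hash: the translation is chosen by what is free at the time, not computed from the source address, a second session from the same host reuses its address, the source port passes through untouched, and an eleventh host finds a ten-address pool exhausted. The internal and pool ranges are the article's (10.0.0.x and 20.0.0.1-20.0.0.10); the hosts, ports and session sequence in the demo are constructed. Two points are assumptions, not stated in the article: the address is returned to the pool once the host has no sessions left, and a host that finds no free address gets no translation.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def ip_range(start: str, end: str) -> List[str]:
    """Expand an inclusive startip..endip range, lowest address first."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]


class OneToOnePool:
    """First-come, first-served one-to-one SNAT pool.

    Each internal host takes the lowest free pool address; ports are not translated.
    Assumption (not stated in the article): the address is released when the host
    has no sessions left, and a host with no free address gets no translation."""

    def __init__(self, startip: str, endip: str) -> None:
        self.free: List[str] = ip_range(startip, endip)
        self.mapping: Dict[str, str] = {}   # internal IP -> pool IP
        self.sessions: Dict[str, int] = {}  # internal IP -> open session count

    def new_session(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Return (translated_ip, translated_port), or None when the pool is exhausted."""
        if src_ip not in self.mapping:
            if not self.free:
                return None                       # no address left for a new host
            self.mapping[src_ip] = self.free.pop(0)  # first (lowest) free address
        self.sessions[src_ip] = self.sessions.get(src_ip, 0) + 1
        return self.mapping[src_ip], src_port     # source port passes through unchanged

    def end_session(self, src_ip: str) -> None:
        """Close one session; release the host's address when it has none left (assumption)."""
        if src_ip not in self.sessions:
            return
        self.sessions[src_ip] -= 1
        if self.sessions[src_ip] == 0:
            del self.sessions[src_ip]
            self.free.append(self.mapping.pop(src_ip))
            self.free.sort(key=lambda ip: int(ipaddress.IPv4Address(ip)))


def demo() -> dict:
    """Constructed session sequence against the article's 20.0.0.1-20.0.0.10 pool."""
    pool = OneToOnePool("20.0.0.1", "20.0.0.10")
    first = pool.new_session("10.0.0.2", 51000)      # first host out takes 20.0.0.1
    second = pool.new_session("10.0.0.7", 51001)     # next host takes 20.0.0.2
    same_host = pool.new_session("10.0.0.2", 51002)  # same host keeps 20.0.0.1
    for i in range(8):                               # eight more hosts use up 20.0.0.3-.10
        pool.new_session(f"10.0.0.{100 + i}", 52000 + i)
    eleventh = pool.new_session("10.0.0.200", 53000)  # pool exhausted -> None
    pool.end_session("10.0.0.2")
    pool.end_session("10.0.0.2")                     # 10.0.0.2 closes both sessions
    reused = pool.new_session("10.0.0.200", 53000)   # 20.0.0.1 is free again
    return {"first": first, "second": second, "same_host": same_host,
            "eleventh": eleventh, "reused": reused}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The exhaustion case is the one to plan for: a one-to-one pool sized smaller than the number of internal hosts that can be active at once will leave later hosts without a translation, whereas an overload pool would keep serving them from the same addresses.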
For the overload and one-to-one IP pool types, it is not necessary to define the internal IP range.
Fixed port range.
One public IP can support 60,416 port translations; with this type, those ports are divided evenly among the internal IP addresses in the defined source range.
For instance, if the pool is defined with one external IP address (172.16.200.1) and ten internal IP addresses (10.1.100.1-10.1.100.10), each internal IP address is assigned its own fixed share of the external IP's ports (60,416 / 10, about 6,041 ports each) as a fixed IP+port combination.
Port block allocation.
This type of IP pool is also a type of port address translation (PAT). Instead of a fixed share per host, each internal IP address is allocated port blocks of a configured size, up to a configured number of blocks per user. For example, with:
- External IP Range: 172.16.200.1-172.16.200.1.
- Block Size: 128.
- Blocks Per User: 8.
Result.
- Total PBAs: 472 (60,416 / 128).
- Maximum ports per user (internal IP address): 1,024 (128 x 8).
- Internal IPs that can be handled: 59 (60,416 / 1,024, or 472 / 8).
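The sizing arithmetic for the two PAT-based types, as an added planning helper written for this article (not FortiGate code). For fixed port range it rebuilds the per-host IP+port table the article refers to; for port block allocation it reproduces the Total PBAs / ports-per-user / hosts figures and adds the check a practitioner actually wants, whether a planned internal range fits the configured blocks. The 60,416 ports-per-IP figure, the 172.16.200.1 address, the 10.1.100.1-10.1.100.10 range and the 128 x 8 PBA settings are the article's; the starting port 5117 of the NAT port range is an assumption, since the article does not give it.

```python
import ipaddress
from typing import Dict, List, Tuple

PORTS_PER_IP = 60416   # port translations per public IP, as stated in the article
FIRST_PORT = 5117      # ASSUMED first port of the NAT port range; not given in the article


def fixed_port_range(external_ip: str, source_startip: str, source_endip: str,
                     ports_per_ip: int = PORTS_PER_IP,
                     first_port: int = FIRST_PORT) -> List[Tuple[str, str, str]]:
    """Fixed port range: split one external IP's port budget evenly across the
    internal range. Returns (internal_ip, external_ip, 'first-last') rows."""
    lo = int(ipaddress.IPv4Address(source_startip))
    hi = int(ipaddress.IPv4Address(source_endip))
    n_internal = hi - lo + 1
    slice_size = ports_per_ip // n_internal          # ports each internal host owns
    rows = []
    for i, n in enumerate(range(lo, hi + 1)):
        start = first_port + i * slice_size
        rows.append((str(ipaddress.IPv4Address(n)), external_ip,
                     f"{start}-{start + slice_size - 1}"))
    return rows


def pba_sizing(block_size: int, blocks_per_user: int, n_external: int = 1,
               ports_per_ip: int = PORTS_PER_IP) -> Dict[str, int]:
    """Port block allocation figures from the article:
    total PBAs = ports / block-size (per external IP),
    ports per user = block-size * blocks-per-user,
    hosts served = total PBAs / blocks-per-user."""
    total_pbas = (ports_per_ip // block_size) * n_external
    return {
        "total_pbas": total_pbas,
        "ports_per_user": block_size * blocks_per_user,
        "max_users": total_pbas // blocks_per_user,
    }


def pba_fits(block_size: int, blocks_per_user: int, n_hosts: int,
             n_external: int = 1) -> bool:
    """True when every host in a planned internal range can hold its full
    allocation at the same time."""
    return pba_sizing(block_size, blocks_per_user, n_external)["max_users"] >= n_hosts


if __name__ == "__main__":
    for row in fixed_port_range("172.16.200.1", "10.1.100.1", "10.1.100.10"):
        print(*row)
    print(pba_sizing(128, 8))
    print("59 hosts fit:", pba_fits(128, 8, 59), "| 60 hosts fit:", pba_fits(128, 8, 60))
```

With the article's PBA settings the helper returns 472 blocks, 1,024 ports per user and 59 hosts, and reports that a 60-host internal range does not fit on a single external IP; for fixed port range it shows each of the ten hosts owning 6,041 consecutive ports of 172.16.200.1.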
Sample configuration.
To configure an overload IP pool from the GUI.
- Go to Policy & Objects -> IP Pools and select 'Create New'.
- Select IPv4 Pool and then select 'Overload'.
From the CLI:
config firewall ippool
    edit "Overload-ippool"
        set type overload
        set startip 172.16.200.1
        set endip 172.16.200.1
    next
end
To configure a one-to-one IP pool from the GUI.
- Go to Policy & Objects -> IP Pools and select 'Create New'.
- Select IPv4 Pool and then select 'One-to-One'.
From the CLI:
config firewall ippool
    edit "One-to-One-ippool"
        set type one-to-one
        set startip 172.16.200.1
        set endip 172.16.200.2
    next
end
To configure a fixed port range IP pool from the GUI.
- Go to Policy & Objects -> IP Pools and select 'Create New'.
- Select IPv4 Pool and then select 'Fixed Port Range'.
From the CLI (the internal range is set with source-startip and source-endip):
config firewall ippool
    edit "FPR-ippool"
        set type fixed-port-range
        set startip 172.16.200.1
        set endip 172.16.200.1
        set source-startip 10.1.100.1
        set source-endip 10.1.100.10
    next
end
To configure a port block allocation IP pool from the GUI.
- Go to Policy & Objects -> IP Pools and select 'Create New'.
- Select IPv4 Pool and then select 'Port Block Allocation'.
From the CLI:
config firewall ippool
    edit "PBA-ippool"
        set type port-block-allocation
        set startip 172.16.200.1
        set endip 172.16.200.1
        set block-size 128
        set num-blocks-per-user 8
    next
end

Notes:
- With multiple dynamic IP pools, FortiGate picks the IP pool randomly; it does not follow any sequential order.
- In most versions (except v6.4.9, v7.0.1 to v7.0.12, v7.2.0 to v7.2.5, and v7.4.0), if the IP pool is configured with 'set arp-reply enable', FortiGate treats the pool address as a local address and does not forward the traffic according to the routing table. This can cause traffic to terminate at the FortiGate.
- Refer to this document for more details: Technical Tip: IP pool and virtual IP behavior changes in FortiOS v6.4, v7.0, v7.2, and v7.4
- If the configured IP pool is not referenced in any firewall policy, traffic to it is dropped with an iprope check fail.
- A randomized port selection algorithm has been introduced for PBA and FPR IP pools. Refer to this document for more details: Support for randomized port selection in IP pool mechanisms.