Technical Tip: Mixed NAT pools for single IP policy
Description
This article describes the behaviour of the FortiGate when multiple IP pools with different types (one-to-one and overload) are associated with a single firewall policy.
Solution
The first IP pool is used until it is fully utilized; only then is the second one used.
For one-to-one, each internal IP address is mapped to one external IP address on a first-come, first-served basis.
For overload, each source port number represents one TCP/UDP/SCTP connection. The pool is used until all source ports are exhausted.
The number of available connections (source ports) for overload depends on 4 elements:
- IP protocol: a different IP protocol (TCP, UDP or SCTP) makes it possible to reuse the same 'source port' (SNAT port).
- Number of IP addresses for SNAT (SNAT IP):
  - Each IP address provides 60,416 source ports [5117;65533], so N SNAT IPs provide N x 60,416 source ports.
  - A different SNAT IP makes it possible to reuse the same 'source port' (SNAT port).
- Destination port: a different destination port makes it possible to reuse the same 'source port' (SNAT port).
The first pool in the IP-pool list of the firewall policy is used until exhausted before the second pool in the list is used.
Example.
In this example, ip-pool 'overload' will be used until exhausted before ip-pool 'one-to-one' is used.
# config firewall policy
    edit 71
        set srcintf "port1"
        set dstintf "port2"
        set nat enable
        set ippool enable
        set poolname "overload" "one-to-one"
    next
end
1st example of SNAT in overload:
- In this example, both packets from the local LAN use the same layer-4 protocol and the same SNAT IP, but a different destination IP address and a different destination port. This makes it possible to reuse the same 'source port' (SNAT port).
- After SNAT translation, both packets use the same 'source port' (SNAT port).
2nd example of SNAT in overload:
- In this example, both packets use the same layer-4 protocol, the same SNAT IP, the same destination IP address and the same destination port.
- Therefore, this case gives no possibility of reusing the same 'source port' (SNAT port).
- After SNAT translation, both packets use different 'source ports' (SNAT ports).
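The following Python model is an added illustration, not code from this article or from FortiOS: it reproduces the pool ordering of the policy above and the two SNAT port examples, so the behaviour can be checked before a pool is sized. It assumes that a translated session is identified by the tuple (protocol, SNAT IP, SNAT port, destination IP, destination port); the class names and all addresses are constructed.

```python
# Added example, not FortiOS code: a simplified model of the pool ordering and
# SNAT port reuse behaviour described in this article.  Assumption (not stated
# by the article): a translated session is identified by the tuple
# (protocol, SNAT IP, SNAT port, destination IP, destination port), so the
# same SNAT port may be reused whenever any of the other four fields differ.

DEFAULT_PORTS = range(5117, 65534)   # per-IP overload range [5117;65533] quoted above


class OverloadPool:
    """Overload: many internal hosts share the pool's external IPs by port."""

    def __init__(self, name, snat_ips, ports=DEFAULT_PORTS):
        self.name, self.snat_ips, self.ports = name, list(snat_ips), ports
        self.used = set()            # session tuples already handed out

    def capacity(self):
        """Sessions possible towards one destination: N SNAT IPs x port range."""
        return len(self.snat_ips) * len(self.ports)

    def allocate(self, src_ip, proto, dst_ip, dst_port):
        for ip in self.snat_ips:                 # first SNAT IP first
            for port in self.ports:              # lowest free port first
                key = (proto, ip, port, dst_ip, dst_port)
                if key not in self.used:
                    self.used.add(key)
                    return ip, port
        return None                              # exhausted for this destination


class OneToOnePool:
    """One-to-one: each internal IP is bound to one external IP, first come first served."""

    def __init__(self, name, snat_ips):
        self.name, self.free, self.mapping = name, list(snat_ips), {}

    def allocate(self, src_ip, proto, dst_ip, dst_port):
        if src_ip not in self.mapping:
            if not self.free:
                return None                      # no external IP left
            self.mapping[src_ip] = self.free.pop(0)
        return self.mapping[src_ip], None        # original source port is kept


def translate(pools, src_ip, proto, dst_ip, dst_port):
    """Walk the policy's pool list in order: the first pool with capacity wins."""
    for pool in pools:
        result = pool.allocate(src_ip, proto, dst_ip, dst_port)
        if result is not None:
            return pool.name, result
    return None                                  # every pool exhausted
```

Because reuse is decided per destination, the overload pool is only "exhausted" for a given protocol, destination IP and destination port; traffic towards another destination still lands in the first pool, exactly as the policy ordering above requires.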