gakshay
Staff
September 26, 2019

Technical Tip: Route certain traffic through dedicated static ISP IP address


Description

 

This article explains how to route requests from LAN IP addresses through one of the IP addresses assigned by the ISP.

In the general configuration, traffic is routed out through the outgoing interface (WAN).

When an ISP provides an IP address or a range of IP addresses, they can be configured as a Dynamic IP pool (Dynamic SNAT), so that the traffic is routed via the Dynamic IP pool.
This configuration is useful when a mail server, a media server, or any other specific traffic needs to be routed only via the Dynamic IP pool.

 

Scope

 

FortiGate.

Solution


Follow the steps below:

  1. Create the Dynamic IP pool. In this example, the Dynamic IP pool contains only a single IP address. However, a range of IP addresses can also be specified if needed.

  2. Create the IPv4 policy and bind the Dynamic IP pool to it.

  3. To check the traffic flow, run the following commands:
     
diagnose sniffer packet any "host 8.8.8.8" 4
interfaces=[any]
filters=[host 8.8.8.8]
44.109959 port3 in 172.31.135.74 -> 8.8.8.8: icmp: echo request
44.110608 port1 out 10.5.21.101 -> 8.8.8.8: icmp: echo request
45.121066 port1 in 8.8.8.8 -> 10.5.21.101: icmp: echo reply
45.121141 port3 out 8.8.8.8 -> 172.31.135.74: icmp: echo reply

diagnose sys session filter clear
diagnose debug flow filter daddr 8.8.8.8
diagnose debug flow trace start 100
diagnose debug enable


id=20085 trace_id=11232 func=fw_forward_handler line=751 msg="Allowed by Policy-1: SNAT"
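
The check in step 3 can be automated over saved sniffer output. The following Python script is an added example, not part of the original article: it pairs each packet entering the LAN interface with its copy leaving the WAN interface and lists any flow whose translated source address falls outside the Dynamic IP pool. The interface roles (port3 as LAN, port1 as WAN) and the pool address 10.5.21.101 are read from the capture above; the function names and the last two capture lines are constructed for illustration.

```python
import re
from ipaddress import ip_address

# One packet line of "diagnose sniffer packet any <filter> 4" output;
# an optional trailing .port on either address (TCP/UDP) is dropped.
PKT = re.compile(r"^\s*[\d.]+\s+(\S+)\s+(in|out)\s+((?:\d+\.){3}\d+)(?:\.\d+)?"
                 r"\s+->\s+((?:\d+\.){3}\d+)(?:\.\d+)?:\s*(.*)$")

def snat_mappings(capture, lan_if, wan_if):
    """Pair each packet entering lan_if with its copy leaving wan_if.

    Returns (original_src, translated_src, dst) tuples in capture order.
    """
    pending, mappings = {}, []
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue  # command echo and header lines such as interfaces=[any]
        ifc, direction, src, dst, info = m.groups()
        key = (dst, info)  # destination and payload summary survive SNAT
        if ifc == lan_if and direction == "in":
            pending.setdefault(key, []).append(src)
        elif ifc == wan_if and direction == "out" and pending.get(key):
            mappings.append((pending[key].pop(0), src, dst))
    return mappings

def outside_pool(mappings, pool_start, pool_end):
    """Return the mappings whose translated source is not in the pool range."""
    lo, hi = ip_address(pool_start), ip_address(pool_end)
    return [m for m in mappings if not lo <= ip_address(m[1]) <= hi]

# First four packet lines are from the article; the last two are constructed
# to show a host that matched a policy without the Dynamic IP pool.
SAMPLE = """interfaces=[any]
filters=[host 8.8.8.8]
44.109959 port3 in 172.31.135.74 -> 8.8.8.8: icmp: echo request
44.110608 port1 out 10.5.21.101 -> 8.8.8.8: icmp: echo request
45.121066 port1 in 8.8.8.8 -> 10.5.21.101: icmp: echo reply
45.121141 port3 out 8.8.8.8 -> 172.31.135.74: icmp: echo reply
46.200000 port3 in 172.31.135.80 -> 8.8.8.8: icmp: echo request
46.200500 port1 out 10.5.21.99 -> 8.8.8.8: icmp: echo request
"""

if __name__ == "__main__":
    flows = snat_mappings(SAMPLE, "port3", "port1")
    for orig, xlat, dst in flows:
        print(f"{orig} -> {dst} leaves as {xlat}")
    for orig, xlat, dst in outside_pool(flows, "10.5.21.101", "10.5.21.101"):
        print(f"NOT using pool: {orig} -> {dst} leaves as {xlat}")
```

A flow reported as not using the pool means that traffic matched a policy without the Dynamic IP pool bound, so the policy order and source address of the policy from step 2 should be reviewed.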