IWMA
New Member
September 26, 2018
Question

1 ISP, 4 static IP addresses, 4 different purposes


Hi all,

 

I recently switched firewall brands. We now use a Fortigate 61e; before, we used a Stormshield SN500. I'd like to deal with the following: our ISP (cable modem) provides us with 4 static IPs. All 4 are meant to be used for different operations: voip, dmz, network, vpn.

The 61e has 2 WAN ports, but as I noticed, they can be used for load-balancing or failover. So, at this moment I only use 1 static IP, connected to WAN1 > interface LAN 1 > switch 1 & switch 2 POE: 2 switches are connected to LAN 1 (internal network, i.e. 192.168.2.0). I need some advice on how to configure 'static ip 2', which will be used for SIP-VOIP only (in a different subnet, i.e. 192.168.20.0). Is it possible to connect the cable modem to WAN2 > interface LAN 2 > switch? If possible, a PBX will be connected to the switch, addressing the 192.168.20.0 network. All the VoIP phones will use this subnet.

 

Thanks in advance.

    2 replies

    tanr
    New Member
    September 26, 2018

    I don't work with SIP/VOIP, but a couple notes.

     

    1. You can define multiple Secondary IP Addresses or IP Pools on a single interface, so you could define all your static IPs on a single wan interface and just connect a single cable to your ISP's cable modem. Depending on your use you may need to do source NAT or use VIPs. You can also use the LAN ports as wan ports, so you could define some of them as your static IPs instead if you want these physically separated.

     

    2. To route based on source or protocol you'll need to use policy routes, which redirect to specific static routes that you've created.  See http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-networking/fortigate-advanced-routing/Routing_Advanced_Static/Policy_Routing.htm for details.  Note that to make this work you may need static routes that have the same distance but different priorities set.  See http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-networking/fortigate-advanced-routing/Routing_Advanced_Static/Routing_Concepts.htm

     

    For the SIP/VOIP side, all I can do is point you to the docs which have some examples: 

    http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-voip-guide/HNATT-config-example.htm

    http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-voip-guide/ALG-NAT-snat-example.htm 

     

    Hopefully somebody else with more experience on the VOIP side will chime in.

    IWMA (Author)
    New Member
    September 26, 2018

    Thanks for the input. I'll try the LAN-port option and use them physically. I also read the cookbook regarding voip traffic, so hopefully I get the routing right.

     

    Regards

    icom
    New Member
    November 13, 2018

    deleted

     

     

    rwpatterson
    New Member
    November 13, 2018

    Your best bet would be to configure the one physical port and define the rest as virtual IP addresses. A virtual IP address will act as a physical interface would on the WAN interface, but does NOT need to be defined on the port (WANx). When you try to configure more than one IP on a single subnet on the firewall, you will get errors since there should only be one IP per subnet per interface. That IS the purpose of a firewall, isn't it? (VLANs although residing on a wire with the base VLAN are treated like separate interfaces)