30E multiple incoming public IPs and some forwarding/NAT, etc
Got a shiny new FortiGate 30E to handle behind a Comcast CGA4131. There are 5 static IPs coming in via the Comcast, and "supposedly" that device has the entire firewall disabled. Everything in the office is behind the FortiGate. I'd like to configure the FortiGate to do a few things:
A) be a DHCP server to user machines and a Wi-Fi AP
B) do port forwarding from static IP/public port to a private IP/private port
C) do 1-1 NAT of a public IP to a private IP
D) have a public IP box
E) make sure I can access all of the public and private IPs from inside the network
I've tried/done a few things:
For A) - is working correctly. Set DHCP server up on the LAN side to distribute 10.1.10.50-199 (reserving those lower and upper pieces for static IPs in that subnet). LAN-side interface is 10.1.10.1/255.255.255.0
For B) - Set up a few IPv4 virtual IPs to map public IPs/ports to private IPs/(different) port combos. Then set up an IPv4 virtual IP group and put those new virtual IPs in there. Then set up an IPv4 policy with that virtual IP group as the destination and ACCEPTed that.
For C) - Haven't done anything yet, as B wasn't working (and I believe C to be the same kind of config).
For D) - Another box is already sitting behind a switch and the FortiGate that has a public IP configured correctly. I actually moved that box to an empty port on the Comcast router, and it is visible at that public IP. So it seems like Comcast is passing the public IPs thru.
For E) - B and C not working, so no data here yet.
For the FortiGate WAN side, right now it is set for DHCP, just because that's the only way I have been able to allow clients behind it to have connectivity. The Comcast router is set for DHCP on a separate 10.0.0.1 network on that interface.
I tried giving the FortiGate one of the public IPs. No connectivity thru it to clients.
I tried turning off the Comcast router DHCP and then giving the FortiGate one of the public IPs. That doesn't provide connectivity.
I tried putting the Comcast router in true bridge mode, but Comcast told me that would wipe out all of my public IP addresses.
Do I need to do some sort of bridging on the FortiGate WAN side to make sure the public IP data comes to it from the Comcast side?
What routing setup would be needed to make sure I can SSH between public IP and private IP boxes behind the FortiGate (with the traffic not passing to the Comcast router unnecessarily)?
TIA
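For reference, here is the shape of the FortiOS CLI configuration that the post's items B, C and E describe (port-forward VIPs, a VIP group, the inbound policy, a 1-to-1 mapping with matching outbound source NAT, and a hairpin policy so LAN hosts can reach the public addresses without leaving the firewall). This is an added, constructed example and not the poster's configuration or Fortinet's documentation: the interface names "wan" and "lan", the public block 203.0.113.0/24 (a documentation range standing in for the Comcast statics), and the private hosts 10.1.10.20 and 10.1.10.30 are assumptions. It also assumes the FortiGate WAN port actually receives packets addressed to those public IPs; a VIP only translates traffic that arrives on its external interface.

```fortios
# Constructed example; interface names and all addresses below are assumptions.
# B) destination NAT with port translation, C) 1-to-1 static mapping.
# extintf "any" lets the same VIP objects match from the LAN side too (hairpin, item E).
config firewall vip
    edit "vip-web-443"
        set extip 203.0.113.11
        set extintf "any"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "10.1.10.20"
        set mappedport 8443
    next
    edit "vip-1to1-host"
        set extip 203.0.113.12
        set extintf "any"
        set mappedip "10.1.10.30"
    next
end

config firewall vipgrp
    edit "vipgrp-inbound"
        set interface "any"
        set member "vip-web-443" "vip-1to1-host"
    next
end

# Address object for the 1-to-1 host and an IP pool that gives it a fixed public source address.
config firewall address
    edit "host-10.1.10.30"
        set subnet 10.1.10.30 255.255.255.255
    next
end
config firewall ippool
    edit "pool-1to1-host"
        set type one-to-one
        set startip 203.0.113.12
        set endip 203.0.113.12
    next
end

config firewall policy
    # Inbound WAN -> LAN: destination is the VIP group. Only the needed services, logged,
    # and no source NAT so the server's logs keep the real client address.
    edit 10
        set name "inbound-vips"
        set srcintf "wan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "vipgrp-inbound"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
        set logtraffic all
        set nat disable
    next
    # Outbound for the 1-to-1 host: source NAT to its own public IP via the pool,
    # placed before the general outbound rule so it matches first.
    edit 11
        set name "outbound-1to1-host"
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "host-10.1.10.30"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-1to1-host"
    next
    # General outbound for everyone else, using the WAN interface address.
    edit 12
        set name "outbound-lan"
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # E) hairpin: LAN clients hitting a public IP are translated on the FortiGate itself.
    # NAT is enabled so the server replies to the firewall rather than directly to the client.
    edit 13
        set name "hairpin-lan-to-vips"
        set srcintf "lan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "vipgrp-inbound"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
        set nat enable
    next
end
```

To check whether inbound packets for a public address are reaching the WAN side at all, `diagnose sniffer packet wan 'host 203.0.113.11' 4` on the FortiGate shows what arrives on that interface; if nothing shows up, no VIP or policy on the FortiGate will help and the problem is upstream of it. Policy order matters: the pool-based outbound rule (11) must sit above the general outbound rule (12), or the 1-to-1 host will go out with the WAN interface address instead of its own public IP.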
