BWiebe
New Member
January 4, 2017
Question

Design Question - Nat/Route and Transparent Port


Building a firewall config for a client on a Fortigate 60E with 5.4.3.


The firewall is essentially set as NAT/Route mode with various internal interfaces acting as gateways for various VLANs.  The VLANs are in place for various items and various 3rd parties with gear at the site where the firewall will land.


Site will initially have a single WAN but this will likely change.  The single WAN will have 6 IPs available.


One of the 3rd party's requirements is that we give them a single port with one of the WAN IPs going through the firewall directly as passthrough.  This way we can protect their internet traffic at some level in and out (and the client by extension).  I was against this setup and wanted to just give them a VLAN switch port on an Internet VLAN and let them manage their internet protection, etc.


At any rate - I'm now at the point where I 'need' to make this work.  Essentially have their port act as a switch port on the ISP.


I had thought about using VDOM and putting a single port for them there, in transparent mode - but this seems to be a lot of trouble for this.


Maybe virtual wire pair could work for this sort of thing as well? 


Any thoughts on how best to implement this?


Thanks,

BWiebe

    3 replies

    SCSIraidGURU
    New Member
    January 4, 2017

    You have a /29 registered subnet with 6 host addresses that will not be NATed. Do you have layer 3 switches, or will the 60E be your layer 3 device for routing? At my house, I have a 60E. WAN1 is bridged to my cable modem and gets the outside address. I had to connect up to DMZ with my workstation (it has a 10.x.x.x network) to take the Internet 1 to 7 out of internet mode so I could use them separately. So I have 9 available LAN ports and 1 WAN port. Each VLAN will need a VLAN firewall gateway address. If you are running layer 3 switches, each switch VLAN will need a VLAN switch gateway address. In my data center, I use policy-based routing on my HP 5800 layer 3 switches to do the next hop from the VLAN switch gateway to the VLAN firewall gateway on my 800C. At home, the 60E does my layer 3 routing with a simple routing table. You can assign multiple VLANs to each switch port. On my 800C 10 Gbps port, I have 5 VLANs, each with a VLAN firewall gateway address: the address to reach the firewall on that VLAN. The reason is so I don't violate reverse packet spoofing rules. The registered subnet will not be NATed outbound.

    BWiebe (Author)
    New Member
    January 4, 2017

    Switches are all layer 2, the firewall will manage the routing.


    The issue is we need to be transparent to the 3rd party but still protect their connection at some level.


    Thanks,


    SCSIraidGURU
    New Member
    January 4, 2017

    Will the 60E be able to handle the job of being a firewall, IPS and router for their traffic? At my home, the 60E can do it. It is mainly for the Cisco VIRL virtual lab I am building; I need 5 subnets for it. Will you have UTM, IPS and all other features enabled? How many users, printers and servers will be on the 60E? In my data center, I separate layer 3 routing from my 800C: I have layer 3 switches to handle internal traffic on 13 VLANs, and only traffic that is internet bound goes out the policy-based routes to the 800C VLAN gateways. Can they afford a layer 3 switch to do the routing and VLANs instead? In the past we tried using a Cisco ASA for layer 3 and firewall. It was too much. Depending on the amount of traffic routed between VLANs, will you need a 90E?


    SCSIraidGURU
    New Member
    January 4, 2017

    A FortiGate can operate in one of two modes: NAT/Route or Transparent. In NAT/Route mode, the most common operating mode, a FortiGate is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the FortiGate to hide the IP addresses of the private network using network address translation (NAT). NAT/Route mode is also used when two or more Internet service providers (ISPs) will provide the FortiGate with redundant Internet connections. A FortiGate in Transparent mode is installed between the internal network and the router. In this mode, the FortiGate does not make any changes to IP addresses and only applies security scanning to traffic. When a FortiGate is added to a network in Transparent mode, no network changes are required, except to provide the FortiGate with a management IP address. Transparent mode is used primarily when there is a need to increase network protection but changing the configuration of the network itself is impractical. For more information about Transparent Mode, see the Transparent Mode handbook.


    NAT/Route is what you want to control VLANs, DMZ, etc. 

    BWiebe (Author)
    New Member
    January 5, 2017

    Right - I'm aware of this - I need the firewall to do both - so VDOMs may be my only option.

    SCSIraidGURU
    New Member
    January 5, 2017

    You will want to isolate the traffic on a DMZ interface and configure a VLAN to isolate it. Traffic comes in on the WAN and goes to a DMZ interface with a VLAN. A VDOM is a virtual domain. I think you can do the same with a VLAN and not allow it to route to the other interfaces by using a DMZ.
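As an added example (it is not part of the thread and not Fortinet's documentation), this is what the virtual wire pair the question floats would look like on the FortiOS 5.4 CLI. It assumes the ISP handoff is delivered to two FortiGate ports (one feed into wan1 for the NAT/Route side, one into internal5, for instance via a small switch on the ISP side), that the third party's gear plugs into internal6, that both of those ports have first been removed from the 60E's internal hardware switch as an earlier reply describes doing, and that 203.0.113.11 stands in for the one public IP from the /29 that the third party is given. The port names, the address, the policy names and the "default" profile names are all assumptions.

```fortios
# Added example, not from the original thread or from Fortinet.
# Assumed: FortiOS 5.4.x on a FortiGate 60E, ISP segment on internal5,
# third party's device on internal6, their public IP is 203.0.113.11.

# 1. The one WAN IP the third party is allowed to use. Pinning the policies
#    to this object is what stops them from grabbing the other five.
config firewall address
    edit "3rdparty-public-ip"
        set subnet 203.0.113.11 255.255.255.255
    next
end

# 2. Bridge the third party's port to the ISP-side port at layer 2.
#    Both members must be unused (no IP, no VLANs, not in the internal
#    hardware switch) before they can be added to the pair.
config system virtual-wire-pair
    edit "3rdparty-vwp"
        set member "internal5" "internal6"
    next
end

# 3. IP traffic only crosses the pair if a policy between the two members
#    accepts it; anything else is dropped. One policy per direction, both
#    with inspection on, so their link is still "protected at some level".
config firewall policy
    # third party -> Internet
    edit 0
        set name "vwp-3rdparty-out"
        set srcintf "internal6"
        set dstintf "internal5"
        set srcaddr "3rdparty-public-ip"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
    # Internet -> third party. "ALL" is what full passthrough means; narrow
    # the service list if they can tell you what they actually need inbound.
    edit 0
        set name "vwp-3rdparty-in"
        set srcintf "internal5"
        set dstintf "internal6"
        set srcaddr "all"
        set dstaddr "3rdparty-public-ip"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
end
```

Because the pair is layer 2, the third party's device keeps the ISP gateway as its default gateway, and the FortiGate holds no route, NAT rule or interface IP for 203.0.113.11; the address object is the only thing tying them to a single WAN IP. To confirm frames are crossing the pair, sniff the third-party port with interface names shown: `diagnose sniffer packet internal6 'host 203.0.113.11' 4 10`. The same two policies inside a transparent-mode VDOM would do the same job, at the cost of enabling VDOMs and giving that VDOM a management IP, which is why the virtual wire pair is the lighter option on a single box that otherwise stays in NAT/Route mode.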