fortinetuser2020
New Member
May 4, 2020
Question

divide a public pool subnet (i think)

  • May 4, 2020
  • 2 replies
  • 6344 views

Hi all. I'm not sure I'm aiming the question correctly, but I'll try.

My goal is to expose a server with a fixed public IP address. A real one, not by 1:1 NAT like today.

I've read that maybe there is a way to do that by subnetting a public IP pool?

Meaning, breaking for example a 64-IP pool into smaller chunks; let's say I take 1 chunk and break it into a 4-IP pool,

so I have a broadcast address, 2 usable addresses, and a network address. And I'm not sure which should be the gateway address for the host in such a setup. To my understanding, I'm supposed to represent them somehow to make the LAN host "think" that the FortiGate is its public ISP gateway by using this method. As stated, the end result is to set up a fixed real public IP directly on the host's NIC, the same way I would do if I were to take the physical feed directly from the ISP and have the IP settings provided by them set up directly on this NIC. I'm aware of the fact that in order to do that, I'll have to lose some addresses from my pools, but still...

Is such a thing possible?

Thank you

    2 replies

    Dave_Hall
    New Member
    May 4, 2020

    If your company was assigned a small block range of IPs (say 4 IPs) and one of them is assigned as a public IP for your FGT, but you also want the FGT to listen/pass traffic for an internal server that is using one of the other public IPs, you may want to set up a VIP from WAN to the internal network using one of the public IPs as source and an internal IP for the server as dest. Then you need a firewall rule from the server's internal IP to WAN using a one-to-one NAT IP pool to change the internal IP of the server to its public IP on the way out (WAN). (And of course the FGT's manage ports need to be changed to accommodate this.)

    There may be other ways to accomplish what you want rather than the above. But if you are going to have multiple devices using the public IP addresses assigned to your company, but don't really need to have them all behind the FGT, you may be better off sticking a switch between the ISP gateway device and the FGT and connecting the other "public" devices to the other ports on the switch. IMO.

    Perhaps someone has other suggestions.

    fortinetuser2020
    New Member
    May 4, 2020

    Thank you. Yeah, I've thought of that, but then I'll have a problem limiting the bandwidth of those other public IP consumers.

    Toshi_Esumi
    SuperUser
    May 5, 2020

    Why do you think it would be a problem? The L3 routing/router feature is separate from the FW features. As long as you can identify the traffic by IP addresses, services, etc., you can apply traffic shaping on it.

    You said 64 IPs in total; that's a /26 subnet. You can divide it however you want, like 2 x /27s, or 1 x /27 + 2 x /28s, and so on. Then assign one of the available IPs in each subnet on the FGT's interface (maybe a VLAN int if a switch is behind it) to be the GW, or even just pass them down to a downstream L3 router or a router/switch, which would handle the entire subnets.
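    The carving Toshi_Esumi describes (a /26 split into smaller aligned blocks, with the first usable address of each block on the FGT interface as the gateway and the rest free for hosts with a real public IP on their NIC) can be checked with a small script. This is an added example, not code from the thread or from Fortinet; the 203.0.113.0/26 range is a constructed RFC 5737 documentation block, not anyone's real allocation, and the gateway-first convention is an assumption taken from Toshi's reply.

```python
import ipaddress


def carve(parent_cidr, prefixes):
    """Carve parent_cidr into consecutive subnets with the given prefix lengths
    (in the order given), aligning each block to its natural boundary.
    Returns (list_of_subnets, number_of_unallocated_addresses)."""
    parent = ipaddress.IPv4Network(parent_cidr, strict=True)
    cursor = int(parent.network_address)          # next free address
    end = int(parent.broadcast_address) + 1       # one past the parent block
    subnets = []
    for p in prefixes:
        # /31 and /32 have no separate gateway/host addresses, so stop at /30
        if not parent.prefixlen <= p <= 30:
            raise ValueError(f"/{p} must lie between /{parent.prefixlen} and /30")
        size = 1 << (32 - p)
        start = -(-cursor // size) * size         # round cursor up to a multiple of size
        if start + size > end:
            raise ValueError(f"/{p} does not fit in {parent}")
        subnets.append(ipaddress.IPv4Network((start, p)))
        cursor = start + size
    return subnets, end - cursor


def plan(subnet):
    """Address plan for one carved block: network and broadcast are lost,
    the first usable address goes on the FGT interface as the gateway
    (assumption, per the reply above), the remaining ones go on host NICs."""
    hosts = list(subnet.hosts())
    return {
        "network": str(subnet.network_address),
        "broadcast": str(subnet.broadcast_address),
        "mask": str(subnet.netmask),
        "gateway": str(hosts[0]),
        "host_addresses": [str(h) for h in hosts[1:]],
    }


if __name__ == "__main__":
    # Constructed example: a /26 split into /27 + /28 + /30 + /30 + /29 (32+16+4+4+8 = 64).
    blocks, spare = carve("203.0.113.0/26", [27, 28, 30, 30, 29])
    for b in blocks:
        print(b, plan(b))
    print("unallocated addresses:", spare)
```

    The /30 blocks show the situation the original question describes: 4 addresses, of which only 2 are usable, one for the FortiGate gateway and one for the server.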

    axlmac
    New Member
    May 30, 2020

    "my goal is to expose a server with a fixed public ip address. a real one, not by 1:1 nat like today. i've read that maybe there is a way to do that by subneting a public ip pool?"

    Yes you can; it all depends on how you will achieve that goal, because as somebody else has already stated you may need extra HW. But... the role of that extra hardware might be played by a VDOM dedicated just to routing. If you don't have VDOMs enabled then it's tricky, because I guess you will have to start the configuration from scratch, but eventually your system will be more flexible. BTW: "...to make the lan host "think" that the fortigate is it's public isp gateway by using this method."

    Try to get rid of any T9 or the like, because sometimes suggestions are really annoying and make the read difficult. My 2 cents, and of course it's just my suggestion ;-) Alex

    P.S. If you shared your range in an anonymized way we might be able to help you better.