nsantin
New Member
February 10, 2012
Question

Double routing on one interface

Hi, I have a new pair of FGT 60-Cs that I'm configuring with a new ISP (e10 fibre connection). My question is similar to this post: http://support.fortinet.com/forum/tm.asp?m=79153&p=2&tmode=1&smode=1 in which my ISP has given me a "CE - Customer Edge" IP address to be configured on the router as well as a block of public IPs for my use. This is what I have:

ISP Network IP Address: 1.1.1.216 255.255.255.252
ISP Broadcast IP Address: 1.1.1.219
ISP Default Gateway IP Address: 1.1.1.217 (Assigned to the ISP provider edge [PE] router customer facing interface)
ISP IP Address: 1.1.1.218 (To be assigned to the customer edge [CE] router ISP facing interface)
Customer Network IP Address: 2.2.2.144 255.255.255.240
Customer Broadcast IP Address: 2.2.2.159
Customer Assignable IP Addresses: 2.2.2.145 - 2.2.2.158 (To be assigned however you like)

I'm a little confused on how to set up the WAN interface. How do I set up my WAN interface (with the 2.2.2.x IPs) to use the 1.1.1.217 gateway? From what I see, it looks like I need 2 routers, one to route to the ISP and one for my public block. Can I configure this on the FGT60? Any help appreciated! Thanks

    10 replies

    ede_pfau
    SuperUser
    February 13, 2012
    No you don't need 2 routers (you won't ever need anything but a Fortigate :-)
    - configure your wan interface with a static IP, 1.1.1.218/30.
    - create a default route to 0.0.0.0/0 using the wan interface (just the interface - not the gateway IP, leave that at '0.0.0.0').
    - to use the public IP addresses from the 2.2.2.144 subnet, create VIPs (virtual IPs). The FGT maps the VIP's address to an internal (server) address, and it will react to the ISP's side as if it were a real IP (keyword: proxy arp). As the VIPs are 'local' a.k.a. 'directly connected' IPs you don't need an explicit route for them.
    jtfinley
    New Member
    April 1, 2012
    "No you don't need 2 routers (you won't ever need anything but a Fortigate :-)"
    Unless the ISP hands off at a smartjack :)
    nsantin (Author)
    New Member
    February 13, 2012
    Thanks Ede, I'll give that a try. For outbound on a specific IP, would it still work the same, in which I'd set up a Dynamic IP Pool using my 2.2.2.x address and set the NAT option/Select IP Pool on the firewall rule? Also, one other question: I need to split the incoming connection to my Phone System outside of the Fortinet (SIP Trunking). Originally I was planning on having the cable from the media converter go to a switch, then split the cable off to the Fortinet and the phone switch (this is how it is today on my T1). If the Fortinet is now my "ISP Router", can I still do this and use the 1.1.1.218 address as the gateway on the phone system? Will the Fortinet allow a packet to come in on the WAN1 interface and route it back out on the same interface? Or will I need to put the phone system behind the Fortinet on the internal side? (I've heard of a lot of issues with SIP trunks going through Fortinets, which is why I'm trying to keep it out of the mix.) Thanks for your help!!
    ede_pfau
    SuperUser
    February 14, 2012
    1. outbound IP: yes, to change the source IP of traffic originating on your LAN use an IP pool with just 1 IP address. If you have a VIP in place, AND it's not port-forwarding, then the Fortigate will source NAT outgoing traffic automatically, even if the traffic originates from inside. As soon as you use port forwarding you will have to add an IP pool and check the NAT option in the policy.
    2. I agree that to avoid trouble with your PBX system it would be easier to place it outside of the firewall. But I would use 2 different public IPs for both firewall and PBX. You cannot use the same IP if both devices are wired to the same switch.
    3. routing in and out: if a packet arrives at WAN1, the Fortigate opens a session if the traffic is allowed. Using this session table entry it will try to route the reply traffic back via the same interface. Only (static) routes or policy routing can force the FGT to route the reply traffic to a different interface.
    HTH.
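    The interface-only default route and VIP from ede_pfau's first reply, plus the one-address IP pool with NAT from item 1 above, as an added FortiOS CLI example that is not from this thread or from Fortinet. It assumes wan1 is already set static to 1.1.1.218/30, that the LAN port is "internal", that the mapped server 192.168.1.10, the object names and the HTTPS-only inbound service are constructed choices for illustration.

```fortios
# wan1 is assumed already configured static with 1.1.1.218/30 (first step)
# default route by interface only; gateway stays 0.0.0.0 so the FGT ARPs
# for the next hop on the /30 instead of being told 1.1.1.217 explicitly
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "wan1"
    next
end
# VIP: 2.2.2.145 is answered by proxy ARP on wan1 and mapped to an
# assumed LAN host; no route is needed because the VIP is treated as local
config firewall vip
    edit "vip-2.2.2.145"
        set extip 2.2.2.145
        set extintf "wan1"
        set mappedip "192.168.1.10"
    next
end
# one-address pool used to source-NAT outbound LAN traffic as 2.2.2.146
config firewall ippool
    edit "pool-2.2.2.146"
        set startip 2.2.2.146
        set endip 2.2.2.146
    next
end
config firewall policy
    # outbound LAN -> wan1: NAT enabled and the pool selected, as in item 1
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-2.2.2.146"
    next
    # inbound Internet -> VIP: only the one service the server needs
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-2.2.2.145"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

    After applying, `get router info routing-table all` should show the default route via wan1 with no gateway, and `diagnose sniffer packet wan1 'arp'` should show the FGT replying to ARP requests for 2.2.2.145.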
    nsantin (Author)
    New Member
    February 14, 2012
    Hi Ede, thank you for all of your assistance. With regards to the phone, my intention is to give it a dedicated address in the 1.1.1.1 subnet. That's my only confusion right now: what would the gateway be in that situation? Do I need to give the WAN1 interface a secondary IP in that subnet as well? The FGT would be the next-hop for the PBX. (The 1.1.1.x IPs are all public IPs.) The techs are coming tomorrow to install the media converter, so I'll start to play with it then. Luckily I have until Mar 1 to get this running and swap out my older pair of FGT60s!
    ede_pfau
    SuperUser
    February 14, 2012
    For WAN traffic, you can set up the PBX's gateway to be 1.1.1.218. This way, the FGT sees the traffic. If you put in 1.1.1.217, the WAN traffic goes straight to your ISP; that would be feasible as well. I'd even prefer the latter one. But a PBX has 2 ends: one WAN port and LAN port(s). How is the LAN side related to the FGT?
    nsantin (Author)
    New Member
    February 17, 2012
    Hi Ede, I have this kind-of working. I'm able to get traffic moving fine with the IPs I want on the Fortinet. When I bring my PBX into the mix things get weird. If I have the PBX use the Fortigate as a gateway on the WAN1 interface, then it works; if I have the PBX connect to the upstream router then everything dies. I suspect there is something upstream on the ISP that is preventing multiple devices from talking to the next hop. I've reversed the order (had the PBX connect, then introduced the FGT, and the connection dies as well) so I think something is amiss upstream. With that, I think I'm going to try to convert one of my older FGTs to a pure router (transparent mode) and use that as the gateway for the 2.2.2.x addresses. That should eliminate any SIP packet issues when using the FGT in NAT mode (I hope). So my new layout will be:

    MediaConverter
      |
    FGT #1 (1.1.1.218, gw: 1.1.1.217)
      |
    Switch-------------------
      |-FGT#2/3 cluster    WAN ip: 2.2.2.145-157, GW: 1.1.1.218
      |-PBX (Cisco UC540)  ip: 2.2.2.158, GW: 1.1.1.218

    I imagine that should work; my only concern is SIP going through FGT #1, albeit in router mode, so hopefully it's OK. I was really hoping to get my PBX a direct connection, but this should be OK.
    ede_pfau
    SuperUser
    February 17, 2012
    Looks OK, except that the (inside) gateway address for FGT#2 and the PBX would be the internal port IP address of FGT#1. That should be from the 2.2.2.x subnet, right?
    nsantin (Author)
    New Member
    April 1, 2012
    I did get this working until I introduced my PBX into the mix. I tried to have the FGT act as a router to the PE gateway and I couldn't get it to work. Then if I tried to have the PBX directly connect to the ISP alongside the FGT I would have mixed results. So I had to abandon this and put a spare Cisco 1841 router I had in front of the FGT and PBX. Everything works like a charm now, except I did lose an IP address on my block as it became the internal gateway on the Cisco.
    jtfinley
    New Member
    April 2, 2012
    What I've done in the past was vdom and use transparent together. Perhaps when you get spare time or a window to play with it again... let me know and I'll share my config.
    Roman_Redl
    New Member
    May 3, 2012
    This worked like a charm, just set up one IP-Pool per external IP from the routed net and select external IPs easily. I was told by the ISP the reason for this setup is to change the DHCP-given IP any time without the need to change the rest of the customer setup (like MX etc.). One thing: how to set up the VPN (site to site as well as dial-up) with this IP range? regards, Roman
    Roman_Redl
    New Member
    May 3, 2012
    According to this post http://support.fortinet.com/forum/tm.asp?m=79153&p=2&tmode=1&smode=1 your default route should be set to 2.2.2.144. In my case this address is stated as the gateway of the customer net, but of course not pingable; should it be, when used as gateway? regards, Roman