NORVIN
New Member
September 5, 2016
Question

Fortinet FortiGate 200B Allow Multiple ISP IPs On 1 Port


We have a Fortinet FortiGate 200B. Our ISP gave us 5 IPs to use. The first is our main address assigned to the 200B's MAC address. They also have 3 IPs looking for our DVR security systems also by MAC address. Here is the setup:

X.X.X.150 = Our main IP.

X.X.X.151 = DVR #1.

X.X.X.152 = DVR #2.

X.X.X.153 = DVR #3.

X.X.X.154 = Nothing used yet.

My question is how do I set up the Fortinet FortiGate 200B to see all 5 of these IPs coming from the modem?

There are no WAN ports so I set up Port 11 as DHCP for the ISP.

I pretty much followed these directions:

http://kb.kaminskiengineering.com/node/377

I went to Firewall Objects > Virtual IP > Virtual IP and created the ports that need to be forwarded to. There are four ports needed for each DVR. The port numbers are the same for each DVR, but the external IP is different. Therefore, there are 12 entries.

I then went to Firewall Objects > Virtual IP > VIP Group and created three groups for each DVR using the four ports forwarded to for each group.

Last of all, I went to Policy > Policy > Policy and created a Port 11 > The Switch and added each VIP Group in this order:

  • Port 11
  • all
  • The Switch
  • VIP Group #1
  • always
  • ANY
  • ACCEPT

    No boxes are checked.


      ede_pfau
      SuperUser
      September 5, 2016

      Hi,

      and welcome to the forums.

      When I first read your post I wondered what your question was. Everything should be working now, your config is correct.

      There are 2 ways a FGT can handle multiple IP addresses on a port:

      1- via VIP

      2- as secondary address

      Going the VIP path here is 100% the way to go, as you need port forwarding as well, and as you use more than 2 addresses. Remember that a port-forwarding VIP will not respond to ping, only to ARP and the specified services/ports (UDP or TCP). [the exception being FortiOS v5.4 where you can additionally allow ICMP]

      So if you have difficulties or more questions feel free to post here.

      NORVIN
      Author
      New Member
      September 5, 2016

      Thanks for the welcome. Mainly I was just wondering if I was doing something wrong in my setup.

      Yeah I thought that would be the right way to do it. I even did an IP Pool of the extra ISP-provided IPs on an individual basis and that didn't work. The IP Pool made no difference and probably isn't needed so I deleted it.

      I am starting to wonder if it is because the ISP has them going to the MAC addresses of the DVRs. I am not sure how they would set it up on their end so it works on our end.

      The way it is now, the extra IPs going to the DVRs are not working.

      Toshi_Esumi
      SuperUser
      September 5, 2016

      Is the main IP .150 pulled via DHCP? You mentioned DHCP so I was wondering. Then the rest might not work.