HughOD
New Member
June 30, 2017
Question

FortiWiFi 90D - Network Design Change - Need Help

  • June 30, 2017
  • 1 reply
  • 8771 views

We are moving to using Google Fiber with our FortiWiFi 90D, and the way Google handles static IPs and the way we currently have this device configured has us stumped.

{NOTES: This office has tenants that are each on their own VLAN for privacy. IPs are changed for the sake of the client's anonymity}

Current Setup

2 VDOMs

1. Name: network
   1.1. Port: WAN 1: manually sets its static IP (60.70.50.41)
   1.2. Port: Interface 1: serves up the LAN for computers, etc. in the 192.168.x.x range.
        1.2.1. There are ~20 VLANs in this VDOM for each unique tenant in the office.
        1.2.2. There are 3 machines down here with Virtual IP addresses like:
               1.2.2.1. 60.70.50.42 -> 192.168.18.2; 60.70.50.43 -> 192.168.18.3; 60.70.50.44 -> 192.168.18.4
2. Name: phones
   2.1. Port: WAN 2: manually sets its static IP (60.70.50.51)
   2.2. Port: Interface 2: serves up all of the VOIP phones in the 192.168.100.x range on VLAN ID = 100.

The VDOMs are given 50/50 priority. This setup was so the VOIP vendor has full control over their network... and has worked well for years. We did not set this up, the old IT vendor did.

New Setup Needed

Now that we are switching to Google Fiber, the way they hand out Static IPs is "funky". You get one static IP that you receive via DHCP. Then, the other 5 that we purchased are on a different subnet completely.

Example:

    Static IP via DHCP:    23.228.140.27
    Static IP LAN Subnet:  136.50.213.72/29

What I would *like* to do is assign 136.50.213.74 to be WAN 1. Use 136.50.213.75-77 to be my 3 Virtual IP addresses on point 1.2.2.1 above. And use 136.50.213.78 for WAN 2.

But, I can't figure out how to get this to work. I currently have WAN 1 using 23.228.140.27 and forwarding 136.50.213.75-77 properly, but I can't get the "phones" / WAN 2 to route properly.

Since the routing from the 23.228.140.27 to the 136.50.213.72/29 is on the "network" VDOM, how can I use the last IP for WAN 2?

I really don't want to have to rebuild the entire network layout. Is there a way to do this? I'm not super verbose in the Forti OS and capabilities.

Any help would be GREATLY appreciated.

Thank you,

Hugh

1 reply

Toshi_Esumi
SuperUser
June 30, 2017

The "funky" you described seems to be very common at least around my area (NW corner of the US) like CenturyLink fiber or Comcast: get one interface public IP and GW then get additional public subnet /29s when customers request. You just need to know if those specific internet destinations, like voip vendor, SMTP server, etc. are expecting packets sourced from one of those VIP IPs in additional subnets. If yes, like in many cases, you need to SNAT those outgoing packets with the same IP in VIP.

HughOD (Author)
New Member
June 30, 2017

Would you be willing to explain how I can setup the SNAT for WAN2? Like I said, not real great with this interface. I inherited this router. Thanks.

ede_pfau
SuperUser
July 2, 2017

The VIP will automatically take care of the source address: it will not only exchange the destination address for incoming traffic but will also source-NAT (exchange the source address) for outgoing traffic.

You would only need additional source NAT (which would be done via enabling NAT in the policy, and specifying an IP pool) in a policy from LAN to WAN, that is, if these hosts initiate outbound sessions as well.

As I see it you have 2 independent VDOMs with 2 independent ISPs and default routes. Insofar, I don't understand the remark on 'routing between the 2 public addresses'. Just connect the voice VDOM to the same LAN switch as your LAN-VDOM, and pass the proper gateway and address to your phones via DHCP.

Actually, you cannot NOT use the one WAN1 public address - your connection/login to your ISP depends on the DHCP handshake. So one WAN interface will have to use that address while you're free to use the other address range via VIPs for either the LAN-VDOM or the phone-VDOM.
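The two NAT mechanisms the replies describe, a static VIP (which rewrites the destination inbound and the source outbound for the mapped host) and a policy with NAT plus an IP pool (for hosts that have no VIP but must leave with a specific public address, as Toshi_Esumi's VoIP-vendor case requires), look like this in FortiOS CLI. This is an added illustration using the poster's example addresses, not configuration taken from the thread or from Fortinet. The interface names internal1 and wan1, the object and policy names, the choice of HTTPS as the only inbound service, and the assumption that the phone range 192.168.100.0/24 reaches the network VDOM through internal1 (which ede_pfau's "same LAN switch" suggestion implies) are all assumptions; the thread does not settle how WAN2 would obtain an address from the /29.

```fortios
# Added example, not from the thread or from Fortinet. internal1/wan1, the
# object names and HTTPS-only inbound access are assumptions; the public and
# private addresses are the poster's own example values.
config vdom
    edit network
        # 1) Static VIP for one of the three servers: inbound 136.50.213.75 -> 192.168.18.2.
        #    For sessions the server itself starts, the same VIP rewrites the source
        #    to 136.50.213.75 (given an outbound policy with NAT enabled, see 3),
        #    so this host needs no IP pool.
        config firewall vip
            edit "vip-srv1"
                set extintf "wan1"
                set extip 136.50.213.75
                set mappedip "192.168.18.2"
            next
        end

        # 2) Inbound policy: destination is the VIP object, service limited to what
        #    the server actually offers (assumed HTTPS). No 'set nat enable' here;
        #    the VIP already rewrites the destination address.
        config firewall policy
            edit 0
                set name "wan1-to-srv1"
                set srcintf "wan1"
                set dstintf "internal1"
                set srcaddr "all"
                set dstaddr "vip-srv1"
                set action accept
                set schedule "always"
                set service "HTTPS"
                set logtraffic all
            next
        end

        # 3) General outbound policy. Hosts with a VIP leave as their VIP address;
        #    everything else leaves as the wan1 interface address (23.228.140.27).
        config firewall policy
            edit 0
                set name "lan-to-wan1"
                set srcintf "internal1"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
                set logtraffic all
            next
        end

        # 4) Hosts without a VIP that must be seen from a fixed /29 address (the
        #    phones, assumed reachable via internal1): NAT enabled in the policy plus
        #    an IP pool, which is the "additional source NAT" ede_pfau describes.
        #    Place this policy above 'lan-to-wan1' so it matches first.
        config firewall address
            edit "phones-net"
                set subnet 192.168.100.0 255.255.255.0
            next
        end
        config firewall ippool
            edit "pool-voip"
                set type overload
                set startip 136.50.213.78
                set endip 136.50.213.78
            next
        end
        config firewall policy
            edit 0
                set name "phones-to-wan1"
                set srcintf "internal1"
                set dstintf "wan1"
                set srcaddr "phones-net"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
                set ippool enable
                set poolname "pool-voip"
                set logtraffic all
            next
        end
    next
end
```

Two things worth checking after applying something like this: the ISP must actually route 136.50.213.72/29 toward the address wan1 obtained via DHCP (the poster reports that the VIP forwarding already works, which confirms it), and the `phones-to-wan1` policy must sit above the catch-all outbound policy in the sequence, otherwise the phones will match `lan-to-wan1` and leave as 23.228.140.27 rather than 136.50.213.78.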