Rick_H
New Member
January 23, 2013
Question

NAT Overload / PAT

  • January 23, 2013
  • 6 replies
  • 18280 views
I am having trouble with NAT Overload/PAT. This only seems to work if I choose to enable NAT and leave it on the default of using the destination interface. I would like to be able to use PAT on any valid IP address on the destination interface's network, but I can't seem to make that work. I assumed using an IP Pool with just 1 address would do the trick, but it appears that only the first host to access the policy and pool is allowed and all other traffic is blocked. Is this style of NAT Overload even possible? I'm running an FG 100D on v4 MR3 patch 8. Cheers, Rick

    6 replies

    rwpatterson
    New Member
    January 23, 2013
    That doesn't make sense. I have over 1600 nodes behind a single IP address on my 1000A. Everyone surfs all day. There must be something else going on here behind the scenes.
    Rick_H (Author)
    New Member
    January 23, 2013
    Maybe I wasn't clear? NAT Overload works just fine if I tell it to use the destination interface (the default for v4.3.8 when enabling NAT in a policy). That's how it is working right now, actually. What isn't working is specifying an IP Pool of just one address as an alternative to the destination interface's address. Do you specify an alternate address for your PAT configuration? If so, how do you do it? Cheers, Rick
    ede_pfau
    SuperUser
    January 23, 2013
    What is known to be working is many-to-1 source NAT (source address translation) without port translation as well. This is done via an IPpool with just 1 address. It's the direct equivalence to the default NAT which translates all source addresses to the interface's address. If you fix both the address and the (outgoing) port then you're restricted to one host being able to pass. That's inherently so and not a property in FortiOS.
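    Added example (editor's note, not configuration posted by anyone in this thread): the one-address overload pool ede describes, the outbound policy that selects it instead of the wan1 address, and the fixedport setting that produces the "only the first host gets through" symptom. Interface names "internal" and "wan1", the pool name and the address 203.0.113.10 (a documentation-range address standing in for a spare address on the wan1 subnet) are placeholders I chose. Syntax is FortiOS 4.0 MR3 CLI as best I know it; the "#" lines are for the reader and should be dropped before pasting into the CLI.

```fortios
# Added example; placeholders: "internal", "wan1", 203.0.113.10, "PAT-203.0.113.10"

# One-address pool of type overload (overload is the default type): every
# internal source is translated to 203.0.113.10 and the source port is
# rewritten, so many hosts share the one address (NAT overload / PAT).
config firewall ippool
    edit "PAT-203.0.113.10"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# Outbound policy: NAT enabled, but translating to the pool rather than the
# wan1 interface address. fixedport is left disabled (the default). With
# "set fixedport enable" the source port is preserved as well, so once one
# host has used a given port on the pool address, a second host with the same
# source port has nothing left to be translated to, which is exactly the
# single-host restriction ede describes.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set ippool enable
        set poolname "PAT-203.0.113.10"
        set fixedport disable
    next
end

# Check the translations actually being built for traffic hitting the policy:
diagnose sys session list
```

    One thing to keep in mind when a pool address differs from the interface address: the upstream router has to resolve 203.0.113.10 to the FortiGate's wan1 MAC address. If it still holds an ARP entry for the previous firewall's MAC, reply traffic for the pool address goes to the wrong device even though the policy and pool are correct.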
    Rick_H (Author)
    New Member
    January 23, 2013
    Ede, I'm working explicitly in the GUI right now and, to the best of my knowledge, fixed ports require a CLI command so I'm not sure I could even accidentally turn that on. So, it looks like I may have some other problem going on since both you and Bob seem to confirm that the IP Pool should be working as I have described. I'll further investigate and see what I can come up with. I was having an ARP problem with the upstream router (not under my control) where it was not letting go of my previous firewall's MAC addresses. It's possible that my ISP did not fully repair this problem when I had them on the phone. I'll start there. Thanks to the both of you. Cheers, Rick
    rwpatterson
    New Member
    January 24, 2013
    If you know the prior device's MAC address, you could spoof it in the CLI:
      config system interface
          edit "wan1"
              set vdom "root"
              set mode dhcp
              set distance 10
              set allowaccess ping https ssh
              set ddns enable
              set type physical
              set alias "Internet"
              set defaultgw enable
              set macaddr xx:xx:xx:xx:xx:xx
              set ddns-server dyndns.org
              set ddns-domain "user_account.dyndns.org"
              set ddns-username "user_name"
              set ddns-password ENC blah-blah-blah
          next
      end
    networkingkool
    New Member
    January 25, 2013
    The same with my company. I purchased a Fortigate 200B and plugged the FTTH line into a port on the Fortigate. Internet never came up until I requested a MAC reset from the ISP. Some ISPs like to lock the MAC, some don't.
    rwpatterson
    New Member
    January 25, 2013
    Every time I changed devices (first from the E-net card on the PC directly to a D-Link router now to several FGTs...), I would just spoof the MAC. Waiting for the ISP is a pain where you sit...
    networkingkool
    New Member
    January 26, 2013
    My old router shows only very basic info about the WAN connection. So, are there other ways to discover the MAC used on the WAN interface?
    rwpatterson
    New Member
    January 26, 2013
    That info is usually on a sticker somewhere on the device.
    Dave_Hall
    New Member
    January 26, 2013
    @networkingkool If the MAC address is not printed on the old router itself, you could always try connecting the old router's WAN port to your existing router (fgt); then, after the old router grabs an IP address, check the DHCP lease pool for the MAC address. If the old router is configured with a static IP, make the necessary changes on the existing router (fgt) for the connection, then check the ARP table. (Could also try doing this with a PC.)
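    Added example (editor's note, not commands posted by anyone in this thread) showing the FortiOS CLI commands for the two lookups Dave describes. It assumes the old router's WAN port is plugged into an interface named "internal" that runs the FortiGate's DHCP server, and that 192.168.1.2 stands in for the old router's static WAN address in the second case; both are placeholders I chose. The "#" lines are for the reader and should be dropped before pasting.

```fortios
# Added example; placeholders: "internal", 192.168.1.2

# Case 1: old router's WAN is set to DHCP. After it has pulled a lease from the
# FortiGate, list the leases on that interface; the MAC is in the lease entry.
execute dhcp lease-list internal

# Case 2: old router's WAN has a static address on the FortiGate's LAN subnet.
# Ping it once so the FortiGate builds an ARP entry, then read the MAC from
# the ARP table.
execute ping 192.168.1.2
get system arp
```

    Either MAC is what would go into "set macaddr" on wan1 if you take rwpatterson's spoofing approach instead of waiting for the ISP.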