NATed mode + Transparent mode with public IPs

Forum|Forum|10 years ago
June 30, 2015
4 replies
8066 views

Hi everyone.

I'm aware, that there were similar topics, but I couldn't find any relevant "enough" to what I want to do. And I have to say that I'm a newbie to Fortigates, so spare me :)

Anyway, what I have is Fortigate 200B (firmware - v 5.2.3) and a bunch of 14 public IP addresses from one pool (/28). What I want to achieve is having some Fortigate ports (let's say half) NATed and other half should be in Transparent mode. Ports in Transparent mode are for devices that have to use public IP but of course I want to secure access to those devices. As far as I know - this can be done with VDOMs, and as someone told me - for each server in transparent mode I need 2 ports (one Internet facing and one connected to server).

Now, the problem is - is it really possible to do? When I tried to configure something like this and was trying to setup new transparent VDOM, I have to provide Management IP and Gateway IP. I don't know how to deal with this and I cannot get around the problem. Can I have something like a group of two bridged ports with no "management IP"? I want to configure everything using only one public IP - the one that is in front of NAT.

I'd either like to have it

- like on the picture on the left side - two ports grouped together

- or, even better, like on the picture on the right side - one port is Internet facing and others are bridged with it, less ports used

I'd really appreciate your help.

Thank you

Lucas

fortigate.jpg

5.2

iJake

New Member

Would it not be possible to put a switch on the "inside" port with all your devices connected to it, then the bridged port used for the "outside".

LK_KTAuthor

New Member

Hi Jake.

Well, it's not about if I can place a switch in the internal network part (although I would prefer to use ports that Fortigate already have), but rather if I can do things that I want to do, and if "yes" then how it can be done.

iJake

New Member

You can create a switch interface on the FortiGate grouping multiple ports, you could use this as the internal, then pair with the external port.

emnoc

New Member

I will caution you on the following,

1: not all ports are accelerated on a 200B, this may or may not be a issue but you should be aware regardless

2: not sure you could even do what your attempting or wanting, and by running transparent and nat-routed in a dual vdom with just one /28 block between the 2

3: you will need to research this fully and see or change your plan or design. I personally would just place NAT_POOLS for the singles hosts that need direct public and interface nat overload for all of the other. Assign private address and getaway from running dual-vdoms but that's just what I would do.

BTW; I believe you can't create multiple switch-controller groups ( somebody can confirm this based on 5.2.3 and a 200B )

iJake

New Member

emnoc wrote:
I will caution you on the following,

1: not all ports are accelerated on a 200B, this may or may not be a issue but you should be aware regardless
2: not sure you could even do what your attempting or wanting, and by running transparent and nat-routed in a dual vdom with just one /28 block between the 2

3: you will need to research this fully and see or change your plan or design. I personally would just place NAT_POOLS for the singles hosts that need direct public and interface nat overload for all of the other. Assign private address and getaway from running dual-vdoms but that's just what I would do.

BTW; I believe you can't create multiple switch-controller groups ( somebody can confirm this based on 5.2.3 and a 200B )

You're right, there may well be limitations. That being said, you should be able to create a VLAN sub-interface on the switched-interface and assign that to a VDOM. I haven't tested this myself.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded