leoiaco
New Member
June 9, 2015
Solved

New IP Public Range on same WAN interface

  • June 9, 2015
  • 12 replies
  • 31245 views

Hi all,

we have a FortiGate-VM with only one interface dedicated to WAN and a public IP range (/28) configured with IP pools.

Now we have a new, different public IP range (/28) belonging to a different public subnet (maybe the same router?) and we want to configure this new public range on the same WAN interface.

Important: the other interfaces are already configured.

Can I accomplish this task as quickly as possible without reconfiguring the virtual appliance (that is not possible in a production environment)?

Thanks

Leo

Best answer by Paul_S

leoiaco, I have many subnets routed to my WAN interface. My ISP handles all the WAN routing. I just make sure all my policies, LAN routing, etc. are correct.

If I were you, I would proceed like this:

Phase 1 - talk with the ISP, and run the "diag sniffer packet" command on the FortiGate. This will allow you to confirm when packets to the new range are hitting your firewall.

Phase 2 - now that the ISP is routing WAN traffic for both ranges and you have confirmed it with the sniffer command, start setting up VIPs and policies, then test.

12 replies

Johan_Witters
New Member
June 9, 2015

Not sure if it is the same on the FortiGate-VM, but on the hardware boxes you can configure a "secondary IP" address on the interface.

Go to "Network > Interfaces" and edit the interface; at the bottom of the page you should have a check box "secondary IP address" if the interface has a manually assigned IP address. In the box that appears, type in the new IP address for your FGT; only 1 address is necessary.

leoiaco (Author)
New Member
June 9, 2015

Hi Johan,

I've already configured the new IP as a secondary address on the WAN interface.

Is it necessary to configure a static route? A VIP?

What test can I do to verify this?

Thanks.

Regards

Johan_Witters
New Member
June 9, 2015

It depends on what you need to do:

- outbound connections will by default use the WAN interface IP address for NAT. If you need to access the internet with an address from the new IP range, you need to create an "IP pool" and use this pool as the NAT IP on your internal -> outside security policies.

- if you need inbound connections on the new IP range, you need to configure VIPs for these addresses/ports and use them in outside -> internal policies.

If you need more info, just give me a sign.

leoiaco (Author)
New Member
June 9, 2015

Hi Johan,

let me configure a server and a policy for testing; I will update you as soon as possible.

Thanks a lot.

Regards.

L.

leoiaco (Author)
New Member
June 11, 2015

Hi,

do I need to configure a static route as shown in the attached JPG file?

Thanks in advance

L.

Johan_Witters
New Member
June 11, 2015

No, it normally isn't necessary; the ISP will use the original IP as the path to the outside world, as they will also have configured a secondary IP on their box. So you would use only the original default route that was already configured.

Having 2 default routes with the same metric would also put your FGT into "load balancing", sending packets out with source address 1.1.1.1 for one packet and 2.2.2.2 for the next. It would cause you trouble with outbound mail etc., where the source IP is checked.

You would need to add a 2nd default route in case you have this setup:

FGT    <->      switch     <->     router isp1

                                   <->     router isp2

leoiaco (Author)
New Member
June 13, 2015

Hi Johan,

it doesn't work.

Secondary IP on WAN interface -> Configured

IP Pool -> Configured

2nd default route (same distance, different priority) -> Configured

I'm in this scenario:

FGT    <->      switch     <->     router isp1 (first route Distance: 10, Priority: 0)
                                   <->     router isp2 (second route Distance: 10, Priority: 10)

Policy Outside with NAT -> Configured

Can you help me?

Thanks

Leo

ashukla_FTNT
Staff
June 16, 2015

The second route will not be active, as its priority is 10, so only the first default route will be active.

You can achieve this in two ways:

- Create a policy route to push certain traffic through the second ISP.

- Make the priority 0, so even the second default route will be up (but you can't decide which traffic will go to which WAN).

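To make the three points from the replies above concrete (an IP pool and VIPs for the new range, no second default route unless a second ISP router exists, and the distance/priority rule that decides which default route is active), here is an added example that is not from the thread or from Fortinet: a small Python audit that parses a constructed FortiOS CLI snippet and checks it. The interface name "port1", the RFC 5737 documentation addresses standing in for the two /28s, and the route defaults of distance 10 / priority 0 (as quoted in the thread) are all assumptions.

```python
import ipaddress
import shlex

# Constructed FortiOS CLI sample (not from the thread). 198.51.100.0/28 is the
# original range, 203.0.113.16/28 the new one added as a secondary IP on "port1".
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 198.51.100.2 255.255.255.240
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 203.0.113.18 255.255.255.240
            next
        end
    next
end
config firewall ippool
    edit "pool-new"
        set startip 203.0.113.19
        set endip 203.0.113.30
    next
end
config firewall vip
    edit "vip-web-new"
        set extip 203.0.113.20
        set extintf "port1"
        set mappedip "10.0.0.10"
    next
end
config router static
    edit 1
        set gateway 198.51.100.1
        set device "port1"
    next
    edit 2
        set gateway 203.0.113.17
        set device "port1"
        set priority 10
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end CLI text into nested dicts:
    {"system interface": {"port1": {"ip": [...], "secondaryip": {"1": {...}}}}, ...}"""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        cmd, args = parts[0], parts[1:]
        if cmd == "config":                  # open a (possibly nested) table
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":                  # open one entry of the table
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":                   # attribute with one or more values
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):         # close entry / table
            stack.pop()
    return root


def _net(ip_and_mask):
    """['a.b.c.d', 'w.x.y.z'] -> the containing network."""
    return ipaddress.ip_network(f"{ip_and_mask[0]}/{ip_and_mask[1]}", strict=False)


def wan_networks(cfg, wan):
    """Primary subnet plus every secondary subnet configured on the WAN interface."""
    iface = cfg["system interface"][wan]
    nets = [_net(iface["ip"])]
    for entry in iface.get("secondaryip", {}).values():
        nets.append(_net(entry["ip"]))
    return nets


def audit(cfg, wan="port1", default_distance=10, default_priority=0):
    """Flag pool/VIP addresses outside the firewall's own WAN subnets, and report
    which default routes are installed, which is preferred, and whether ECMP applies."""
    nets = wan_networks(cfg, wan)
    findings = []

    def on_wan(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)

    # Outbound NAT pool and inbound VIP addresses should belong to a subnet the
    # firewall owns (or the ISP must route the range to the primary address instead).
    for name, pool in cfg.get("firewall ippool", {}).items():
        for key in ("startip", "endip"):
            if not on_wan(pool[key][0]):
                findings.append(f"ippool {name}: {key} {pool[key][0]} not in any {wan} subnet")
    for name, vip in cfg.get("firewall vip", {}).items():
        if not on_wan(vip["extip"][0]):
            findings.append(f"vip {name}: extip {vip['extip'][0]} not in any {wan} subnet")

    # Default routes: lowest distance gets installed; among those, lowest priority is
    # used. Equal distance AND equal priority means ECMP, so the source IP alternates.
    routes = {}
    for rid, r in cfg.get("router static", {}).items():
        if r.get("dst", ["0.0.0.0", "0.0.0.0"])[0] != "0.0.0.0":
            continue
        routes[rid] = (int(r.get("distance", [default_distance])[0]),
                       int(r.get("priority", [default_priority])[0]))
    preferred, standby = [], []
    if routes:
        best_dist = min(d for d, _ in routes.values())
        installed = {rid for rid, (d, _) in routes.items() if d == best_dist}
        best_prio = min(routes[rid][1] for rid in installed)
        preferred = sorted(rid for rid in installed if routes[rid][1] == best_prio)
        standby = sorted(installed - set(preferred))
        if len(preferred) > 1:
            findings.append(f"ECMP: default routes {preferred} share distance {best_dist} "
                            f"and priority {best_prio}; outbound source IP will alternate")
    return {"preferred_default": preferred, "standby_default": standby,
            "ecmp": len(preferred) > 1, "findings": findings}


if __name__ == "__main__":
    for line in audit(parse_fortios(SAMPLE_CONFIG))["findings"] or ["no findings"]:
        print(line)
```

Run against the sample, route 1 is preferred and route 2 (priority 10) is installed but standby, which is the situation described in the reply above; delete the `set priority 10` line and the audit reports ECMP between the two defaults, which is the source-address flapping warned about earlier in the thread. Run it on real `show` output only after removing any lines the parser does not model (for example `set password ENC ...` in other tables is harmless, but unbalanced `end` lines from a truncated paste will pop the stack early).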
leoiaco (Author)
New Member
June 16, 2015

Nobody can help me?

Thanks.

L.

pushpendra11
New Member
June 17, 2015

Hi Leo ,

We can add a secondary IP address to an interface on the FortiGate, so you can configure the new public range on the same WAN interface; these new subnets can be configured as secondary subnets.

oliverlag
New Member
June 17, 2015

Hi! 

If the ISP is the same and they take care of routing the secondary /28, you can avoid configuring a secondary IP address on the WAN interface.

Simply configure VIPs and assign them to the ACL.

I tried twice and it works fine!

ciao