Skip to main content
cybernoid
cybernoid
New Member
February 15, 2016
Question

New user, Fortigate 200D, IP address is in same subnet as the others

  • February 15, 2016
  • 1 reply
  • 8493 views

Hi, another newbie here, first time Fortigate user.

 

We have Fortigate 200D as firewall on our new infrastructure in ISP's Data Center. ISP has set firewall at 97.221.81.162 and has gave us 15 IP addresses for servers behind firewall. If I set our server with one IP from this pool (for example, to: 97.221.81.171) , I can see this server from our firewall with command: execute ping 97.221.81.171 However all incoming and outgoing traffic from Internet to 97.221.81.171 does not work, so I guess firewall must be blocking this traffic (there is policy "Deny" for all ports as last entry in polices, that was set by ISP). Then I have added policy (for example, port3 and wan1) to allow traffic for all; then had gone to System->Network->Interfaces, and when I try to edit port3 and then address: 97.221.81.171/255.255.255.0 I get error message: "IP address is in same subnet as the others." Have downloaded configuration file from System->Dashboard->Configuration (but could not find IP 97.221.81.171 anywhere?) What should I do? Where should I look up to detect why 200D complains that this subnet is the same as others?

1 reply

ede_pfau
SuperUser
ede_pfau
SuperUser
February 16, 2016

To determine if an address is part of another subnet you need to know the subnet's network mask. In FortiOS, this is written "/24" (for example) denoting that 24 of 32 bits (4 bytes) form the network part, and 8 bits are left for enumerating hosts. This is basic networking stuff and not vendor/Fortinet related.

 

If you were given 15 addresses then your subnet would have 16 hosts (a power of 2), thus 4 bits, thus 32 - 4 = 28 bits for the network part. So, 97.221.81.162/28, or probably 97.221.81.160/28. The first and last address in a subnet range are not useable for hosts.

 

The Fortigate, as any router, will not accept any 2 ports in the same network. It routes between networks, and having 2 ports in the same network would introduce ambiguity where to send traffic.

 

I don't know how you want to set up your network but most probably you will not use public IPs (97.221.81.162...) for your internal hosts. Instead, you would use addresses from so-called private networks (RFC 1918) like 192.168.x.y/24 or 172.16.x.y/16. You would use your public addresses to make internal servers visible to the internet, by way of address translation (a.k.a. NAT). The feature you would like to look up in the FGT is called VIP (virtual IP).

Please get more info on all of this from the excellent FortiOS Handbook from docs.fortinet.com. Realworld config examples are given in the Cookbook (same source) but they are terse and provide no background knowledge.

Terms & ConditionsAccessibility statement