Skip to main content
dblbbl
dblbbl
New Member
February 25, 2017
Question

Public IPs, VIPs and NAT

  • February 25, 2017
  • 1 reply
  • 5071 views

Hi there, hoping somebody can help me out!

 

We currently have a /22 subnet from our ISP that we are using for our customers (each internal customer VLAN is mapped to one Public IP using NAT). This setup is working fine.

 

I'm now trying to present a smaller subnet from our /22 to an interface on the Fortigate, without NAT. I'd like to be able to configure devices on that interface with public IPs, and the Fortigate to route traffic both ways.

 

I've managed to get it working but seem to have come across a bug, or more likely I'm doing something wrong..

 

I changed the IP config on the WAN interface from (IPs changed)

 

IP: 11.11.0.2/22

to: 11.11.0.2/24

 

and created a new interface with the IP 11.11.1.1/24 to attach my Internet facing devices.

 

I can then see a 'connected' route for that subnet in the route monitor.

 

I then proceed to create Virtual IPs, this is where I think I'm going wrong. I use 11.11.1.1-11.11.1.254 as the external range, and 11.11.1.1-11.11.1.254 again as the internal mapped range, as the addresses should be the same externally and internally (no NAT).

 

This doesn't work, but if I then REMOVE the Virtual IPs I've just made, everything works fine from the 'internal' /24 subnet, I can ping to the internet and ping devices on it from outside. But after about 10 minutes, everything stops working - no communication both ways.

 

I can remedy this by adding the VIPs again, and removing them, but again after about 10 mins everything stops working.

Can anybody shed any light on this? I'm pretty sure VIPs aren't the correct way to do this, but using them is the closest I've got. I've tried policy routing, and playing with proxy-arp with no results.

 

Hardware is Fortigate 100d, firmware v5.4.0

 

Thanks in advance for your help!

1 reply

rwpatterson
rwpatterson
New Member
February 26, 2017

When the routing stops, are the routes still in the routing table?

ede_pfau
SuperUser
ede_pfau
SuperUser
February 26, 2017

The only solution is to set up the VIPs, delete them and repeat that every 10 minutes.

 

 

ede_pfau
SuperUser
ede_pfau
SuperUser
February 26, 2017

That wasn't meant too seriously.

No, you can't route between hosts on the SAME network. Full stop.

And your FGT is in router/NAT mode.

 

If you really want to use public IPs on your LAN I'd think your network design is wrong. You either need just a switch or a FGT in Transparent mode (this might even be a VDOM).

 

But hopefully you don't really need to use public IPs (for authentication or the like) and you could employ a private address range.

 

You use VIPs to direct traffic from the internet to public addresses which do not need to be secondary, 'real' addresses on the WAN interface, hence 'virtual' IPs. VIPs are not only proxy arp objects but primarily destination NAT devices. So on your LAN you'd use private RFC1918 addresses. To easy administration you can set up the translation 1:1 for the host part, i.e. 11.11.0.x -> 192.168.11.x where x=1..254.

If the range of public 11.x addresses is relatively small you can set up single VIPs with/without port translation (without is port to same port) and group them in a VIP group. This will save you a lot of policies.

 

The reason why your setup works for a couple of minutes is that during that time the arp cache is used to distribute the traffic to the correct side - WAN or LAN. At least that's the best explanation I can come up with. It's really a pathological corner case. (Great for a Fortinet NSE exam question!)

 

Terms & ConditionsAccessibility statement