Coldfirex
New Member
October 21, 2010
Question

Route WAN IP internally with no NAT

  • October 21, 2010
  • 14 replies
  • 10628 views
Howdy, We have a FGT80C (v4 MR2 P1) that has a static public IP with several additional IPs tied to it. We have several of these IPs set up as VIPs and are forwarded internally to their destination (NAT'd). We recently came across a scenario where we need to do the same thing but we cannot have the IP NAT'd (we need to give an internal machine the public IP). It will have 2 NICs (one for its internal IP so it can be reached internally, and then another for the public address). The only other time I did a setup like this I had the public NIC connected in front of the router. I was not sure where to begin on this. Would someone be able to point me in the right direction please? Thanks!


    veechee
    New Member
    October 22, 2010
    To assign an IP address to traffic that is initiated from an internal interface, you need to use an "IP Pool". This will use NAT. Once you create the IP Pool (Firewall -> Virtual IP -> IP Pool), you select that pool in the firewall policies you want that IP used for. In Firewall rules it's called "Dynamic IP Pool". I use an IP Pool address right now to assign a separate static IP to clients for wifi access.
    ede_pfau
    SuperUser
    October 22, 2010
    Exceptional, but I think the way to go is using policy routing. You would connect the internal server to the internal interface, and create a policy route for the public IP "a.b.c.d/32" (one host only) to egress on "internal". On the internal interface, the FG will have to ARP for the public IP address; the server will respond and accept the traffic. Return traffic will be to an external address via the default route (so you don't need a second policy route back). Test, test, test. No: read, test, sniff. Sniffing will reveal immediately if this is working.
    ede_pfau
    SuperUser
    October 22, 2010
    @veechee: Correct to the point, but this scenario doesn't ask for (source) IP translation. It's about routing the traffic to an interface where you normally wouldn't expect a public IP address.
    ede_pfau
    SuperUser
    October 22, 2010
    "but we cannot have the IP NAT'd (we need to give an internal machine the public IP)"
    Could you please explain a bit? If it was because you want to reach the machine from other interfaces as well, using only one, namely the public, IP address, then you'll have to install additional policy routes, one per (source) interface. And back routes if the source IF is not covered by the default route.
    Coldfirex
    Author
    New Member
    October 23, 2010
    Thanks for the replies. What I meant about the no NAT, is that the server will have a NIC with the public IP assigned directly. There will be a second NIC that has an internal IP so that it can communicate with devices on the internal network. Does this sound right? If I used this method will I have to assign a specific port on the FGT for this traffic or will just using any of the internal ports be fine? So are you saying that a policy route should accomplish this? Would you know the details on what I would need to enter?
    ede_pfau
    SuperUser
    October 23, 2010
    For your scenario using a VIP to the internal IP of the server would be the way to go. Bypassing a security device is never a good idea. Create a VIP from a free public IP to the server's internal IP. Connect the server to the LAN, the FG to the LAN and _don't_ specify port forwarding. The FG will then not only hand over traffic from the public IP to the internal NIC but translate the server's internal IP back to the public IP on replies. The use of policy routing may work here but chances are bad if you're not familiar with it. In addition, you give away control of the traffic for no apparent benefit. In plain English: drop the idea. Just my $.02
    Coldfirex
    Author
    New Member
    October 24, 2010
    Unfortunately the software that is on this server has to have the public IP on its NIC, so that is why we are in this situation; otherwise I would have gone with port forwarding or something else. I am really not that familiar with policy-based routing (only used it a couple of times), so anything you can recommend on trying to accomplish this would assist greatly. Thanks!
    Coldfirex
    Author
    New Member
    November 8, 2010
    I spoke with Support some and they suggested that we set up a second VDOM in transparent mode, which will then allow us to have filtered traffic, do no NAT, and have the public IP on internal machines. Does this sound like it would be ok?
    jtfinley
    New Member
    November 19, 2010
    I was going to suggest that as I read from the top, but it looks like you found your answer: Set up a VDOM, add the WAN and another port in transparent mode. In that scenario, it's basically adding another PORT to the WAN, effectively creating a two-port switch with the level of security using FW policies. You'll plug the server NIC into the "other" port and give it a real IP.
    ede_pfau
    SuperUser
    November 9, 2010
    Yes, sure. The support team knows what they say, most of the time. Imagine the second VDOM as a second independent hardware Fortigate; in transparent mode, you only have a management IP for accessing the Web GUI and CLI. There are no IPs set on the ports as the device is working like a bridge/hub/piece of wire. If later you need to be able to have traffic across the second VDOM to the root VDOM you can configure an inter-VDOM link. See the Admin Guide or Handbook for this.
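    As an added illustration of the transparent VDOM approach the thread settles on (this is not configuration posted by any participant; the VDOM name, interface names, address object and all IPs are placeholders, and the syntax follows FortiOS 4.x CLI conventions), the steps look roughly like this:

```text
# Added example, not from the thread. Placeholders: VDOM "transp",
# interfaces wan1 (uplink) and dmz (server-side port), IPs from 203.0.113.0/24.

# 1. Create the second VDOM (from the global context).
config vdom
    edit transp
    next
end

# 2. Put it in transparent mode; the management IP is the only address
#    the VDOM owns, its ports carry no IPs (it behaves like a bridge).
config vdom
    edit transp
        config system settings
            set opmode transparent
            set manageip 203.0.113.10 255.255.255.0
        end
    next
end

# 3. Move the uplink and the server-side port into the VDOM. An interface
#    can only be moved once nothing in root references it (no IP, no
#    policies, no routes), so do this from the console or from a port
#    that stays in root.
config global
    config system interface
        edit wan1
            set vdom "transp"
        next
        edit dmz
            set vdom "transp"
        next
    end
end

# 4. Allow inbound traffic only to the server's own public IP and only for
#    the service it must expose; everything else is dropped by the
#    implicit deny, so the server is still behind firewall policy.
config vdom
    edit transp
        config firewall address
            edit "srv-public"
                set subnet 203.0.113.20 255.255.255.255
            next
        end
        config firewall policy
            edit 1
                set srcintf "wan1"
                set dstintf "dmz"
                set srcaddr "all"
                set dstaddr "srv-public"
                set action accept
                set schedule "always"
                set service "HTTPS"
                set logtraffic enable
            next
        end
    next
end
```

    A matching dmz-to-wan1 policy is still needed for the server's outbound traffic, and the root VDOM needs its own path to the WAN (an inter-VDOM link, as noted above) once wan1 has left it.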
    simonorch
    Explorer
    December 3, 2010
    I've just come across a similar scenario today. Is this for an MS Direct Access server by any chance? A suggestion I got from a Fortinet SE was to (if possible) subnet these 'internal' public IP addresses and then just route as normal. In my case there's also a LAN next to the server. Also, if you were to put your WAN port in a transparent VDOM, wouldn't this cause problems with FortiGuard?
    jtfinley
    New Member
    December 3, 2010
    It shouldn' t if the managing VDOM is accessible or move it to another VDOM.