zer0kbps
Explorer II
January 13, 2025
Solved

Using a BGP-advertised prefix IP without a physical interface.


Our setup is such that we're trying to get our FG1101E to act as both router and firewall with BGP routing.

We have our ISP-provided single fiber uplink at 10 Gbps (SFP+), which has a defined point-to-point /29 IP address that's used to peer with a BGP neighbour.

The BGP side of things appears to work OK, with our prefix for public IPs being advertised to and received by our ISP, and they are sending a default route to us.



What we're trying to achieve is to be able to egress to the web using an IP on the advertised prefix; these are public IPs assigned to us as an organisation.

We're able to use them in the context of an outbound rule. For this to work we have to create an IP Pool overload object and use that in the rule, which shows to the world we're coming from an IP we own.

If we don't do that, then our IP is shown as the BGP peer IP.

We are trying to get to a place where we can use some sort of virtual interface with an IP loaded on it from our prefix that can be used in policies and other objects.

We've tried with an IP from our assigned public prefix range:

  • VLAN-based interface assigned to a non-tagged VLAN (just to get it up)
  • tried EMAC VLAN
  • tried loopback addresses
  • using a different VRF and trying a variation of the above.

I've looked at multiple documents and other pages with no obvious solution.

one example - https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/184807/defining-a-preferred-source-ip-for-local-out-egress-interfaces-on-bgp-routes
https://community.fortinet.com/t5/Support-Forum/How-to-change-outgoing-IP-address/m-p/36923?m=128453&mpage=1&tree=true


Is it even possible, or do I bite the bullet and get a router between the FortiGate and the ISP?

Best answer by funkylicious

3 replies

funkylicious
SuperUser
January 13, 2025

Can you please elaborate on what you are trying to achieve?

You just want to advertise a prefix via BGP and not configure it on an interface? You can achieve that by doing a static route with the nexthop Blackhole and advertising it via the network command to the BGP peer.

You can use any IP from that prefix for anything, DNAT/SNAT, as long as the peer accepts it and advertises it further on the Internet.

"jack of all trades, master of none"
zer0kbps (Author)
Explorer II
January 13, 2025

I need to use an IP on a WAN interface that's in a prefix I'm advertising to the peer. I only have one physical WAN interface.

- WAN_BGP is on VL200 between my ISP and my FG; the point-to-point subnet is x.x.x.101 --> x.x.x.100 /31
- BGP advertised prefix is y.y.y.136/29
- Default route 0.0.0.0/0 --> x.x.x.100 is received from the BGP neighbour.

I need the WAN interface to have IP y.y.y.137/29 so I can use it in rules, VIP objects, VPN profiles etc.

Currently when I test the internet egress path, my external IP appears as x.x.x.101, but I need it to appear as y.y.y.137/29 (which are our public IPs). I would expect it to then hop to x.x.x.100.

funkylicious
SuperUser
January 13, 2025

You can use it as I mentioned and/or as a secondary IP on the interface.

In order for a prefix to be advertised into BGP it needs to be in the routing table, either as configured directly or with a static route (blackhole).

"jack of all trades, master of none"
zer0kbps (Author)
Explorer II
January 14, 2025

So as it happens, the Central SNAT feature has made this process more manageable, so I've created a rule to NAT out via my assigned public IPs in the Central SNAT page, LAN->WAN NATing with y.y.y.138/29.
I already had reciprocal firewall policies to permit this traffic to the internet using these interfaces, so I believe this mimics using an IP Pool against a firewall rule (the traditional policy way), which I can live with in this context.

On testing with a client I can confirm it's egressing with the correct IP.

When I tried with explicit proxy it was using the wrong IP again, but I downgraded from 7.6 to 7.4 firmware and it then honoured what I configured in the explicit proxy GUI settings.

I didn't need it as a secondary IP on the WAN interface to my ISP.

I did create a blackhole route in the static routing table though.

So usage in this context is to either switch on Central SNAT and create a NAT rule dictating what public IP to egress on, or just use an IP Pool if you don't want to enable that feature.
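As an added worked example, not configuration posted in this thread or published by Fortinet, the FortiOS CLI shape of what the accepted answer and the post above describe: a blackhole static route so the advertised /29 exists in the routing table, the BGP network statement that announces it, an overload IP pool holding one address from the prefix, and then either a Central SNAT rule or a policy-level IP pool so outbound sessions are sourced from that address. The interface names (internal, wan1), the AS numbers, the pool name and the RFC 5737 documentation addresses (192.0.2.100 as the peer, 203.0.113.136/29 as the advertised prefix, 203.0.113.138 as the egress address) are all placeholders, and the exact keyword set can differ between FortiOS releases, so check each command against the CLI reference for the firmware in use.

```fortios
# Added example, not from the thread. All addresses, names and AS numbers are placeholders.

# 1. Put the advertised prefix into the routing table without binding it to an
#    interface: a blackhole static route. Traffic to an address in the /29 that
#    is not owned by a session, VIP or NAT pool is simply dropped here.
config router static
    edit 0
        set dst 203.0.113.136 255.255.255.248
        set blackhole enable
    next
end

# 2. Advertise the prefix to the upstream peer. The network statement only
#    originates the route if a matching entry is present in the routing table,
#    which is what the blackhole route above provides.
config router bgp
    set as 65001
    config neighbor
        edit "192.0.2.100"
            set remote-as 65000
        next
    end
    config network
        edit 1
            set prefix 203.0.113.136 255.255.255.248
        next
    end
end

# 3. An overload (PAT) pool that sources egress traffic from one address inside
#    the advertised prefix. Replies to that address reach the FortiGate because
#    the upstream routes the whole /29 to it; the session table matches them
#    before the blackhole route is consulted.
config firewall ippool
    edit "public-egress"
        set type overload
        set startip 203.0.113.138
        set endip 203.0.113.138
    next
end

# 4a. Central SNAT variant (the poster's final approach). Once central NAT is
#     enabled, per-policy NAT settings are no longer used; the SNAT map decides.
config system settings
    set central-nat enable
end
config firewall central-snat-map
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set orig-addr "all"
        set dst-addr "all"
        set nat-ippool "public-egress"
    next
end

# 4b. Traditional variant, used instead of 4a when central NAT stays disabled:
#     the IP pool is attached directly to the outbound firewall policy.
config firewall policy
    edit 0
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "public-egress"
    next
end
```

Only one of 4a and 4b applies on a given unit: with central NAT enabled the policy-level nat/ippool options disappear from the policy, which is the behaviour the poster notes when saying the Central SNAT rule mimics an IP Pool on a rule. A quick check after applying this is that `get router info routing-table all` shows the /29 as a blackhole entry and `get router info bgp network` lists it as originated, and that a test client's observed egress address is the pool address rather than the point-to-point peering address.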

funkylicious
SuperUser
January 14, 2025

The secondary IP is optional, for when you want to establish an IPsec tunnel using an IP from that prefix and not the one directly assigned and used for the BGP peering.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-IPsec-VPN-settings-on-a-secondary/ta-p/189807


"jack of all trades, master of none"