MarkLeibbrandt
New Member
November 17, 2021
Question

WAN interface

  • November 17, 2021
  • 3 replies
  • 6369 views

Hi,


We are receiving a single WAN connection from our ISP direct to the Fortigate. They are providing a /30 linknet address and a /29 for Internet traffic.
I was thinking of using a VLAN interface for the /29 routable public addresses, attached to the WAN interface which will have the /30 linknet address.
Does this sound right, or is there an alternate way to do this?

3 replies

yashwani
Staff
November 17, 2021

Hi Mark,

You can achieve this even without creating a VLAN interface. Instead you can use VIPs and IP pools to NAT from this public IP block. The ISP will have this subnet pointed towards your firewall.


MarkLeibbrandt
New Member
November 17, 2021

Hi Yashwani,
Thanks for the quick reply.
Could you please clarify for me: if the /30 linknet was 192.168.0.1/30, with my address 192.168.0.2 and the ISP 192.168.0.1,
and the routable network is 172.16.0.0/29
(name/ip changed to protect the innocent :))
What would my VIP external address be ?
What would my mapped IP address be ?
I am struggling to get my head around this.
Thanks

RodrigoM
Staff
November 17, 2021

Hi Mark,

It depends on the use you will give it, and there are different ways to do it. As Yashwani told you, you can just use VIPs and NAT pools.


For example, if you are going to publish web services, you can use VIPs:

- VIP1: 172.16.0.2 to 192.168.12.2; VIP2: 172.16.0.3 to 192.168.12.3, and so on. In that case, when traffic arrives at your public IP, it will be NATed to your private one (the subnet 192.168.12.0/24 is your LAN/DMZ network in my example).


Another option (or you can use both, according to your needs) is to create a NAT pool for outbound traffic.

- NAT POOL: 172.16.0.4 to 172.16.0.5. Then you can use this pool in a firewall policy to perform source NAT for outbound traffic to the Internet.


Adrian_Lewis
New Member
November 17, 2021

Another alternative would be to have both subnets on the same interface using secondary IP. The suggestion from yashwani is cleaner however and should allow you to use all 8 of the /29 IP addresses as there would be no network or broadcast addresses involved.
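Putting the replies above together, here is an added example of what the VIP-plus-IP-pool design looks like in FortiOS CLI, using the sample addresses from this thread (the /30 linknet 192.168.0.0/30 with the FortiGate on .2 and the ISP on .1, the routed /29 172.16.0.0/29, and 192.168.12.0/24 as the DMZ). This is not from the original posts or from Fortinet; the interface names wan1 and dmz, the VIP and pool names, the HTTPS-only port forward, and the blackhole route are assumptions of this example. Because the /29 is routed to the firewall but never configured on an interface, nothing answers for the addresses that are not in a VIP or pool, so this example also adds a blackhole route for the block so that packets to an unused /29 address are dropped locally instead of following the default route back to the ISP.

```text
# Added example, not from the thread. Interface names (wan1, dmz),
# object names and the HTTPS-only forward are assumptions.

# WAN interface carries only the /30 linknet; the /29 is never put on an interface.
config system interface
    edit "wan1"
        set ip 192.168.0.2 255.255.255.252
        set allowaccess ping
        set role wan
    next
end

config router static
    # Default route towards the ISP side of the linknet.
    edit 1
        set gateway 192.168.0.1
        set device "wan1"
    next
    # Blackhole for the routed /29: traffic to an address that is not used by a
    # VIP or pool is dropped here rather than bounced back to the ISP.
    # VIP (DNAT) is applied before the route lookup, so the mapped addresses still work.
    edit 2
        set dst 172.16.0.0 255.255.255.248
        set blackhole enable
    next
end

# Inbound: public /29 addresses mapped to DMZ hosts (RodrigoM's VIP1 and VIP2).
# Restricting to TCP/443 is an assumption; drop portforward for a full 1:1 NAT.
config firewall vip
    edit "VIP1_web"
        set extip 172.16.0.2
        set extintf "wan1"
        set mappedip "192.168.12.2"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
    edit "VIP2_web"
        set extip 172.16.0.3
        set extintf "wan1"
        set mappedip "192.168.12.3"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# Outbound: source NAT from a pool of public addresses (RodrigoM's NAT POOL).
config firewall ippool
    edit "POOL_outbound"
        set type overload
        set startip 172.16.0.4
        set endip 172.16.0.5
    next
end

config firewall policy
    # Inbound policy: destination must be the VIP object, not "all".
    edit 1
        set name "inbound_web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP1_web" "VIP2_web"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    # Outbound policy: NAT enabled with the IP pool instead of the wan1 address.
    edit 2
        set name "outbound_snat"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "POOL_outbound"
    next
end
```

Two things to check after applying this: first, that the ISP really has 172.16.0.0/29 routed to 192.168.0.2 (a static route on their side), since with no interface on the /29 the FortiGate will not answer ARP for those addresses on the linknet unless a VIP with arp-reply is present; second, that the outbound policy's pool addresses do not overlap the VIP addresses, otherwise return traffic for the SNAT pool can be mistaken for inbound VIP traffic. As Adrian notes, with this routed design all eight addresses of the /29 are available for VIPs or pools, because none of them is tied up as an interface, network or broadcast address.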
