Description
This article describes how to use an IP pool and its type depending on the network need.
Scope
FortiGate.
Solution
Dynamic SNAT.
Dynamic SNAT maps the private IP addresses to the first available public address from a pool of addresses.
In the FortiGate firewall, this can be done by using IP pools.
IP pools is a mechanism that allows sessions leaving the FortiGate to use NAT.
An IP pool defines a single IP address or a range of IP addresses to be used as the source address for the duration of the session.
These assigned addresses are used instead of the IP address assigned to that FortiGate interface.
IP pool types.
FortiGate uses four types of IPv4 IP pools.
This recipe focuses on some of the differences between them.
Overload.
This type of IP pool is similar to static SNAT mode.
Defining an external IP range that contains one or more IP addresses is necessary.
When there is only one IP address it is almost the same as static SNAT, the outgoing interface address is used.
When it contains multiple IP addresses, it is equivalent to an extended mode of static SNAT.
For instance, if an overload-type IP pool with two external IP addresses is defined (172.16.200.1—172.16.200.2), since there are 60,416 available port numbers per IP, this IP pool can handle 60,416*2 internal IP addresses.
The mapped IP address can be calculated from the source IP address.
The index number of the address in the pool is the remainder of the source IP address, in decimal, divided by the number addresses in the pool.
To calculate the decimal value of the source IP address, either use an online calculator, or use the following equation:
a.b.c.d = a * (256)3 + b * (256)2 + c * (256) + d
For example:
192.168.0.1 = 192 * (256)3 + 168 * (256)2 + 0 * (256) + 1 = 3232235521
If there is one IP pool, where:
- P1 = the first address in the IP pool.
- R1 = the number of IP addresses in the IP pool.
- X = the source IP address as a decimal number.
- Y = the mapped IP address.
Then the equation to determine the mapped address is:
Y = P1 + X mod R1
For example:
- Convert the source IP address to a decimal number.
192 * (256)3 + 168 * (256)2 + 1 * (256) + 200 = 3232235976
- Determine the number of IP addresses in the pool.
172.26.73.90 - 172.26.73.20 = 71
- Find the remainder of the source IP address divided by the number of addresses in the pool.
3232235976 mod 71 = 26
- Add the remainder to the first IP address in the pool.
172.26.73.20 + 26 = 172.26.73.46
So, the mapped IP address is 172.26.73.46.
If there are multiple IP pools, the calculation is similar to when only one pool exists.
If there are two IP pools, where:
- P1 = the first address in the first IP pool.
- P2 = the first address in the second IP pool.
- R1 = the number of IP addresses in the first IP pool.
- R2 = the number of IP addresses in the second IP pool.X = the source IP address as a decimal number.
- Y = the mapped IP address.
Then the equations to determine the mapped address are:
If X mod (R1 + R2) >= P1, then Y = P2 + X mod R2
If X mod (R1 + R2) < P1, then Y = P1 + X mod R1
For example:
- Convert the source IP address to a decimal number.
192 * (256)3 + 168 * (256)2 + 1 * (256) + 200 = 3232235976
- Determine the total number of IP addresses in the pools.
(172.26.73.90 - 172.26.73.20) + (172.26.75.50 - 172.26.75.150) = 71 + 101 = 172
- Find the remainder of the source IP address divided by the number of pool addresses.
3232235976 mod 172 = 108
- The remainder is greater than the number of addresses in pool01, so the address is selected from pool02 and the remainder is recalculated based only on pool02.
3232235976 mod 101 = 40
- Add the new remainder to the first IP address in pool02.
172.26.75.50 + 40 = 172.26.75.90
So, the mapped IP address is 172.26.75.90.
One-to-one.
This type of IP pool means that the internal IP address and the external (translated) IP address match one-to-one.
The port address translation (PAT) is disabled when using this type of IP pool.
For example, if a one-to-one type IP pool with two external IP addresses is defined (172.16.200.1 - 172.16.200.2), this IP pool only can handle two internal IP addresses.
Fixed port range.
For the overload and one-to-one IP pool types, this is not necessary to define the internal IP range.
For the fixed port range type of IP pool, both the internal IP range and external IP range can be defined.
Since each external IP address and the number of available port numbers is a specific number, if the number of internal IP addresses is also determined, this is possible to calculate the port range for each address translation combination.
So this type of fixed port range is called.
This type of IP pool is a type of port address translation (PAT).
For instance, if it is defined as one external IP address (172.16.200.1) and ten internal IP addresses (10.1.100.1-10.1.100.10), there is an IP+Port combination like the following table.
Port block allocation.
This type of IP pool is also a type of port address translation (PAT).
It gives users a more flexible way to control the way external IPs and ports are allocated.
Users need to define Block Size/Block Per User and external IP range.
Block Size means how many ports each Block contains. Block per User means how many blocks each user (internal IP) can use.
The following is a simple example:
- External IP Range: 172.16.200.1—172.16.200.1.
- Block Size: 128.
- Block Per User: 8.
Result.
- Total-PBAs: 472 (60416/128).
- Maximum ports can be used per User (Internal IP Address): 1024 (128*8).
- How many Internal IP can be handled: 59 (60416/1024 or 472/8).
Sample configuration.
To configure overload IP pool from GUI.
- In Policy & Objects -> IP Pools and select 'Create New'.
- Select the IPv4 Pool and then select Overload.
To configure overload IP pool from CLI.
config firewall ippool
edit "Overload-ippool"
set startip 172.16.200.1
set endip 172.16.200.1
next
end
To configure one-to-one IP pool using the GUI.
- In Policy & Objects -> IP Pools and select 'Create New'.
- Select the IPv4 Pool and then select 'One-to-One'.
To configure one-to-one IP pool from CLI.
config firewall ippool
edit "One-to-One-ippool"
set type one-to-one
set startip 172.16.200.1
set endip 172.16.200.2
next
end
To configure fixed port range IP pool from GUI.
- In Policy & Objects -> IP Pools and select 'Create New'.
- Select IPv4 Pool and then select Fixed Port Range.
To configure fixed port range IP pool from CLI.
config firewall ippool
edit "FPR-ippool"
set type fixed-port-range
set startip 172.16.200.1
set endip 172.16.200.1
set source-startip 10.1.100.1
set source-endip 10.1.100.10
next
end
To configure port block allocation IP pool from GUI.
- In Policy & Objects -> IP Pools and select 'Create New'.
- Select the IPv4 Pool and then select Port Block Allocation.
To configure port block allocation IP pool from CLI.
config firewall ippool
edit PBA-ippool
set type port-block-allocation
set startip 172.16.200.1
set endip 172.16.200.1
set block-size 128
set num-blocks-per-user 8
next
end
Note:
- In the case of Multiple dynamic IP pools, FortiGate picks the IP pool randomly. It will not follow any sequential approach.
- In most versions (except v6.4.9, v7.0.1 to v7.0.12, v7.2.0 to v7.2.5 and v7.4.0), if the IP pool is configured with 'set arp-reply enable', FortiGate will consider it as local address and not forward the traffic according to the routing table. This can cause traffic to be terminated at FortiGate.
- Refer to this document for more details: Technical Tip: IP pool and virtual IP behavior changes in FortiOS 6.4, 7.0, 7.2, and 7.4
- If the configured IPPOOL is not mapped in the policy, then traffic will be dropped as iprope check fail drop.