Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Namrezy
New Contributor

81E each interface has unique public IP

Hello!

 

I apologize if this is answered elsewhere, and would appreciate being pointed in that direction if so as I don't mean to waste anyone's time--I've spent quite a few hours now trying to figure out best practice for what I'm trying to accomplish and it seems most discussions are just a hair different, which makes me go down a rabbit hole only to ultimately not make it work.  I learn a lot, but it doesn't seem to fit quite right.

 

I would like to use a FG 81E to drop between an ISP switch and Unifi ES24 to not only handle our LAN (Unifi Wifi Campus off the ES24) but also handle fiber coming from a nearby junction box that will have a tenant on each fiber crossover (adapter) to one of the ethernet interfaces. 

 

These tenants will potentially want their own unique public IP.  So, ideally, each interface would be configured to be its own public IP from a /27 provided by the ISP.  The incoming ISP interface (the shared WAN1) will also be on this /27, as well.

 

I've been able to get this to work by using VLANs and subnetting the different tenants, under the assumption the ISP will work with me on the VLANs, but this means they won't have that unique public IP they want.  I'm new to the Fortigate line of hardware but would love to make this work and figured, at the very least, this post can be referenced by others in the future.

 

Are the unique public IPs even doable with the 81E on the individual interfaces?

 

I gave the WAN1 interface an IP but obviously that collides when trying to then bring up the interfaces.  I've looked into IP pools, VIP, and I'm now starting down the path of port forwarding, so I was curious if anyone had some "No, stay focused on IP pools" advice for me--I definitely don't intend for anyone to build the config for me.  Just a nudge in the right direction would be hugely beneficial at this point.

 

Thank you in advance!

1 Solution
Toshi_Esumi
Esteemed Contributor II

Is the interface IP/subnet on WAN1 within the /27? Or is it a /30 or something else outside of the /27? If separated, you can split the /27 (32 IPs) into something like 8 x /30s or even 16 x /31s and assign each to your tenant VLAN interfaces.

If not, the only option would be SNAT with ippools for outgoing and VIP/DNAT for incoming, if any tenant's devices need to be exposed to the internet.

Based on your situation, I would suggest getting an additional /30 if not separated, swapping the interface IPs/subnets with the ISP to use the /30, and then taking the first option. That's much cleaner and more flexible for the future.

 

Toshi
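
As an added example (not from the thread), the subnet arithmetic behind Toshi's first option: carve the ISP block into per-tenant /30s or /31s, refuse to do so when WAN1 still sits inside that block (the case that needs a separate transit /30), and render the matching FortiGate VLAN sub-interface stanzas. The 203.0.113.0/27 block, the 198.51.100.2/30 WAN1 address, the parent port, VLAN IDs and interface names are constructed assumptions.

```python
import ipaddress


def plan_tenant_subnets(public_block, wan1_address, new_prefix=30):
    """Split the ISP block into one subnet per tenant interface.

    Returns (subnet, fortigate_address, [tenant_addresses]) per subnet.
    Raises ValueError if WAN1 lives inside the block: the block is then a
    single broadcast domain on WAN1 and cannot also be routed to tenant
    VLAN interfaces, so a separate transit /30 from the ISP is required.
    """
    block = ipaddress.ip_network(public_block, strict=True)
    wan1 = ipaddress.ip_interface(wan1_address)
    if wan1.network.overlaps(block):
        raise ValueError(f"WAN1 {wan1} is inside {block}; move WAN1 to a "
                         "separate transit subnet before splitting the block")
    if new_prefix > 31:
        raise ValueError("a /32 leaves no address for the tenant")
    plan = []
    for sub in block.subnets(new_prefix=new_prefix):
        addrs = list(sub)
        if new_prefix == 31:
            # RFC 3021 point-to-point link: both addresses usable, no broadcast
            fgt, tenants = addrs[0], addrs[1:]
        else:
            # first/last addresses are network and broadcast, not assignable
            fgt, tenants = addrs[1], addrs[2:-1]
        plan.append((sub, fgt, tenants))
    return plan


def fortigate_cli(plan, parent_interface, first_vlan_id=101):
    """Render 'config system interface' VLAN stanzas (names/IDs are assumed)."""
    lines = ["config system interface"]
    for n, (sub, fgt, _) in enumerate(plan):
        lines += [f'    edit "tenant{n + 1}"', '        set vdom "root"',
                  f"        set ip {fgt} {sub.netmask}",
                  "        set allowaccess ping",
                  f'        set interface "{parent_interface}"',
                  f"        set vlanid {first_vlan_id + n}",
                  "        set type vlan", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed: documentation-range /27 as the ISP block, WAN1 on its own /30
    plan = plan_tenant_subnets("203.0.113.0/27", "198.51.100.2/30", new_prefix=30)
    for sub, fgt, tenants in plan:
        print(f"{sub}: FortiGate {fgt}, tenant {', '.join(map(str, tenants))}")
    print(fortigate_cli(plan, "internal1"))
```

Running it with `new_prefix=31` yields the 16 point-to-point subnets instead; feeding a WAN1 address from inside the /27 reproduces the collision described in the question as a ValueError.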

3 REPLIES 3
Namrezy

A thousand thank-yous, @Toshi_Esumi, for your response.

 

Correct: the WAN1 is also a part of the /27 I'm wanting to use for each interface.  I was in the midst of configuring VIPs and was realizing this might be into the weeds for me, with having to configure outgoing differently than incoming, so your reply came at the perfect time.

 

And like you said, your first option seems cleaner and more flexible, i.e. assigning the VLAN interface an IP within the range, versus getting into VIPs and SNATs, and IP pools.

 

Although, the latter may be the route we have to go regardless.

 

Thank you, again, sir!  I will mark your post as my solution since I have more than enough to chew on now.
