Support Forum
ForgetItNet
Contributor

Force internal IP out of secondary WAN IP

Hi all,

I have searched for this in the forum and on the internet without much success, so I just wanted to confirm that I AM doing this the right way.

I've got a WAN connection (say 1.1.1.1) and an internal device with the IP 192.168.70.50. I have added a secondary IP of 1.1.1.2 to that WAN interface, and I want to route 192.168.70.50 out of that IP (1.1.1.2). So I've added a policy route with the incoming interface set to the Data Internal interface (which is what 192.168.70.50 is connected to), a source address of 192.168.70.50/255.255.255.255, a destination address of 0.0.0.0/0.0.0.0, the WAN interface as the outgoing interface, and the gateway address set to 1.1.1.2?

I've run a packet trace and I can see packets coming INTO 1.1.1.2 to 192.168.70.50, but nothing going out.

Have I configured this correctly, or am I missing anything?

I'm not that familiar with FortiGate products (the model is a 60E on v7 software, by the way).

Thanks all

1 Solution
pminarik
Staff

Hi ForgetItNet,

"Gateway" is the IP of the next hop (presumably the ISP router/modem), so that would not be correct if the 1.1.1.2 IP is "owned" by your device on the WAN interface.

What you should do instead is create a new IP pool, set it to the "range" 1.1.1.2-1.1.1.2, and then in the appropriate firewall policy for the client 192.168.70.50 enable source NAT and switch it to using your new IP pool (instead of the default option "use outgoing interface IP").

Here's some older, but still good, documentation:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/476781/ipv4-pools

[ corrections always welcome ]
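As an added example (not part of the original post or of Fortinet's documentation), the configuration the accepted answer describes looks like this in the FortiOS CLI. The interface names `internal` and `wan1`, the /24 mask on the WAN subnet, the policy ID 10, and the object names `host-192.168.70.50` and `pool-1.1.1.2` are assumptions; substitute your own. Lines starting with `#` are explanatory and should be dropped if you paste into an interactive CLI session.

```fortios
# Secondary IP on the WAN interface (the poster already has this step).
config system interface
    edit "wan1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 1.1.1.2 255.255.255.0
            next
        end
    next
end

# Address object for the single internal host (/32).
config firewall address
    edit "host-192.168.70.50"
        set subnet 192.168.70.50 255.255.255.255
    next
end

# IP pool whose range is exactly the secondary WAN IP.
config firewall ippool
    edit "pool-1.1.1.2"
        set type overload
        set startip 1.1.1.2
        set endip 1.1.1.2
    next
end

# Firewall policy for that host only, with source NAT to the pool
# instead of the default "use outgoing interface IP" (1.1.1.1).
config firewall policy
    edit 10
        set name "host-70-50-out-via-1.1.1.2"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "host-192.168.70.50"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-1.1.1.2"
    next
end
```

Two things to check afterwards. First, firewall policies are matched top-down, so this host-specific policy has to sit above any broader internal-to-WAN policy that would otherwise match first (`config firewall policy` then `move 10 before <id-of-the-general-policy>`). Second, remove the policy route from the question, since a gateway that is the FortiGate's own address will not forward anything. To confirm the result, sniff the WAN side with `diagnose sniffer packet wan1 'host 1.1.1.2' 4 10 l` while the internal host sends traffic; outbound packets should now show 1.1.1.2 as the source, which the original packet trace did not.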
