Fortinet Forum
Vernon76
New Contributor

Fortigate 80c second ip question

Hi all, I have a FortiGate 80C that gives IP addresses to IP phones and PCs in the range 175.50.60.50-175.50.60.150 on the internal side.

The PBX is 175.50.60.5 on the LAN side; on wan1 I have 182.168.54.2 from the ISP and 175.50.60.1 for the firewall.

I want to add a second IP on the firewall, so that I can add a SIP trunk from a provider on the WAN side of the PBX.

Is it possible to add a second IP on the internal side for the PBX, for example 192.168.40.1, and give the WAN side of the PBX 192.168.40.5?

thank you in advance

Vernon76
New Contributor

The WAN port is a static IP.

I will try out the suggestions and let you know.

But I wanted to know something: can one of the free internal port interfaces be programmed with a specific IP?

So in other words, can layer 3 routing be done on an interface?

This is something that Dipen said in a post, correct?

If this is possible, how can I do this?

Christopher_McMullan

Vernon76, I'm not quite sure I understand your question. Could you flesh out an example of what you mean?

Regards, Chris McMullan Fortinet Ottawa

Vernon76
New Contributor

What I mean is, normally you can give the internal interface an IP, correct?

So when you connect to a port and DHCP is active in the firewall, depending on what IP range you give it, the device connected to the port will get the IP address.

Is it possible to give, for example, firewall port 1 the IP range 144.45.xx.xx, port 2 145.56.32.22 and port 3 146.67.xx.xx, and no matter which port it is connected to, the device still gets an internet connection?

 

Is this something that could be done and how can I do it?

Christopher_McMullan

I'm still a little in the dark, but maybe this would help:

Any port on the FortiGate can be used for any purpose. The ports labelled HA or MGMT may not have hardware acceleration, since they weren't designed to carry heavy production traffic, but if you *really* wanted to, you could use HA1 for your WAN link, and MGMT for LAN, or any other combination you can think of. Aside from acceleration, unless the specific hardware model has special features, the port names are just labels.

So generally speaking, you can address all ports not bound in a hardware/software switch with different subnets, and apply policies and routes as needed to pass traffic through/between them.

Regards, Chris McMullan Fortinet Ottawa

Vernon76
New Contributor

Hi Chris,

I uploaded an update of my diagram, so you might get a better picture of what I am asking.

If I read your answer correctly, it seems you have answered my question.

But just to make sure: I wanted to add a new IP address to an internal interface, so I can get internet and SIP trunk access for the PBX.

Also I'm currently trying out the secondary IP address, but not having much luck.

Can't get internet on it, might you have any idea what other policies I need to check?

Christopher_McMullan

From the diagram, yes: add a secondary IP to internal1, 2, or 3, and the FortiGate will respond to ARP requests for its address acting as the gateway for that subnet. Addressing the interface creates a connected route for that subnet. The final ingredient is firewall policies: assuming you have a wide open outbound policy, there should be no issues, since the policy would govern any traffic between the internalx and WAN port pair in an outbound direction. If you have source address restrictions, these will either need to be relaxed, or a new object added to represent the secondary subnet you want to grant access to.

If you still can't achieve WAN access for the new subnet, a sniff and flow trace are good diagnostics to start with:

diag sniffer packet any "host w.x.y.z" 4

I use 'any' here, and replace 'w.x.y.z' with an unchanging, public destination. That way, the sniff will not only show you packets arriving from the host, but also whether they leave the WAN interface, and whether any replies back from the destination are received. Filtering per-interface will only show you return traffic if the session is set up successfully and the remote server replies; filtering for a private address will effectively restrict you to traffic between the client and internalx, if you NAT on the way out.

The flow trace:

diag debug reset

diag debug enable

diag debug flow show console enable

diag debug flow show function-name enable

diag debug flow filter addr w.x.y.z

diag debug flow trace start 5000

diag debug flow trace stop (enter the above commands, but after '...flow trace stop', don't press Enter; just leave the command in the register)

<attempt a connection, and when it fails...>

-Press Enter, then

diag debug flow filter clear

diag debug reset

diag debug disable

The output may not allow you to continuously see the command you are trying to type in, which is why I recommend typing '...flow trace stop' ahead of time. Also, the 'w.x.y.z' here should be replaced with the same destination public IP as the sniff.

Regards, Chris McMullan Fortinet Ottawa

ashukla_FTNT
Staff

For the secondary range 180.60.90.x, the route in the ISP modem should point towards the wan1 IP.

This is because, in order for the modem to route to 180.60.90.x, the only physical path is through wan1.

If the 180.60.90.x network is configured as a connected route in the modem, it will ARP for any IP in that range, and the firewall will not forward or respond to those ARPs, as it will receive them on wan1.

So in the modem the route should be like:

network 180.60.90.x

subnet mask (whatever subnet you got)

gateway 182.23.23.22

Also, assuming this IP is public and you don't want to NAT, make sure you have a policy on top which allows 180.60.90.x to any with NAT disabled.

So if you define the secondary IP on port2, then create a rule between port2 and wan1 with NAT disabled.

If you don't have this policy on top, the traffic will get allowed by the regular policy and will get NATted using the wan1 public IP.

Vernon76
New Contributor

Hi Chris,

I managed to get an internet connection from the secondary IP; I tried it with a firewall of mine to see that it works.

I could browse the internet, ping, etc. on the secondary IP.

So I think this connection can be tried out on the WAN port of the PBX.

The policies are on any, but I wanted to know what policy you would recommend to limit hack attempts against the SIP trunks.

Want to keep it as secure as possible.

E.g. let's say the secondary IP on the firewall is 10.10.10.5 and the WAN of the PBX is 10.10.10.6.

DiNet
New Contributor

Allow in the policy only the ISP's external IPs to connect from WAN2 to your PBX.
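As an added example (not from the thread or any of its posters), the two policies described by ashukla_FTNT and DiNet above in FortiOS CLI form: the no-NAT outbound rule for the public secondary range and the inbound SIP rule that admits only the provider. The interface name internal2, the PBX WAN-side address 180.60.90.5, the provider address 203.0.113.10 and all object names are assumed placeholders.

```fortios
# Added example: assumes secondary subnet 180.60.90.0/24 on "internal2",
# PBX WAN side at 180.60.90.5, SIP provider at 203.0.113.10 (placeholders).
config system interface
    edit "internal2"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 180.60.90.1 255.255.255.0
            next
        end
    next
end
config firewall address
    edit "SEC-NET-180.60.90.0"
        set subnet 180.60.90.0 255.255.255.0
    next
    edit "PBX-WAN-IP"
        set subnet 180.60.90.5 255.255.255.255
    next
    edit "SIP-PROVIDER"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall policy
    # Outbound from the public secondary range with NAT off, so the PBX keeps
    # its own public source address instead of being hidden behind wan1.
    edit 0
        set name "SEC-OUT-NO-NAT"
        set srcintf "internal2"
        set dstintf "wan1"
        set srcaddr "SEC-NET-180.60.90.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # Inbound SIP: only the provider may reach the PBX; everything else from
    # the internet hits the implicit deny. Logged for visibility.
    edit 0
        set name "SIP-IN-PROVIDER-ONLY"
        set srcintf "wan1"
        set dstintf "internal2"
        set srcaddr "SIP-PROVIDER"
        set dstaddr "PBX-WAN-IP"
        set action accept
        set schedule "always"
        set service "SIP"
        set logtraffic all
    next
end
```

A policy created with `edit 0` lands at the bottom of the list, so use `move <id> before <id>` under `config firewall policy` to place SEC-OUT-NO-NAT above the existing catch-all NAT policy, as ashukla_FTNT's reply requires.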

Vernon76
New Contributor

Hi everyone, sorry for not posting back; I haven't been feeling well these past couple of weeks and thus haven't implemented it yet.

I'd like to thank everyone for their input on this topic.

Only one thing I need to know:

DiNet, you said that I need to allow in the policy only the ISP's external IPs to connect from WAN2 to my PBX.

So I need to connect the WAN2 port to the PBX WAN port, correct?

Can you give me an example of this?

How can I let the 10.10.10.5 secondary IP go through WAN2?

Krs