Fortinet Forum
NetworkZeus
New Contributor

Fortigate 900D OSPF Private/Public IPs

Hi guys,

I’m configuring a Fortigate 900D using an aggregate interface with a private IP connected to an upstream Cisco ASR, which in turn connects to the internet directly.

The ASR will be advertising a default route, and I want the Fortigate to learn this and then advertise the route downstream to another firewall.

The Fortigate is carved up into two VDOMs, a Root VDOM and a VPN VDOM. The Root VDOM has a Loopback interface configured to act as an explicit proxy and will be targeted directly by users to access the internet.

The explicit proxy is using the system DNS, which can be either Fortiguard DNS or Google; however, because the external interface of the Root VDOM has an internal private address, when the DNS/Fortiguard services need to reach the internet they are sourcing from an internal address which is not routable.

Users -> Proxy address x.x.x.x:8080 -> Loopback Interface (explicit web proxy) -> Agg1 (private address) -> Cisco ASR (Public IP)

I then decided to re-IP both the external interface on the Fortigate and the internal interface of the ASR with a /30 which I took from a /25 range of public IPs, which would solve the routing issues. However, when I now try to configure OSPF on the Cisco and the Fortigate they will not form an adjacency. As soon as I change the IP back to a private address the OSPF relationship is re-established.

Questions

•  Is there a reason I cannot run OSPF with public IP addresses on a Fortigate?

•  If I can’t use the public IPs, what are the options for using a Fortigate without a public IP address on the external internet-facing interface?

Requirements

•  Once the proxy intercepts the user's web request it should be source NAT’d from a public IP, either by a security policy or using the external interface.

•  The default route needs to be advertised by a routing protocol, so that if we lose a critical path to the internet and the default route is lost, it will be re-learnt elsewhere.

Fortigate 900D

Software - v5.6.0 build1449 (GA)

Thanks in advance

NetworkZeus

emnoc
Esteemed Contributor III

Do you have a topology map? It was very hard to follow your description. As far as public or private goes, OSPF does not care. From what I gathered, you are having trouble routing the exp-proxy address to the 2nd firewall?

As far as what you're doing, we've done that in a lot of cases and just defined an ippool for that explicit proxy. We divided our network address ranges in halves.

Examples:

"WEST goes thru one proxy and EAST thru a 2nd, this was done via system GPO push for the web clients btw"

1: Fix your reach-network routing for the clients 1st.

2: Then work on the exp-fwpolicies and any SNAT that's needed.

Here's a blog on explicit proxy, socpuppet style, that I've done a few times now. The loopbacks are carried in OSPF across the network and we have a proxy-control file for web clients to use for accessing the proxy for various domains ;)

http://socpuppet.blogspot.com/2017/08/fortigate-explicit-proxy-with.html

We even deployed a turn-around proxy using dedicated Fortigates for this also. So as long as the client can get to the proxy they are proxied by that device. Great for sneaking thru GEOIP-based blocking devices or other items doing control.

http://socpuppet.blogspot.com/2017/08/turn-around-explicit-proxy-on.html

PCNSE 

NSE 

StrongSwan
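As an added example (not from the question or from emnoc's reply), here is a FortiOS 5.6-style CLI sketch of the design both posts describe: a loopback in the root VDOM serving the explicit web proxy, the loopback and the public /30 link carried in OSPF so the default route learned from the ASR can be re-learnt elsewhere if that link dies, and an ippool doing the SNAT for proxied traffic. Interface names (`agg1`, `lo-proxy`), the RFC 5737 addresses, the area number and the pool name are all constructed for the example; the md5-key and poolname option forms are the ones used on 5.x-era releases and should be checked against your firmware's CLI reference with `?` before pasting.

```fortios
# Added example, not the poster's config. All addresses are constructed (RFC 5737 203.0.113.0/24).
config global
    config system interface
        # Public /30 toward the ASR on the existing aggregate (assumed name "agg1")
        edit "agg1"
            set vdom "root"
            set ip 203.0.113.1 255.255.255.252
            set allowaccess ping
        next
        # Loopback that users point their browsers at; never goes down with a physical link
        edit "lo-proxy"
            set vdom "root"
            set type loopback
            set ip 203.0.113.10 255.255.255.255
            set allowaccess ping
            set explicit-web-proxy enable
        next
    end
    # Source system DNS from a routable address (option assumed available on 5.6)
    config system dns
        set source-ip 203.0.113.10
    end
end

config vdom
    edit root
        # Explicit web proxy listening on 8080 on any interface that has it enabled
        config web-proxy explicit
            set status enable
            set http-port 8080
        end

        # OSPF: /30 link and loopback both in area 0; ASR originates the default route
        config router ospf
            set router-id 203.0.113.10
            config area
                edit 0.0.0.0
                next
            end
            config ospf-interface
                edit "agg1-p2p"
                    set interface "agg1"
                    set network-type point-to-point
                    # Authenticate hellos; 5.x form is "set md5-key <id> <key>" (assumed)
                    set authentication md5
                    set md5-key 1 "REPLACE_WITH_SHARED_KEY"
                next
            end
            config network
                edit 1
                    set prefix 203.0.113.0 255.255.255.252
                    set area 0.0.0.0
                next
                edit 2
                    set prefix 203.0.113.10 255.255.255.255
                    set area 0.0.0.0
                next
            end
        end

        # Public address the proxied sessions leave from (one-address overload pool)
        config firewall ippool
            edit "proxy-snat"
                set type overload
                set startip 203.0.113.20
                set endip 203.0.113.20
            next
        end

        # Proxy policy: explicit-web sessions out agg1, SNAT'd from the pool
        config firewall proxy-policy
            edit 1
                set proxy explicit-web
                set dstintf "agg1"
                set srcaddr "all"
                set dstaddr "all"
                set service "webproxy"
                set action accept
                set schedule "always"
                set logtraffic all
                set poolname "proxy-snat"
            next
        end
    next
end

# Verification from the root VDOM CLI:
#   get router info ospf neighbor        -> neighbor on agg1 must reach Full
#   get router info routing-table all    -> 0.0.0.0/0 should be an O*E2 (or E1) route via 203.0.113.2
```

The adjacency check is the useful part for the original question: OSPF has no notion of public versus private space, so if the neighbor stays in Init or ExStart after the re-IP, compare the things OSPF actually matches on both ends of the /30 (subnet mask, area, hello/dead timers, network type, authentication) rather than the address range. Keeping the proxy on a loopback advertised in OSPF, as emnoc describes, means the client-facing address survives a failure of the agg1 link as long as another path into the area exists.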