Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
leoiaco
New Contributor

New IP Public Range on same WAN interface

Hi all,

we have a Fortigate-VM with only one Interface dedicated for WAN and a public IPs range (/28) configured with IP Pools

Now we have a new different public IPs range (/28) belong to different public subnet (maybe same router?) and we want to configure this new public range on the same wan interface.

Important: other interfaces are already configured.

Can I accomplish this task as fast as possible without reconfigure virtual appliance (is not possible in production environment)?

Thanks

Leo

1 Solution
Paul_S
Contributor

leoiaco, I have many subnets routed to my WAN interface. My ISP handles all the WAN routing. I just make sure all my policies, LAN Routing, etc.. are correct.

 

If I were you, I would proceed like this:

 

Phase1 - talk with ISP, run "diag sniffier packet" command on fortigate. This will all you to confirm when packets to the new range is hitting your firewall.

 

Phase2 - now that ISP is routing WAN traffic for both ranges and you have confirmed with sniffer command. Start setting up VIPs and policies. then test.

FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x                   [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5  |  Fortimail 5.3.11 Network+, Security+

View solution in original post

13 REPLIES 13
Johan_Witters
Contributor

Not sure if it is the same on Fortigate_VM, but on the hardware boxes you can configure a "secundary ip" address on the interface.

 

Go to "Network > Interfaces" and edit the interface, at the bottom of the page you should have a check box "secundary ip address" if the interface has a manually assigned ip address. In the box that appears, type in the new ip address for your FGT, only 1 address is necessary..

Johan Witters

Network & Security Engineer

FCNSP V4/V5

 

BKM NV

leoiaco
New Contributor

Hi Johan,

I've already configured new IP as secondary address on wan interface.

Is necessary to configure static route? VIP?

What test can i do to verify this?

Thanks.

Regards

 

 

 

Johan_Witters
Contributor

It depends on what you need to do:

- outbound connections will by default take the wan interface ip address for natting. If you need to access the internet with an address from the new ip range, you need to create a "ip pool" and use this pool as NAT ip on your internal -> outside security policies

- if you need inbound connections on the new ip pack, you need to configure vips for these addresses/ports and use them in outside -> internal policies.

 

If you need more info, just give me a sign.

Johan Witters

Network & Security Engineer

FCNSP V4/V5

 

BKM NV

leoiaco
New Contributor

Hi Johan,

let me configure server and policy for test, i will update you as soon as possible.

Thanks a lot.

Regards.

 

L.

leoiaco
New Contributor

Hi,

i need configure static route like shown in jpg file attached?

Thanks in advance

L.

Johan_Witters
Contributor

No it normally isn't necessary, the ISP will use the original ip as path to the outside world as they will also have configured a 2ndary ip on their box. So you would use only the original default route that was already configured.

Having 2 default routes with the same metric would also put your FGT in "load balancing", sending packets out with source address 1.1.1.1 for 1 packet and 2.2.2.2 for the next. It would cause you troubles with outbound mail etc where the source ip is checked.

 

You would need to a a 2nd default route in case you have this setup:

 

FGT    <->      switch     <->     router isp1

                                   <->     router isp2

Johan Witters

Network & Security Engineer

FCNSP V4/V5

 

BKM NV

leoiaco
New Contributor

Hi Johan,

it doesn't work [&:].

Secondary IP on WAN interface-> Configured

IP Pool -> Configured

2nd default route-> (same distance, different priority)Configured

I'm in this scenario FGT    <->      switch     <->     router isp1 (first route Distance:10, Priority: 0)                                    <->     router isp2 (second route Distance:10, Priority: 10)

 

Policy Outside with NAT -> Configured

Can you help me?

Thanks

 

Leo

 

ashukla_FTNT

leoiaco wrote:

Hi Johan,

it doesn't work [&:].

Secondary IP on WAN interface-> Configured

IP Pool -> Configured

2nd default route-> (same distance, different priority)Configured

I'm in this scenario FGT    <->      switch     <->     router isp1 (first route Distance:10, Priority: 0)                                   <->     router isp2 (second route Distance:10, Priority: 10)

 

Policy Outside with NAT -> Configured

Can you help me?

Thanks

 

Leo

 

Second route will not be active as priority is 10, so only first default route will be active.

You can achieve in two way:

Create policy route to push certian traffic through second isp

Make the priority 0, so even second default route will be up ( but you can't decide which traffic will go to which wan)

leoiaco
New Contributor

Nobody can help me?

Thanks.

L.