Support Forum
EricG1793
New Contributor

One WAN interface, multiple WAN IPs

Hi folks,

We're using the WAN1 interface on our FortiGate only, with IP 72.x.x.1. The internal subnets 10.x.x.x all go through this interface and IP.


However, I've set up a new subnet on interface Dorm1, 192.168.1.x, and I want it to utilize a different WAN IP, 72.x.x.6 (which is in the same subnet as the primary WAN1 IP with the same ISP gateway). How can I accomplish this? I've read about creating VIPs, which we do use to map one external IP to one internal IP, but I'm not sure how to handle an entire subnet, AND ensuring that the outgoing traffic is through the other WAN IP as well.


Thanks for any ideas,


- Eric

6 REPLIES
ede_pfau
Esteemed Contributor III

Hi,


for outward traffic you would substitute the source address, not the destination address like in a VIP. Source NAT is done via "IP pool" (Firewall > Objects > IP pools). You can define an IP pool with just a single address (a.b.c.d/32) or a whole subnet.

In the LAN to WAN policy, check "NAT" and "specify address" and select the IP pool.

Check with a visit to whatsmyip.org or the like.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
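The steps Ede lists (an IP pool holding one /32, then NAT with "specify address" on the outbound policy) look like this in the FortiOS CLI. This is an added example, not Ede's or Fortinet's configuration: the object names Dorm1-subnet and Dorm1-SNAT are made up, wan1 and Dorm1 are the interfaces named in the question, 203.0.113.6 (a documentation address) stands in for the redacted 72.x.x.6, and the syntax is the FortiOS 5.x form of these commands.

```fortios
# Added example, not from the thread. Placeholders: 203.0.113.6 = the post's
# 72.x.x.6; "Dorm1-subnet" and "Dorm1-SNAT" are invented object names.

# 1. Address object for the subnet that should leave through the second WAN IP.
config firewall address
    edit "Dorm1-subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# 2. IP pool holding just the one public address (a /32, as Ede describes).
#    arp-reply lets the FortiGate answer the ISP gateway's ARP for 203.0.113.6,
#    which is needed because that address is not configured on wan1 itself.
config firewall ippool
    edit "Dorm1-SNAT"
        set type overload
        set startip 203.0.113.6
        set endip 203.0.113.6
        set arp-reply enable
    next
end

# 3. Outbound policy: NAT on, and the source address taken from the pool
#    rather than from the wan1 interface address.
config firewall policy
    edit 0
        set srcintf "Dorm1"
        set dstintf "wan1"
        set srcaddr "Dorm1-subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "Dorm1-SNAT"
    next
end
```

Policy order matters: if a broader policy (for example one whose srcintf is "any") already matches Dorm1 traffic higher up in the list, it wins and the pool is never used, so move the new policy above it. To confirm the translation without a third-party site, sniff the egress side with `diagnose sniffer packet wan1 'host 203.0.113.6' 4` while a Dorm1 client browses; the outbound packets should carry 203.0.113.6 as their source.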
EricG1793

Perfect, that worked! Thanks for the info. :)


One more question. I went to do the same for a different VLAN on the Inside interface. External IP is 72.x.x.13-72.x.x.13 and the internal IP range is 10.13.0.1-10.13.7.254. However, it says the number of ports for each IP is too small. It works if I shrink the internal range to 10.13.6.254. Thoughts?

ede_pfau
Esteemed Contributor III

You are planning to NAT 2.046 addresses, or is there a typo in your address ranges?

If the mapped-to address is just one, each translation has to be mapped to a different port. There are 64K - 1K ports for this but... this number might be limited by the hardware/FortiOS combination. Have a look at the "Maximum Features matrix" available on docs.fortinet.com.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
rwpatterson
Valued Contributor III

You may be able to make 8 policies, each with a single class C subnet using the same IP pool. Not sure if it would choke something though...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

EricG1793

Correct, we're leasing 2,048(-ish) addresses. 10.13.0.5-10.13.7.254. It's our public VLAN that we allow students and guests of the school to use their personal devices on.


Upon further testing, the absolute biggest range that I can use is 10.13.0.1-10.13.7.96. Same error with 97 and up. However, if I allow the pool to use two WAN IPs, it's fine. To me, having the pool stop at 96 is acceptable. We've only leased 1,300 IPs so I'll just change the DHCP scope. We're down to our last WAN IP anyway.


Here are the maximum values for 5.0.8, can't find 5.0.12 like we're using.


http://help.fortinet.com/.../5-0-8/max-values.html
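Ede's port arithmetic and Eric's measured limits can be checked against each other before touching the firewall. The script below is an added example, not from the thread or from Fortinet; it assumes a pool of the fixed-port-range kind, which hands every internal address an equal contiguous slice of the usable source ports on the public address(es) and rejects the pool when a slice would be narrower than a minimum. The usable range (ports 5117 to 65533) and the minimum width (32 ports) are assumptions, chosen because they reproduce the thread's figures exactly: 1,888 internal hosts fit one public IP, 1,889 do not, two public IPs absorb the full range, and 10.13.0.1-10.13.7.254 is Ede's 2,046 addresses.

```python
"""Capacity check for a FortiGate fixed-port-range IP pool.

Added example, not from the forum thread. Assumed model (labelled):
  * every internal host receives an equal, contiguous slice of the usable
    source ports on the public address(es), allocated in address order;
  * the usable ports are 5117..65533 and a slice must be >= 32 ports wide.
Both constants are assumptions picked to reproduce the thread's figures.
"""
import ipaddress

PORT_LO = 5117            # assumed lowest source port the pool uses
PORT_HI = 65533           # assumed highest source port the pool uses
MIN_PORTS_PER_HOST = 32   # assumed minimum slice width per internal host


def host_count(start: str, end: str) -> int:
    """Number of addresses in an inclusive range like 10.13.0.1-10.13.7.254."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if hi < lo:
        raise ValueError(f"range end {end} precedes start {start}")
    return int(hi) - int(lo) + 1


def ports_per_host(ext_start: str, ext_end: str,
                   int_start: str, int_end: str) -> int:
    """Source ports each internal host gets when the pool is defined."""
    usable = (PORT_HI - PORT_LO + 1) * host_count(ext_start, ext_end)
    return usable // host_count(int_start, int_end)


def pool_fits(ext_start: str, ext_end: str,
              int_start: str, int_end: str) -> bool:
    """True when the pool would be accepted; False corresponds to the
    'number of ports for each IP is too small' rejection in the thread."""
    return ports_per_host(ext_start, ext_end, int_start, int_end) >= MIN_PORTS_PER_HOST


def max_internal_hosts(external_ips: int) -> int:
    """Largest internal range one pool can serve with this many public IPs."""
    return (PORT_HI - PORT_LO + 1) * external_ips // MIN_PORTS_PER_HOST


def port_slice(int_start: str, int_end: str, host: str) -> tuple:
    """Port range an internal host is confined to behind ONE public IP under
    the assumed slice layout. Handy when an upstream log shows only the
    public IP and source port and you need the internal host responsible."""
    width = ports_per_host(int_start, int_start, int_start, int_end)  # one ext IP
    index = int(ipaddress.ip_address(host)) - int(ipaddress.ip_address(int_start))
    if not 0 <= index < host_count(int_start, int_end):
        raise ValueError(f"{host} is outside {int_start}-{int_end}")
    lo = PORT_LO + index * width
    return lo, lo + width - 1


if __name__ == "__main__":
    # Constructed cases mirroring the thread; 203.0.113.x stands in for 72.x.x.x.
    cases = [
        ("203.0.113.13", "203.0.113.13", "10.13.0.1", "10.13.7.254"),
        ("203.0.113.13", "203.0.113.13", "10.13.0.1", "10.13.6.254"),
        ("203.0.113.13", "203.0.113.13", "10.13.0.1", "10.13.7.96"),
        ("203.0.113.13", "203.0.113.13", "10.13.0.1", "10.13.7.97"),
        ("203.0.113.13", "203.0.113.14", "10.13.0.1", "10.13.7.254"),
    ]
    for es, ee, is_, ie in cases:
        n = host_count(is_, ie)
        print(f"{is_}-{ie} ({n} hosts) behind {host_count(es, ee)} IP(s): "
              f"{ports_per_host(es, ee, is_, ie)} ports/host -> "
              f"{'ok' if pool_fits(es, ee, is_, ie) else 'rejected'}")
    print("max hosts per public IP:", max_internal_hosts(1))
```

The practical reading of the output is the one Eric reached: with one public address the DHCP scope has to stay within 1,888 hosts, or a second public address has to be added to the pool. Because the slice width is fixed at pool creation, sizing the scope to the pool (rather than the reverse) also prevents a busy host from silently running out of source ports later.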

amey
New Contributor

Hello Guyz,


Can you please help me with this post: https://forum.fortinet.com/FindPost/158019

Regards,
