Fortinet Forum
theArties
New Contributor III

Separating a WAN subnet into Multiple Ports

Hi all,

Would like to know whether there's a workaround for this.

Currently a /29 WAN subnet is created on WAN 1, e.g. 202.188.1.130/29. Gateway is 202.188.1.129.

I want to separate a particular IP out, e.g. 202.188.1.132, and connect it to another port, e.g. Port 15, for SSL-VPN purposes.

By default, under the SSL-VPN settings, the box will only listen on the WAN 1 IP, i.e. 202.188.1.130:443.

How can I make the box listen on 202.188.1.132 for the SSL-VPN?

Thank you in advance for your guidance.

Accepted solutions: two of ShawnZA's replies below.

5 Replies
ShawnZA
Contributor II

You will not be able to set an IP on another interface that is already part of the /29 on your WAN1.

You could break up the /29 into two /30s, but you would need extra config on the next hop router as well, and a switch in between if there are no other ports available on the next hop.

You could also do a VIP as per this thread, but I don't think that's what you are looking for, as the original IP will also still be listening for VPN requests unless you block it...

https://forum.fortinet.com/tm.aspx?m=111523


theArties
New Contributor III

Hi ShawnZA,

Thanks for your time.

I read through the link and did a check on the current box.

Silly question: what should the mapped IP be? The LAN IP of the box?

Thanks.

ShawnZA

In the link I pasted the guy actually forwards it to his primary external IP, so probably not what you are looking for.

You could also create a loopback interface and assign any internal IP to it, like 10.40.1.1/30, or just a /32 as you only need one IP.

Then create a VIP address with your second external IP and forward it to the IP you specified for the loopback on port 443.

Then in the VPN settings you select the new loopback interface as the listening interface. I have done setups like that for IPSEC VPN, so I am sure it should work for an SSL VPN setup.

ShawnZA

I did a quick change on my home firewall; look at the attached image. Create the loopback interface, create the VIP address and change the VPN settings to the new interface.

Then create the policy with the VIP to forward the SSL VPN traffic to your new internal loopback interface.

https://forum.fortinet.com/tm.aspx?m=149400

Also some info on setting up SSL VPN to a loopback interface.
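The loopback-plus-VIP setup ShawnZA describes (loopback interface, VIP on the spare public address, policy from WAN to the loopback, SSL-VPN bound to the loopback) written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet: the names lo-sslvpn, vip-sslvpn-132, sslvpn-to-loopback, sslvpn-users-to-lan, the internal interface name and the user group are assumptions, and the VIP's external interface is assumed to be wan1 because, as the first reply notes, 202.188.1.132 stays inside the /29 that wan1 owns (Port 15 is not used at all in this design). 202.188.1.132 and 10.40.1.1 are the addresses used in the thread.

```fortios
# Added example (not from the thread or Fortinet). Object names are assumptions;
# 202.188.1.132 is the spare /29 address from the question and 10.40.1.1 the
# loopback address suggested in the reply.

# 1. Loopback that carries the internal address the portal will bind to.
#    allowaccess is limited to ping so the admin GUI cannot be reached
#    through the VIP on 443.
config system interface
    edit "lo-sslvpn"
        set vdom "root"
        set ip 10.40.1.1 255.255.255.255
        set allowaccess ping
        set type loopback
    next
end

# 2. VIP: the spare public address remains part of the wan1 /29 (the FortiGate
#    answers ARP for it on wan1) and only TCP/443 is forwarded to the loopback.
config firewall vip
    edit "vip-sslvpn-132"
        set extip 202.188.1.132
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "10.40.1.1"
        set mappedport 443
    next
end

# 3. Policy that allows the forwarded traffic from wan1 to the loopback.
#    Limiting dstaddr to the VIP and service to HTTPS keeps the loopback
#    unreachable on any other port.
config firewall policy
    edit 0
        set name "sslvpn-to-loopback"
        set srcintf "wan1"
        set dstintf "lo-sslvpn"
        set srcaddr "all"
        set dstaddr "vip-sslvpn-132"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# 4. Bind the SSL-VPN portal to the loopback only, so 202.188.1.130:443 on
#    wan1 no longer answers VPN requests.
config vpn ssl settings
    set source-interface "lo-sslvpn"
    set source-address "all"
    set port 443
end

# 5. The usual policy from the SSL-VPN tunnel interface to the LAN is still
#    needed for connected users; "internal" and "sslvpn-users" are assumptions.
config firewall policy
    edit 0
        set name "sslvpn-users-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

After applying this, confirm that the portal answers on https://202.188.1.132/ and no longer on https://202.188.1.130/, which is the exposure the first reply warned about with a plain VIP. If the admin GUI on this box also uses port 443 (admin-sport in config system global), move it to another port first, otherwise the VIP and the management listener compete for the same port.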

theArties
New Contributor III

Hi ShawnZA,

Thank you for sharing the idea. I've followed the steps and was able to achieve the result.

Cheers.