MarkLeibbrandt
New Contributor

WAN interface

Hi,

We are receiving a single WAN connection from our ISP directly to the FortiGate. They are providing a /30 linknet address and a /29 for Internet traffic.
I was thinking of using a VLAN interface for the /29 routable public addresses, attached to the WAN interface, which will have the /30 linknet address.
Does this sound right, or is there an alternate way to do this?

yashwani
Staff

Hi Mark,

You can achieve this even without creating a VLAN interface. Instead, you can use VIPs and IP pools to NAT from this public IP pool. The ISP will have this subnet pointed towards your firewall.

Regards
yashwani
MarkLeibbrandt

Hi Yashwani,
Thanks for the quick reply.
Could you please clarify for me: if the /30 linknet was 192.168.0.1/30, with my address 192.168.0.2 and the ISP 192.168.0.1,
and the routable network is 172.16.0.0/29
(names/IPs changed to protect the innocent :))
What would my VIP external address be?
What would my mapped IP address be?
I am struggling to get my head around this.
Thanks

RodrigoM

Hi Mark,

It depends on the use you will give it, and there are different ways to do it. As Yashwani told you, you can just use VIPs and NAT pools.

For example, if you are going to publish web services, you can use VIPs:

- VIP1: 172.16.0.2 to 192.168.12.2; VIP2: 172.16.0.3 to 192.168.12.3, and so on. In that case, when traffic arrives at your public IP, it will be NAT'd to your private one (the subnet 192.168.12.0/24 is your LAN/DMZ network in my example).

Another option (or you can use both, according to your needs) is to create a NAT pool for outbound traffic.

- NAT POOL: 172.16.0.4 to 172.16.0.5. Then you can use this pool in a firewall policy to perform source NAT for outbound traffic to the Internet.

MarkLeibbrandt

Hi,

I need to terminate a site-to-site VPN on this interface; how is this done with a VIP?

Thanks

RodrigoM

Hi.

You can just create a loopback interface like 172.16.0.6/32.

bye.
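
As an added example (not posted by anyone in this thread), this is the FortiOS CLI form of the three suggestions above: a VIP for inbound publishing, an IP pool for outbound source NAT, and a loopback holding a /29 address for VPN termination. It assumes the interface names wan1 and internal, the thread's sample addresses, that the /30 linknet (192.168.0.2) is configured on wan1, and that the ISP routes 172.16.0.0/29 to that linknet address; the VIP is deliberately limited to TCP/443 rather than all ports.

```fortios
# Loopback holding a /29 address for VPN termination (RodrigoM's suggestion)
config system interface
    edit "lo-public"
        set type loopback
        set ip 172.16.0.6 255.255.255.255
    next
end
# DNAT VIP (TCP/443 only) and SNAT pool; the /30 linknet lives on wan1
config firewall vip
    edit "vip-web1"
        set extintf "wan1"
        set extip 172.16.0.2
        set mappedip "192.168.12.2"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end
config firewall ippool
    edit "pool-outbound"
        set startip 172.16.0.4
        set endip 172.16.0.5
    next
end
config firewall policy
    edit 0
        set name "inbound-web1"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-web1"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    edit 0
        set name "outbound-snat"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-outbound"
    next
end
```

Because the ISP already routes the /29 to the linknet address, the FortiGate answers ARP only on the /30 and no VLAN or secondary address is required; the IPsec phase1 on wan1 can then use 172.16.0.6 as its local gateway so the tunnel endpoint is a routable /29 address.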

Adrian_Lewis
Contributor

Another alternative would be to have both subnets on the same interface using a secondary IP. The suggestion from yashwani is cleaner, however, and should allow you to use all 8 of the /29 IP addresses, as there would be no network or broadcast addresses involved.
