Fortinet Forum
fortinetuser2020
New Contributor

divide a public pool subnet (i think)

Hi all. I'm not sure I'm aiming the question correctly, but I'll try.

My goal is to expose a server with a fixed public IP address. A real one, not by 1:1 NAT like today.

I've read that maybe there is a way to do that by subnetting a public IP pool?

Meaning, breaking for example a 64-IP pool into smaller chunks. Let's say I take one chunk and break it into a 4-IP pool,

so I have a broadcast address, 2 usable addresses, and a network address. And I'm not sure which should be the gateway address for the host in such a setup. To my understanding, I'm supposed to represent them somehow to make the LAN host "think" that the FortiGate is its public ISP gateway by using this method. As stated, the end result is to set up a fixed real public IP directly on the host's NIC, the same way I would if I were to take the physical feed directly from the ISP and have the IP settings provided by them set up directly on this NIC. I'm aware of the fact that in order to do that, I'll have to lose some addresses from my pools, but still...

Is such a thing possible?

Thank you

Dave_Hall
Honored Contributor

If your company was assigned a small block range of IPs (say 4 IPs) and one of them is assigned as a public IP for your fgt, but you also want the fgt to listen/pass traffic for an internal server that is using one of the other public IPs - you may want to set up a VIP from WAN to Internal network using one of the public IPs as source and dest is an internal IP for the server, then you need a firewall rule from the server's internal IP to WAN using a one-to-one NAT IP pool to change the internal IP of the server to its public IP on the out (WAN). (And of course the fgt's management ports need to be changed to accommodate this.)

There may be other ways to accomplish what you want rather than above. But if you are going to have multiple devices using the public IP addresses assigned to your company, but don't really need to have them all behind the fgt - you may be better off sticking a switch between the ISP gateway device and the fgt and connecting the other "public" devices to the other ports on the switch. IMO.

Perhaps someone has other suggestions.


NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

fortinetuser2020

Thank you. Yeah, I've thought of that, but then I'll have a problem limiting the bandwidth of those other public IP consumers.

Toshi_Esumi

Why do you think it would be a problem? The L3 routing/router feature is separate from the FW features. As long as you can identify the traffic by IP addresses, services, etc., you can apply traffic shaping to it.

You said 64 IPs in total; that's a /26 subnet. You can divide it however you want, like 2 x /27s, or 1 x /27 + 2 x /28s, and so on. Then assign one of the available IPs in each subnet on the FGT's interface (maybe a VLAN int if a switch is behind it) to be a GW, or even just pass them down to a downstream L3 router or a router/switch, which would handle the entire subnets.

fortinetuser2020

OK. What you said is probably what I'm looking for, but I don't know how to do that technically.

For example, if my subnet is 80.80.80.80/26, that's 64 addresses, 62 usable.

So if I break this into 16 small subnets and take one of them: 80.80.80.64/30,

so my subnet address is 80.80.80.64/30, my broadcast address is 80.80.80.67 and I have 80.80.80.65 and 80.80.80.66 usable.

What's the proper way to configure it so it'll work? Let's say I'm setting up a VLAN that will communicate with the LAN host. What IP should I assign to the interface, and what IP should I assign to the NIC of the internal host? And what will be that host's default gateway?

Toshi_Esumi

In the case of a /30 only 2 IPs are usable for hosts, so e.g. GW/FGT is 80.80.80.65/30 and the server side is 80.80.80.66/30. If you make each subnet smaller, you waste more IPs. You can still use those with VIPs at the FGT though, like 80.80.80.64 and .67.

fortinetuser2020

Oh, so you're saying I can mix?

Let's say I've divided the pool into a smaller one, 16 IPs.

I set the first usable on the FGT, the second usable on the internal host,

and now I can use the third as a VIP to do inbound NAT for another host?

Toshi_Esumi

You can VIP any of those IPs as long as they don't conflict with "routed" devices that have the public IPs. But in the case of a /28 as you asked, only 14 IPs are assignable to hosts including the GW device. The first one (ex. .0) is the network address, which I might use for a VIP. Then I would make the second one (ex. .1) the GW/FGT and use/reserve 12 (ex. .2 - .14) of them for routed devices connected to the FGT. Then I might use the last, broadcast address (ex. .15) for a VIP.
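An added worked example (not from the thread, and not FortiGate code): a small Python address planner that carries out the scheme described in the two replies above for both the /30 and the /28 case. It carves the block, puts the first usable address on the FortiGate interface as the hosts' default gateway, reserves the next addresses for hosts that carry a public IP directly on their NIC, and lists what is left (network and broadcast addresses, plus any unassigned usable ones) as VIP-only, with a check that a proposed VIP does not collide with a routed host. It assumes the ISP routes the block to the FortiGate, and it uses 80.80.80.64/26 as the aligned block (`ip_network` with `strict=True` rejects 80.80.80.80/26, which is not on a /26 boundary); the address values are constructed from the ones used in the thread.

```python
"""Address plan for carving a public block into routed subnets behind a FortiGate.

Added example, not from the forum thread. Assumes the ISP routes the block to
the FortiGate; the addresses below are constructed from the thread's example.
"""
from ipaddress import IPv4Address, IPv4Network, ip_network


def carve(block: str, new_prefix: int) -> list[IPv4Network]:
    """Split a block into equal subnets, e.g. a /26 into sixteen /30s.

    strict=True refuses a block whose address is not on its prefix boundary.
    """
    return list(ip_network(block, strict=True).subnets(new_prefix=new_prefix))


def plan_subnet(subnet: IPv4Network, routed_hosts: int) -> dict:
    """Assign roles inside one carved subnet.

    First usable address -> FortiGate interface (the hosts' default gateway).
    Next `routed_hosts` addresses -> hosts with the public IP on their own NIC.
    Network and broadcast addresses, plus any usable address not handed to a
    routed host, cannot sit on a NIC but can still be used as VIPs on the FGT.
    """
    if subnet.prefixlen >= 31:
        raise ValueError("need at least a /30 to fit a gateway and one host")
    usable = list(subnet.hosts())
    if routed_hosts > len(usable) - 1:
        raise ValueError(
            f"{subnet} only fits {len(usable) - 1} routed hosts plus the gateway"
        )
    gateway = usable[0]
    hosts = usable[1:1 + routed_hosts]
    spare = usable[1 + routed_hosts:]
    return {
        "subnet": subnet,
        "gateway": gateway,               # set on the FGT VLAN/DMZ interface
        "routed_hosts": hosts,            # configured directly on the server NICs
        "host_default_gateway": gateway,  # what each routed host points at
        "vip_only": [subnet.network_address, subnet.broadcast_address] + spare,
    }


def vip_conflicts(plan: dict, vip_ip: str) -> bool:
    """True if vip_ip is already held by the FortiGate or a routed host."""
    ip = IPv4Address(vip_ip)
    return ip == plan["gateway"] or ip in plan["routed_hosts"]


if __name__ == "__main__":
    # /30 case: one routed server, network and broadcast left for VIPs
    p30 = plan_subnet(carve("80.80.80.64/26", 30)[0], routed_hosts=1)
    for key, value in p30.items():
        print(f"{key:>20}: {value}")
    # /28 case: gateway plus twelve routed hosts, rest VIP-only
    p28 = plan_subnet(carve("80.80.80.64/26", 28)[0], routed_hosts=12)
    print("VIP-only in the /28:", [str(a) for a in p28["vip_only"]])
    print("80.80.80.70 conflicts with a routed host:", vip_conflicts(p28, "80.80.80.70"))
```

The plan only describes addressing: on the FortiGate the gateway address still has to be configured on the VLAN or DMZ interface, each VIP-only address needs its own VIP object, and firewall policies are needed in both directions for the routed hosts and the VIPs.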

axlmac
New Contributor

"my goal is to expose a server with a fixed public ip address. a real one, not by 1:1 nat like today. i've read that maybe there is a way to do that by subneting a public ip pool?"

Yes you can; it all depends on how you will achieve that goal, because as somebody else has already stated you may need extra HW. But... the role of that extra hardware might be played by a VDOM just dedicated to routing. If you don't have VDOMs enabled then it's tricky because I guess you will have to start the configuration from scratch, but eventually your system will be more flexible. BTW: "...to make the lan host "think" that the fortigate is it's public isp gateway by using this method."

Try to get rid of any T9 or the like because sometimes suggestions are really annoying and make the read difficult. My 2 cents and of course it's my suggestion ;-)

Alex

P.S. If you shared your range in an anonymized way we might be able to help you better.