Hi all,
I recently switched firewall brands. Now we use a Fortigate 61e. Before, we used a Stormshield SN500. I'd like to deal with the following: our ISP (cable modem) provides us with 4 static IPs. All 4 are meant to be used for different operations: VoIP, DMZ, network, VPN.
The 61e has 2 WAN ports, but as I noticed, they can be used for load-balancing or failover. So, at this moment I only use 1 static IP, connected to WAN1 > interface LAN 1 > switch 1 & switch 2 PoE: 2 switches are connected to LAN 1 (internal network, i.e. 192.168.2.0). I need some advice on how to configure 'static ip 2', which will be used for SIP/VoIP only (in a different subnet, i.e. 192.168.20.0). Is it possible to connect the cable modem to WAN2 > interface LAN 2 > switch? If possible, a PBX will be connected to the switch, addressing the 192.168.20.0 network. All the VoIP phones will use this subnet.
Thanks in advance.
I don't work with SIP/VOIP, but a couple notes.
1. You can define multiple Secondary IP Addresses or IP Pools on a single interface, so you could define all your static IPs on a single wan interface and just connect a single cable to your ISP's cablemodem. Depending on your use you may need to do source NAT or use VIPs. You can also use the LAN ports as wan ports, so you could define some of them as your static IPs instead if you want these physically separated.
2. To route based on source or protocol you'll need to use policy routes, which redirect to specific static routes that you've created. See http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-networking/fortigate-advanced-routing... for details. Note that to make this work you may need static routes that have the same distance but different priorities set. See http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-networking/fortigate-advanced-routing....
For the SIP/VOIP side, all I can do is point you to the docs which have some examples:
http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-voip-guide/HNATT-config-example.htm
http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-voip-guide/ALG-NAT-snat-example.htm
Hopefully somebody else with more experience on the VOIP side will chime in.
Thanks for the input. I'll try the LAN-port option and use them physically. I also read the cookbook regarding VoIP traffic, so hopefully I get the routing right.
Regards
Your best bet would be to configure the one physical port and define the rest as virtual IP addresses. A virtual IP address will act as a physical interface would on the WAN interface, but does NOT need to be defined on the port (WANx). When you try to configure more than one IP on a single subnet on the firewall, you will get errors since there should only be one IP per subnet per interface. That IS the purpose of a firewall, isn't it? (VLANs although residing on a wire with the base VLAN are treated like separate interfaces)
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
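The single-cable approach suggested in the replies above (an IP pool for outbound source NAT plus a virtual IP for inbound SIP, both on wan1), sketched as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread; the addresses other than the 192.168.20.0 subnet, the interface name "voip-lan" and all object names are assumptions.

```fortios
# Constructed values: 203.0.113.11 = second static IP, 192.168.20.10 = PBX,
# 198.51.100.0/24 = SIP provider range, "voip-lan" = interface for 192.168.20.0/24.
config firewall address
    edit "voip-net"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "sip-provider"
        set subnet 198.51.100.0 255.255.255.0
    next
end
config firewall ippool
    edit "voip-snat"
        set startip 203.0.113.11
        set endip 203.0.113.11
    next
end
config firewall vip
    edit "pbx-sip"
        set extintf "wan1"
        set extip 203.0.113.11
        set mappedip "192.168.20.10"
        set portforward enable
        set protocol udp
        set extport 5060
        set mappedport 5060
    next
end
config firewall policy
    edit 0
        set srcintf "voip-lan"
        set dstintf "wan1"
        set srcaddr "voip-net"
        set dstaddr "sip-provider"
        set action accept
        set schedule "always"
        set service "SIP"
        set nat enable
        set ippool enable
        set poolname "voip-snat"
    next
    edit 0
        set srcintf "wan1"
        set dstintf "voip-lan"
        set srcaddr "sip-provider"
        set dstaddr "pbx-sip"
        set action accept
        set schedule "always"
        set service "SIP"
    next
end
```

Both policies are limited to the provider's address range rather than "all", so the PBX's SIP port is not reachable from the whole internet. RTP media ports are not listed here, on the assumption that the FortiGate SIP session helper or ALG described in the linked VoIP guide opens them.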