Hi,
I got a block of public ips with 2 usable ips. I wanted to add the first ip out of the block for department A on wan1 port. And the second ip on wan2 for department B. I have no trouble adding the first ip for department A. When I'm adding the second ip for department B i get an error stating "conflicts with wan1 subnet'.
Department A -> Wan1
= IP- 200.200.20.2 Subnet mask 255.255.255.248 Gateway is 200.200.20.1
Department B -> Wan2
= IP- 200.200.20.3 Subnet mask 255.255.255.248 Gateway is 200.200.20.1
I understand the conflict, but is there another way of achieving this? I know you can add a secondary ip when configuring an interface. Perhaps this is what i need to do and just use an ip pool for outgoing interface for traffic from department B to pass thru 200.200.20.3.
Yes you can not have two interfaces in the same subnet. In this case you will use NAT to accomplish your requirements. Dept A will be SNAT to .2 and Dept B will be SNAT to .3.
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/898655/static-snat
No need for a secondary IP
Are you sure this is the "interface" subnet, not an additional subnet to the interface subnet? It's very odd you have /29 subnet mask (/255.255.255.248) when you get "block of 2 usable IPs". It's generally /30.
Also it's odd, at least to me, to have two circuits (terminated at wan1 and wan2) from the same ISP and get just one subnet if it's an interface subnet.
Toshi
Getting a /29 from an ISP is possible. I've seen it before. Sometimes they route a larger block over a /30 or they just give a small block and that's what you get and its not routed.
Also I think OP was talking about splitting the ISP link over two WAN links I don't think he's saying he's getting two circuits from the ISP. In that case it would definitely be two different subnets.
I agree. @robert_espi, are you trying to use wan1/wan2 interfaces for the internal side of connections? Not to the ISP?
Toshi
The public ip we get from isp are whitelisted on other domains for services. Its also for internal staff to get thru to our dailup ipsec vpn and for a site to site vpn to a remote site.
Correct. Its not two different circuits from the ISP. Its just one ONT device which we connect to both ports wan1 and wan2 on the fortigate and assigned the public ip static. Previously it was working due to us having two firewalls. But since we've upgraded to a 100F we decided for both companies to use 1 firewall. I know we could have achieved this using vdoms but im still not too comfortable when it comes to creating sts ipsec tunnels and dialup clients.
As you figured two separate vdoms are the only option since they act as independent routers/FWs. You likely need to connect them together over npu-vlink then route traffic through so that those shared connections, like VPNs, can be shared for both sides.
But you must have been doing the same with physical connections when you had two FWs.
Toshi
The error message you are seeing indicates that there is an IP address conflict between the WAN1 and WAN2 interfaces on your FortiGate. This is because both interfaces are configured with IP addresses from the same subnet.
To resolve this issue, you can either change the subnet mask or use a different subnet for one of the interfaces. Here are two possible solutions:
1. Change the subnet mask: You can change the subnet mask on both interfaces to use a larger subnet, such as 255.255.255.240. This would allow both interfaces to use IP addresses in the same subnet without conflicting with each other. However, this would reduce the number of available IP addresses in the subnet.
2. Use a different subnet: You can configure one of the interfaces to use a different subnet than the other interface. For example, you could configure WAN1 to use the 200.200.20.0/29 subnet and WAN2 to use the 200.200.20.8/29 subnet. This would ensure that there is no IP address conflict between the two interfaces.
If you choose to use a different subnet for one of the interfaces, you will also need to update the routing table on your FortiGate to ensure that traffic is routed correctly between the two subnets.
To resolve the IP conflict and achieve the desired setup, you can configure the WAN1 interface with the IP address 200.200.20.2 and the subnet mask 255.255.255.248, along with a gateway of 200.200.20.1 for department A. Then, configure the WAN2 interface with a secondary IP address of 200.200.20.3 and the same subnet mask. This allows you to assign both IP addresses to separate departments. To ensure outgoing traffic from department B uses the correct IP, set up an IP pool or source-based routing to route traffic from department B through the WAN2 interface with the source IP of 200.200.20.3.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.