2 Public IP from same ISP for Two Departments on Same FortiGate
I got a block of public IPs with 2 usable IPs. I wanted to add the first IP out of the block for department A on the wan1 port, and the second IP on wan2 for department B. I have no trouble adding the first IP for department A. When I'm adding the second IP for department B, I get an error stating "conflicts with wan1 subnet".
Department A -> Wan1
= IP- 126.96.36.199 Subnet mask 255.255.255.248 Gateway is 188.8.131.52
Department B -> Wan2
= IP- 184.108.40.206 Subnet mask 255.255.255.248 Gateway is 220.127.116.11
I understand the conflict, but is there another way of achieving this? I know you can add a secondary IP when configuring an interface. Perhaps this is what I need to do and just use an IP pool for outgoing interface for traffic from department B to pass thru 18.104.22.168.
Are you sure this is the "interface" subnet, not an additional subnet to the interface subnet? It's very odd you have /29 subnet mask (/255.255.255.248) when you get "block of 2 usable IPs". It's generally /30.
Also it's odd, at least to me, to have two circuits (terminated at wan1 and wan2) from the same ISP and get just one subnet if it's an interface subnet.
Correct. It's not two different circuits from the ISP. It's just one ONT device which we connect to both ports wan1 and wan2 on the FortiGate and assigned the public IP static. Previously it was working due to us having two firewalls. But since we've upgraded to a 100F we decided for both companies to use 1 firewall. I know we could have achieved this using vdoms but I'm still not too comfortable when it comes to creating sts ipsec tunnels and dialup clients.
As you figured, two separate vdoms are the only option since they act as independent routers/FWs. You likely need to connect them together over npu-vlink then route traffic through so that those shared connections, like VPNs, can be shared for both sides. But you must have been doing the same with physical connections when you had two FWs.
The error message you are seeing indicates that there is an IP address conflict between the WAN1 and WAN2 interfaces on your FortiGate. This is because both interfaces are configured with IP addresses from the same subnet.
To resolve this issue, you can either change the subnet mask or use a different subnet for one of the interfaces. Here are two possible solutions:
1. Change the subnet mask: You can change the subnet mask on both interfaces to use a larger subnet, such as 255.255.255.240. This would allow both interfaces to use IP addresses in the same subnet without conflicting with each other. However, this would reduce the number of available IP addresses in the subnet.
2. Use a different subnet: You can configure one of the interfaces to use a different subnet than the other interface. For example, you could configure WAN1 to use the 22.214.171.124/29 subnet and WAN2 to use the 126.96.36.199/29 subnet. This would ensure that there is no IP address conflict between the two interfaces.
If you choose to use a different subnet for one of the interfaces, you will also need to update the routing table on your FortiGate to ensure that traffic is routed correctly between the two subnets.
To resolve the IP conflict and achieve the desired setup, you can configure the WAN1 interface with the IP address 188.8.131.52 and the subnet mask 255.255.255.248, along with a gateway of 184.108.40.206 for department A. Then, configure the WAN2 interface with a secondary IP address of 220.127.116.11 and the same subnet mask. This allows you to assign both IP addresses to separate departments. To ensure outgoing traffic from department B uses the correct IP, set up an IP pool or source-based routing to route traffic from department B through the WAN2 interface with the source IP of 18.104.22.168.
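The IP pool idea raised in the original question, sketched as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread. It assumes both departments leave through wan1, and the addresses (203.0.113.0/29 documentation range), the pool name, the policy name and the `deptB-lan` interface are constructed placeholders.

```fortios
# Assumption: wan1 already holds department A's address, e.g.
#   203.0.113.2 255.255.255.248 with gateway 203.0.113.1 (constructed values).
# wan2 gets no address from this subnet, so no overlap error is raised.

# One-address pool holding department B's public IP (constructed value).
config firewall ippool
    edit "deptB-pool"
        set type overload
        set startip 203.0.113.3
        set endip 203.0.113.3
    next
end

# Outbound policy for department B: source NAT to the pool address
# instead of the wan1 interface address. "deptB-lan" is a hypothetical
# internal interface name.
config firewall policy
    edit 0
        set name "deptB-to-internet"
        set srcintf "deptB-lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "deptB-pool"
    next
end
```

Department A's existing policy keeps `set nat enable` without a pool, so its traffic continues to use the wan1 interface address.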