Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
robert_espi
New Contributor II

2 Public IP from same ISP for Two Departments on Same FortiGate

Hi,

 

I got a block of public ips with 2 usable ips. I wanted to add the first ip out of the block for department A on wan1 port. And the second ip on wan2 for department B. I have no trouble adding the first ip for department A. When I'm adding the second ip for department B i get an error stating "conflicts with wan1 subnet'. 

Department A -> Wan1

= IP- 200.200.20.2 Subnet mask 255.255.255.248 Gateway is 200.200.20.1

 

Department B -> Wan2

= IP- 200.200.20.3 Subnet mask 255.255.255.248 Gateway is 200.200.20.1

 

I understand the conflict, but is there another way of achieving this? I know you can add a secondary ip when configuring an interface. Perhaps this is what i need to do and just use an ip pool for outgoing interface for traffic from department B to pass thru 200.200.20.3. 


 

R.E
R.E
11 REPLIES 11
gfleming
Staff
Staff

Yes you can not have two interfaces in the same subnet. In this case you will use NAT to accomplish your requirements. Dept A will be SNAT to .2 and Dept B will be SNAT to .3.

 

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/898655/static-snat

 

No need for a secondary IP

Cheers,
Graham
Toshi_Esumi
Esteemed Contributor III

Are you sure this is the "interface" subnet, not an additional subnet to the interface subnet? It's very odd you have /29 subnet mask (/255.255.255.248) when you get "block of 2 usable IPs". It's generally /30.

Also it's odd, at least to me, to have two circuits (terminated at wan1 and wan2) from the same ISP and get just one subnet if it's an interface subnet.

 

Toshi

gfleming

Getting a /29 from an ISP is possible. I've seen it before. Sometimes they route a larger block over a /30 or they just give a small block and that's what you get and its not routed.

 

Also I think OP was talking about splitting the ISP link over two WAN links I don't think he's saying he's getting two circuits from the ISP. In that case it would definitely be two different subnets.

Cheers,
Graham
Toshi_Esumi
Esteemed Contributor III

I agree. @robert_espi, are you trying to use wan1/wan2 interfaces for the internal side of connections? Not to the ISP?

 

Toshi

robert_espi

The public ip we get from isp are whitelisted on other domains for services. Its also for internal staff to get thru to our dailup ipsec vpn and for a site to site vpn to a remote site. 

R.E
R.E
robert_espi

Correct. Its not two different circuits from the ISP. Its just one ONT device which we connect to both ports wan1 and wan2 on the fortigate and assigned the public ip static. Previously it was working due to us having two firewalls. But since we've upgraded to a 100F we decided for both companies to use 1 firewall. I know we could have achieved this using vdoms but im still not too comfortable when it comes to creating sts ipsec tunnels and dialup clients. 

R.E
R.E
Toshi_Esumi
Esteemed Contributor III

As you figured two separate vdoms are the only option since they act as independent routers/FWs. You likely need to connect them together over npu-vlink then route traffic through so that those shared connections, like VPNs, can be shared for both sides.
But you must have been doing the same with physical connections when you had two FWs.

 

Toshi

Faiza_Emam_Delhi
Contributor II

The error message you are seeing indicates that there is an IP address conflict between the WAN1 and WAN2 interfaces on your FortiGate. This is because both interfaces are configured with IP addresses from the same subnet.

To resolve this issue, you can either change the subnet mask or use a different subnet for one of the interfaces. Here are two possible solutions:

1. Change the subnet mask: You can change the subnet mask on both interfaces to use a larger subnet, such as 255.255.255.240. This would allow both interfaces to use IP addresses in the same subnet without conflicting with each other. However, this would reduce the number of available IP addresses in the subnet.

2. Use a different subnet: You can configure one of the interfaces to use a different subnet than the other interface. For example, you could configure WAN1 to use the 200.200.20.0/29 subnet and WAN2 to use the 200.200.20.8/29 subnet. This would ensure that there is no IP address conflict between the two interfaces.

If you choose to use a different subnet for one of the interfaces, you will also need to update the routing table on your FortiGate to ensure that traffic is routed correctly between the two subnets.

Thanks & Regards,
Faizal Emam
Thanks & Regards,Faizal Emam
HezekiahGage
New Contributor

To resolve the IP conflict and achieve the desired setup, you can configure the WAN1 interface with the IP address 200.200.20.2 and the subnet mask 255.255.255.248, along with a gateway of 200.200.20.1 for department A. Then, configure the WAN2 interface with a secondary IP address of 200.200.20.3 and the same subnet mask. This allows you to assign both IP addresses to separate departments. To ensure outgoing traffic from department B uses the correct IP, set up an IP pool or source-based routing to route traffic from department B through the WAN2 interface with the source IP of 200.200.20.3.

Labels
Top Kudoed Authors