Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Troy_Sorzano
New Contributor

/30 and /28 on Fortigate without router

All our Fortigates have been set up with a router. We configure the router with a /30 address. Then we configure the Fortigate with a WAN1 and the /28. This makes for a very simple Fortigate setup with just an internal interface and a WAN1 interface.

Yesterday we were delivered a 10Bbit ethernet connection with no router. The ISP provided us with a /30 using VLAN id = 700 and the /28 IPs. We were able to get it working using only the Fortigate but we are having a few issues. My question is what is the best practice to set up a Fortigate with two IPs on the WAN, thus replacing the router.

Here is how I configured it, with both ranges on the WAN1 interface (munged IPs):

WAN1
  /28  205.241.19.49 / 255.255.255.240

VzVLAN
  type VLAN
  Interface WAN1
  VLAN ID 700
  /30  113.121.42.234 / 255.255.255.252

Route
  0.0.0.0 / 0.0.0.0  113.121.42.233  VzVLAN  distance 10

Is this the proper way to set up a /30 and /28 on a WAN interface?

On my normal simple Fortigate devices my policies are Internal --nat-> Wan1 and this gives me my NAT on the mgt interface 205.241.19.49. Now with this more complex setup I have WAN1 and VzVLAN. I want my traffic to flow Internal --nat--> Wan1 -> VzVLAN; I want the NAT IP of 205.241.19.49. However, because my route is on the far side of the VzVLAN, I think my traffic is flowing like this: Internal --nat--> VzVLAN, thus getting the IP of 113.121.42.234.

Can anyone help me better understand handling traffic when we have two subnets on one WAN interface?

Thanks,
Troy
3 REPLIES
rwpatterson
Valued Contributor III

You are confusing your thinking. The two interfaces are WAN1 and VLAN700. Any outgoing traffic you want on the new pipe must have a policy going to the remote router on VLAN700. You will need to NAT all this traffic outbound or the Internet connection won't work as desired (or at all).

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Troy_Sorzano

Bob, OK, WAN1 and VLAN700 are to be treated as different interfaces. And this is what I am seeing. But I am still trying to wrap my head around it, so thank you for your understanding.

I do have a policy Internal -nat-> VLAN700 and that works to get my traffic out. But my traffic is NATed to that /30 VLAN, which is only 1 IP. This is causing a problem for my mail server, which I need to show up on the /28 range because of my SPF and reverse PTR.

Maybe the best way to understand my confusion is to imagine this. I have a Fortigate WAN with a /28. I have a Cisco router with a /30. My system is up and running. Internal --nat--> WAN1 has my NATed address exposed to the internet as the mgt interface IP of the Fortigate on the /28. All my VIPs are on the /28 and are exposed to the internet. This is how all my Fortigates are set up and they work great. Very simple for me to understand: the WAN1's gateway is the Cisco router /30.

I want to remove the physical router and put that /30 on my Fortigate, but still have the same functionality with my /28 being exposed for my NAT and VIPs.

First question is, can that be done, or would you recommend I always have a router for the /30? If it can be done, can you give me some pointers to get going in the right direction, or what questions to ask? I think my default gateway is my biggest confusion. I want a gateway on the /28 range, but right now my gateway is on the /30. Could I have a route to /28, then to the /30? Man, my head hurts....
rwpatterson
Valued Contributor III

ORIGINAL: Troy Sorzano
> Bob, OK, WAN1 and VLAN700 are to be treated as different interfaces. And this is what I am seeing. But I am still trying to wrap my head around it, so thank you for your understanding. I do have a policy Internal -nat-> VLAN700 and that works to get my traffic out. But my traffic is NATed to that /30 VLAN, which is only 1 IP. This is causing a problem for my mail server, which I need to show up on the /28 range because of my SPF and reverse PTR. Maybe the best way to understand my confusion is to imagine this. I have a Fortigate WAN with a /28. I have a Cisco router with a /30. My system is up and running. Internal --nat--> WAN1 has my NATed address exposed to the internet as the mgt interface IP of the Fortigate on the /28. All my VIPs are on the /28 and are exposed to the internet. This is how all my Fortigates are set up and they work great. Very simple for me to understand: the WAN1's gateway is the Cisco router /30. I want to remove the physical router and put that /30 on my Fortigate, but still have the same functionality with my /28 being exposed for my NAT and VIPs.

After you remove the Cisco, the other interface would probably have a wider IP range than the /30. Just a thought.

> First question is, can that be done, or would you recommend I always have a router for the /30?

It can be done. Most of us drop the external router and terminate the Internet directly on our FGT units (aside from some hairy BGP issues).

> If it can be done, can you give me some pointers to get going in the right direction, or what questions to ask? I think my default gateway is my biggest confusion. I want a gateway on the /28 range, but right now my gateway is on the /30. Could I have a route to /28, then to the /30? Man, my head hurts....

No, you cannot, because return traffic would still come back in on the /28 subnet. Your best bet (if you're not married to the /28 IP addresses) would be to set up a secondary DNS entry on the /30 subnet for your mail server, and match the SPF entries to allow that as well. You may also have to set up some type of IP forwarding on the Cisco that would then get sent to the mail server IP. I'm not sure of your particular layout.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
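As an added example that is not part of this thread (and not either poster's configuration), the following FortiOS CLI shows one way to carry both ranges on the VLAN 700 sub-interface so that outbound NAT and inbound VIPs use the /28 while the default route stays on the /30. It assumes the ISP routes the /28 toward 113.121.42.234, the Fortigate's address on the /30 link, which is the usual arrangement when the /30 is the link network and the /28 is the routed block. The pool and VIP names, the policy IDs, the VIP address 205.241.19.50 and the internal mail server 10.0.0.25 are constructed placeholders.

```fortios
# Added example, not from the thread. Assumes the ISP routes the /28 via 113.121.42.234.
config system interface
    edit "VzVLAN"
        set vdom "root"
        set type vlan
        set interface "wan1"
        set vlanid 700
        set ip 113.121.42.234 255.255.255.252
        set allowaccess ping
        # Put the /28 on the same tagged sub-interface as a secondary address,
        # so replies to 205.241.19.49 arrive on VzVLAN rather than untagged wan1.
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 205.241.19.49 255.255.255.240
                set allowaccess ping
            next
        end
    next
end

# Default route stays on the far side of the /30, exactly as in the poster's setup.
config router static
    edit 1
        set gateway 113.121.42.233
        set device "VzVLAN"
        set distance 10
    next
end

# Outbound source NAT from the /28 instead of the /30 interface address.
config firewall ippool
    edit "pool-28"                      # placeholder name
        set type overload
        set startip 205.241.19.49
        set endip 205.241.19.49
    next
end

config firewall policy
    edit 10                             # placeholder policy ID
        set name "internal-out-via-28"
        set srcintf "internal"
        set dstintf "VzVLAN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-28"
    next
end

# Inbound VIP for the mail server, answered on VzVLAN from a /28 address.
config firewall vip
    edit "vip-mail"                     # placeholder name
        set extip 205.241.19.50         # placeholder address inside the /28
        set extintf "VzVLAN"
        set mappedip "10.0.0.25"        # placeholder internal server
        set arp-reply enable
    next
end

config firewall policy
    edit 11                             # placeholder policy ID
        set name "inbound-mail"
        set srcintf "VzVLAN"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-mail"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
end
```

With this in place the path is Internal --nat--> VzVLAN with a source of 205.241.19.49, and wan1 itself needs no address of its own. To confirm which address leaves the box, run `diagnose sniffer packet VzVLAN 'host 205.241.19.49' 4` while generating outbound traffic, and check that `get router info routing-table all` still shows the default route via 113.121.42.233 on VzVLAN. Restricting the inbound policy to the SMTP service and the single VIP, rather than opening the whole /28, keeps the exposed surface to the one server that needs it.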
