Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
ORIGINAL: Troy Sorzano

Bob, OK, WAN1 and VLAN700 are to be treated as different interfaces, and this is what I am seeing. But I am still trying to wrap my head around it, so thank you for your understanding. I do have a policy Internal -nat-> VLAN700 and that works to get my traffic out. But my traffic is NATed to that /30 VLAN, which is only 1 IP. This is causing a problem for my mail server, which I need to show up on the /28 range because of my SPF and reverse PTR. Maybe the best way to understand my confusion is to imagine this. I have a Fortigate WAN with a /28. I have a Cisco router with a /30. My system is up and running. Internal --nat--> WAN1 has my NATed address exposed to the internet as the mgt interface IP of the Fortigate on the /28. All my VIPs are on the /28 and are exposed to the internet. This is how all my Fortigates are set up, and they work great. Very simple for me to understand: the WAN1's gateway is the Cisco router /30. I want to remove the physical router and put that /30 on my Fortigate, but still have the same functionality with my /28 being exposed for my NAT and VIPs.

After you remove the Cisco, the other interface would probably have a wider IP range than the /30. Just a thought.

First question is: can that be done, or would you recommend I always have a router for the /30?

It can be done. Most of us drop the external router and terminate the Internet directly on their FGT units (aside from some hairy BGP issues).

If it can be done, can you give me some pointers to get going in the right direction, or what questions to ask? I think my default gateway is my biggest confusion. I want a gateway on the /28 range, but right now my gateway is on the /30. Could I have a route to /28 then to the /30? Man, my head hurts....

No you cannot, because return traffic would still come back in on the /28 subnet. Your best bet (if you're not married to the /28 IP addresses) would be to set up a secondary DNS entry on the /30 subnet for your mail server, and match the SPF entries to allow that as well. You may also have to set up some type of IP forwarding on the Cisco that would then get sent to the mail server IP. I'm not sure of your particular layout.
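The SPF point in the reply above is easy to get wrong in practice: once outbound mail is NATed to the /30 address, a record that only lists the /28 produces a hard fail until the /30 is added. The following is an added illustration, not code from the thread or from Fortinet; it implements only the ip4/ip6 and "all" mechanisms of SPF, and the address ranges are constructed documentation ranges standing in for the poster's real /28 and /30.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges, not the poster's addresses):
# the /28 the FortiGate VIPs and outbound NAT historically used, and the /30
# point-to-point range that used to live on the Cisco router.
PUBLIC_28 = "203.0.113.16/28"
LINK_30 = "198.51.100.0/30"
MAIL_NAT_IP_ON_30 = "198.51.100.2"   # source IP the mail server gets after NAT to VLAN700

SPF_BEFORE = f"v=spf1 ip4:{PUBLIC_28} -all"                  # only the /28 listed
SPF_AFTER = f"v=spf1 ip4:{PUBLIC_28} ip4:{LINK_30} -all"     # /30 added, as the reply suggests

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record: str, sender_ip: str) -> str:
    """Evaluate the address mechanisms of an SPF record against sender_ip.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (not an SPF record)
    or 'permerror' (malformed network). include/a/mx mechanisms need DNS lookups
    and are deliberately not handled here.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"                      # default qualifier is '+' (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":               # 'all' always matches; ends evaluation
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6") and arg:
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no 'all' term


def mail_server_results() -> dict:
    """Result for the NATed mail server under the old and the updated record."""
    return {
        "before": spf_check(SPF_BEFORE, MAIL_NAT_IP_ON_30),
        "after": spf_check(SPF_AFTER, MAIL_NAT_IP_ON_30),
    }
```

The same check can be pointed at the FortiGate's actual NAT source address once the /30 is terminated on the unit, and the reverse PTR for that address must be updated separately since SPF does not cover it.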