Let's say I have a /28 block of public IPs
123.234.10.32 (fake IP to protect the innocent)
ISP says my gateway IP will be 10.33
Therefore my range of usable IPs will be 10.34 through 10.46
And 10.47 is broadcast.
I'll assign the first usable IP to the WAN interface on my Fortigate:
123.234.10.34
I am also required to enter a subnet mask here.
Would I enter a subnet mask for the entire /28 network? (255.255.255.240)
Assuming I actually wanted to do "stuff" with the remaining IPs in the block, I assume I would now need to add the remaining IPs - one by one - into the same WAN interface by enabling the 'Secondary IP Address' option and then clicking the +CreateNew button and add them, one at a time. Is this the right way to do it?
And since I am adding these IPs one at a time, would I use 255.255.255.255 as the subnet mask for each?
Or
Would I still use the /28 subnet mask?
Here's what I have now:
Interface Name: WAN
IP/Netmask: 123.234.10.34/255.255.255.240
Secondary IP Address
123.234.10.35/255.255.255.255
123.234.10.36/255.255.255.255
123.234.10.37/255.255.255.255
123.234.10.38/255.255.255.255
123.234.10.39/255.255.255.255
123.234.10.40/255.255.255.255
123.234.10.41/255.255.255.255
123.234.10.42/255.255.255.255
123.234.10.43/255.255.255.255
123.234.10.44/255.255.255.255
123.234.10.45/255.255.255.255
123.234.10.46/255.255.255.255
(Is this right? Or should the subnet mask for each of these IPs also be 255.255.255.240?)
Why do you want that many additional IPs on the WAN IF, for services? Anyway, for both of your questions, you use the /28 subnet mask. It's like "normal" interface networking.
--- NSE 4 ---
You would use public IPs to access servers on your LAN (1), or a server provided by your FGT (2).
For the latter, the FGT offers SSLVPN or IPsec VPN gateway services. For this, you would create secondary IPs.
For (1) - internal servers, you need to create VIPs (destination NAT objects) which redirect traffic destined to the WAN address to an internal address on your LAN/DMZ. No need to define secondary IPs for these, and in fact, they would prevent this usage.
So, yes, you could create 2 more secondary IPs if needed but I don't see a use case for more.
I have 9 public-facing servers that are hosted behind my firewall in the DMZ.
So one public IP is used for the Public DNS A record that points to my Email Server. Another public IP points to my FTP server. Another points to a web server, and so on.
So wouldn't all of these public IPs need to be added to the WAN interface? Or is there a different way to do this?
Finally I found a way to do this. Most of the information online is useless compared to yours.
It doesn't look like anyone ever truly answered this. I have the exact same questions as you did about this and I am wondering how you ended up doing it?
For anyone coming here for an answer to this,
the (simplest) correct way to do this is to do the following -
You do not need to add every single IP to the wan interface, just one IP.
IP: X.X.10.34 MASK: 255.255.255.240 GW: X.X.10.33
The remaining IPs get allocated via Virtual IPs (Policy & Objects > Virtual IPs).
This remains true whether the internet link is part of the subnet, or the internet link is a /30 (for this you set the WAN link using the /30) and there is a separate subnet routed from the ISP over that link.
I hope this helps.
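As an added example (not part of any post above, and not Fortinet documentation), here is the layout the last answer describes, written as FortiOS CLI. The interface names `wan1` and `dmz`, the VIP and policy names, the policy ID, and the DMZ server addresses `192.168.10.25` and `192.168.10.26` are assumptions chosen for illustration; the public addresses are the thread's own example block. Only the first usable address goes on the WAN interface; the other public addresses are claimed by VIP objects, which the FortiGate answers ARP for on `wan1`, so no secondary IPs are needed:

```text
# WAN interface: one address from the /28, with the /28 mask
config system interface
    edit "wan1"
        set ip 123.234.10.34 255.255.255.240
        set allowaccess ping
    next
end

# Default route via the ISP gateway
config router static
    edit 1
        set gateway 123.234.10.33
        set device "wan1"
    next
end

# Destination NAT objects: each public address maps to a DMZ host
# (mappedip values are assumed, pick your real DMZ addresses)
config firewall vip
    edit "vip-mail"
        set extip 123.234.10.35
        set extintf "wan1"
        set mappedip "192.168.10.25"
    next
    edit "vip-web"
        set extip 123.234.10.36
        set extintf "wan1"
        set mappedip "192.168.10.26"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# Inbound policies: restrict to the VIP and the service, never "all"
config firewall policy
    edit 10
        set name "inbound-mail"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-mail"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
    edit 11
        set name "inbound-web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

Two checks worth doing after applying this: confirm from an outside host that only the intended ports answer on each public address, and confirm that `123.234.10.33` (the ISP gateway) and `123.234.10.47` (broadcast) were never used for a VIP or secondary IP. The second VIP shows the port-forwarding form, which limits the exposed surface to one port instead of every port on the mapped host; the first VIP is a whole-address mapping, so the policy's `service` line is what keeps it to SMTP.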