Hi all,
I'm complete new to Fortigate . I've searched the topics to see if someone already has given a solution for the problem I'm encountering, but didn't find it. I've a Fortigate 60D, and upgraded the OS to 5.4.
Today I received a public subnet from my ISP with 16 IP addresses (from which I can use 14). These IP addresses 212.115.xxx.xxx /28 will be routed by our ISP to one external IP adres: 217.63.xx.xx. I've configured the WAN1 port with this IP address: 217.63.xx.xx. The internet connection is ok. When I connect a PC to Int 1, I have internet, and the IP address is also pingable from the outside.
I've deleted port 2 t/m 7 from the Hardware Switch (only port 1 remains as member of the switch).
Now I would like to configure the FGT as follow:
212.115.xxx.xx1 = Port 1 = VLAN 1 = connected to HP switch (on this VLAN 1 I have servers, switches, printers etc.)
212.115.xxx.xx2 = Port 2 = VLAN 2 = connected to HP switch (on this VLAN 2 I have some DECT transmitters for telephony)
212.115.xxx.xx3 = Port 3 = VLAN 3 = connected to HP switch (on this VLAN 3 I have a Guest Wifi network)
212.115.xxx.xx4 = Port 4 = VLAN 4 = connected to HP switch (on this VLAN 4 I have the internal LAN clients)
Could this be done?
Or should I use port 2 - 5 for the VLAN's and port 1 for management?
The config as how I have it now is:
I tried to setup int2 as WAN port to submit the external IP directly, and created VLAN_DECT (VLAN2) as part of this Int2.
I tried to setup int3 as WAN port (instead of applying a ext. IP address, I tried to get the IP address from DHCP (but the DHCP server isn't active jet, so the IP address = 0.0.0.0
How should I config the interfaces (and after that, how do I have to config a NAT route) in such way they will go to the internet (thru the WAN1 port) with their own external IP adress?
I hope you'll understand what I'm trying to do, and someone can help me....
Thanks in advance.
Leander van Gorsel
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Please explain what the actual local subnets you want to assign to VLAN1-4. Assigning /32 public IP to the interfaces wouldn't let you connect any IP devices in those VLANs. You instead need to have a GW IP in those VLANs on the ports and use combinations of VIP&IP Pool to configure NAT with those public IPs.
Hello Toshi,
Thank you for your reply. Unfortunately I don't understand you completely... I'll try to make it a bit more clear.
The local subnets I want to use are:
VLAN 1: 192.168.1.0 /24 (Servers etc)
VLAN 2: 192.168.2.0 /24 (DECT)
VLAN 3: 192.168.3.0 /24 (WIFI Guest)
VLAN 4: 192.168.4.0 /23 (LAN Clients)
These VLANS's are configured on a couple of stacked HP-2920-48G switches. From these switches I use 1 port for each VLAN to connect the switch to the FGT. i.e.:
VLAN 1 = port 1 of HP switch <--> Port 1 FGT <--> 212.115.xxx.xx1
VLAN 2 = port 2 of HP switch <--> Port 2 FGT <--> 212.115.xxx.xx2
VLAN 3 = port 3 of HP switch <--> Port 3 FGT <--> 212.115.xxx.xx3
VLAN 4 = port 4 of HP switch <--> Port 4 FGT <--> 212.115.xxx.xx4
But now I don't know how to configure the VLAN's 1-4 on the ports 1-4 of the FGT.
Beside that I want to assign different public IP addresses to each VLAN. So when I want to connect to the mailserver I need to use the public IP address of VLAN 1 (port 1 FGT) i.e. 212.115.xxx.xx1. If I want to connect to a client device or CCTV device on the local LAN, i want to use the public IP address of VLAN 4 (port 4 FGT) i.e. 212.115.xxx.xx4. (of course I also need a routing table to route the external IP address 212.115.xxx.xx4 from port 3389 to internal address 192.168.4.xxx).
I think I also need a routing table in the FGT to route the public IP's 212.115.xxx.xx1, 212.115.xxx.xx2, 212.115.xxx.xx3, 212.115.xxx.xx4 from each port of the FGT to the WAN1 port which has public IP adres: 217.63.xx.xx.
But I don't know how to configure the ports with the corresponding VLAN's and how to use the public IP addresses on these ports.
I have two more days to accomplish this, I hope somebody can explain it to me...
Regards.
As many threads discussed about vlan config on FG, a vlan is a subinterface of each physical/logical interface. You just need to create a new interface with an interface like Port2 (VLAN1 is always native so you don't have to configure a subinterface). If you google "Fortigate VLAN configuration" you can find many examples.
At those vlan interfaces, you need to configure an IP like 192.168.2.1/24(VLAN2), then it would become the GW for all devices in the VLAN.
There are two components in FG's static NAT; 1) in-to-out, and 2) out-to-in. For 1) you need to create an ip-pool to have the /32 as a member then use it for outgoing policy for the vlan subnet, otherwise all traffic use the interface public IP (if it's not desirable). For 2), it's called VIP, You need to map it to actual internal destinations somehow. You can separate traffic by ports. You need to figure out how to do that if those devices in the same vlan use the same ports.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.