- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Basic Configuration with multiple public IPs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Basic Configuration with multiple public IPs
hi,
I am trying to setup a FortiWiFi 40C to work with our network. I hope this is even the correct subforum. We have an adsl-modem connected to WAN1 of the FortiWiFi, a large switch on LAN1 for alle the client-PCs and a bintec elmeg hybird 300 PBX system for VoiP on LAN2.
Our ISP has given us 4 public IP Adresses as well as a gateway IP.
The Gateway IP is public.97, useable addresses are public.98 to public.102. Only public.98 is allowed for SIP-login for VoiP though.
What I am trying to achieve is to route all traffic for public.98 to the PBX on LAN2, and let the clients access the internet with public.99. For remote access to our NAS i would also need public.100 forwarded to the NASes IP on LAN1, but this is secondary.
Right now I configured the WAN-Interface to connect to the modem with PPPoE which works fine, but all clients now have public.97 as public IP.
Can somebody point me in the right direction what I have to configure?
[strike]*edit: We had a working setup with a small mikrotik-router, which I don't have access to, inbetween modem and fortiwifi performing the pppoe and probably routing of the IPs. The FortiWiFi would get internet access, if I could define a gateway to use. In the WAN-configuration I can only use manual mode, where I can only define an IP, but no gateway. For a quick fix, can I somehow configure the FortiWiFi to use public.99 as IP and public.97 (the Mikrotik Router) as gateway? In the long run I would like to eliminate or at least reset the mikrotik router to regain access. [/strike]fixed with static route to 0.0.0.0/0 via public.97
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
all clients now have public .98 as public IP - .97 is the gateway address on your provider's side.
In the outbound policies (lan1 to wan1 and lan2 to wan1), you can use IPpools for source NAT. If you only tick "NAT", source NAT will be done with the outbound interface address. In an IPpool, you can specify the address to use.
As your general internet traffic and VoIP traffic use different source interfaces, you have 2 different policies outbound, and thus can use different IPpools.
To direct inbound traffic from a public IP to a private IP (wan to LAN), you create a VIP (virtual IP). The VIP does destination NAT and exchanges the public.100 to the private IP of your NAS. Reply traffic as well as traffic originating from your NAS will use this translation as well - you don't have to NAT it's source address.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
all clients now have public .98 as public IP - .97 is the gateway address on your provider's side.
In the outbound policies (lan1 to wan1 and lan2 to wan1), you can use IPpools for source NAT. If you only tick "NAT", source NAT will be done with the outbound interface address. In an IPpool, you can specify the address to use.
As your general internet traffic and VoIP traffic use different source interfaces, you have 2 different policies outbound, and thus can use different IPpools.
To direct inbound traffic from a public IP to a private IP (wan to LAN), you create a VIP (virtual IP). The VIP does destination NAT and exchanges the public.100 to the private IP of your NAS. Reply traffic as well as traffic originating from your NAS will use this translation as well - you don't have to NAT it's source address.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, I'll try to get this to work on the weekend, when nobody is in the office. Is the following configuration of the FortiWiFi correct:
[ol]Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. PPPoE *assigns* a WAN IP, like with DHCP. That's why you cannot configure a primary or a secondary IP.
2. VIP is OK. Be aware that you can't ping the internal server (for testing) if you port-forward, only if you fully forward all traffic. Which is no security risk as you narrow down the services in the policy.
3. Traffic from WAN to internal server has to use a VIP. Traffic from LAN to WAN2, where the default route is pointing to WAN1, needs to use a Policy Route.
So plenty of stuff to read up on...
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Related Posts
- FortiManager and FSSO agents 167 Views
- Replace private AS path but keep... 396 Views
- Multiple Fortigate/VDOM SAML MFA Auth (for... 160 Views
- FortiEMS/FortiClient - VPN Tunnel with Multiple... 360 Views
- FortiExtender Cloud 24.1 is now Released! 143 Views
Labels
-
FortiGate
6,756 -
FortiClient
1,344 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
346 -
FortiAP
344 -
FortiClient EMS
274 -
FortiMail
262 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
108 -
FortiSIEM
91 -
FortiGateCloud
88 -
IPsec
86 -
FortiCloud Products
85 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
69 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
33 -
SD-WAN
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiAuthenticator
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
BGP
14 -
DNS
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
FortiSOAR
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.