The client had a single IP from Google Fiber before my company took over support. We installed an 80F, and the "static" is issued by DHCP from Google Fiber on the WAN interface. We have upgraded their Google Fiber account to add 5 static IPs. The statics are in a different subnet.
I am unsure what to do. Very important - if I create VLAN(s) for the static IP(s), what will change for the static IP issued by DHCP over the WAN? All traffic is currently using that DHCP static IP, including VPN. Will that render that IP unusable since it becomes a gateway for the block of static IPs?
If the statics require a VLAN, which interface? The main LAN or the WAN? What is the Role that I select: LAN? WAN? DMZ? Undefined?
Can this be done with VIPs or IP Pools? If IP Pools, what type do I use? One-to-One, Fixed-Port Range, or something else?
Here is Google's depiction of the necessary layout for using static IPs.
I've never seen that kind of helpful diagram provided by any ISPs who offer additional static IP blocks before. That tells exactly what you can do with the additional /29 subnet. Let's say you got 1.1.1.0/29. Then you can use 1.1.1.1/29 on your 80F's LAN interface IP, then other devices that should get a public IP take like 1.1.1.2/29 - 1.1.1.6/29 each. Of course the GW for those devices is 1.1.1.1.
Toshi
Created on 06-28-2023 08:02 AM Edited on 06-28-2023 08:03 AM
Thanks, Toshi.
Where do I put the 1.1.1.1 then? As an additional IP on the existing LAN interface or does this have to be a VLAN?
What do you make of the 23.23.23.23 reference in this part of the diagram?
It's up to you or what the customer currently has/previously had. If no private IP needed, you can swap the "internal" interface IP 192.168.1.99/24 with 1.1.1.1/29. If you want/need it as a separate subnet, either need to use the secondary IP on the internal or a new VLAN interface.
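As an added example that is not part of the thread, this is what Toshi's "secondary IP on the internal" option looks like in FortiOS CLI. It keeps 192.168.1.99/24 on "internal" (the interface name used in this thread), adds 1.1.1.1/29 (Toshi's placeholder block) as a secondary address so it becomes the gateway for hosts taking 1.1.1.2-1.1.1.6, and shows the inbound policy such a host still needs, since nothing reaches it until a policy allows it. "wan1" as the WAN interface name, the host 1.1.1.2 and the HTTPS-only service are assumptions.

```fortios
# Added example, not from the thread. "internal"/"wan1" and 1.1.1.0/29
# are the thread's names and placeholder block; the host is constructed.
config system interface
    edit "internal"
        set secondary-IP enable
        config secondaryip
            edit 1
                # 1.1.1.1 is the default gateway for the public-IP hosts
                set ip 1.1.1.1 255.255.255.248
                # keep management services off the public-facing subnet
                set allowaccess ping
            next
        end
    next
end

# The public host itself is configured with 1.1.1.2/29, gateway 1.1.1.1.
config firewall address
    edit "srv-1.1.1.2"
        set subnet 1.1.1.2 255.255.255.255
    next
end

# Inbound traffic to the host is routed, not translated, so the policy
# has NAT disabled and is limited to the single service that host serves.
config firewall policy
    edit 0
        set name "wan-to-srv-1.1.1.2"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "srv-1.1.1.2"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
        set logtraffic all
    next
end
```

With this layout the existing DHCP-issued WAN address is untouched: the /29 is a second routed subnet sitting behind the firewall, and each public host is reachable only through the policies written for it.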
Created on 06-28-2023 08:48 AM Edited on 06-28-2023 08:49 AM
Is this the right way to do this?
If you want to use them in VIPs only, you don't need to have it on any FGT's interfaces. Only in case the devices need to have one of public IPs, you need to set it at an interface.
I don't understand. Here is the information from Google regarding this configuration. Specifically, the highlighted text.
Created on 06-28-2023 09:22 AM Edited on 06-28-2023 09:23 AM
Google's doc or any other ISP's would NOT include a case their customer has a FW to terminate the circuit. Never assume they're used as VIPs. Their explanation, as the diagram indicates, assumes a "router" terminates the circuit, let's say a cheap Linksys or TP-Link router, which can only route the additional subnet to LAN side. In that case, you have to assign it on the LAN interface.
With VIPs, the additional public IPs never leave the FGT. Just stay inside of it.
If you still have some doubt, you can configure a VIP to one device, get a maintenance window, then swap it with the current router/FW they have then verify it actually works.
Or open a ticket at TAC and ask them. They would say exactly the same.
Toshi
Toshi, I fully appreciate how much you are trying to help me. I am testing several scenarios now in my own environment.
Created on 06-28-2023 11:50 AM Edited on 06-28-2023 11:51 AM
In case you didn't know, you can use the full /29, all 8 IPs, for VIPs, including 1.1.1.0/29 and 1.1.1.7/29. Google's side routes all packets destined to the subnet, including the subnet address and broadcast address. Only in case you assigned it to a LAN interface would those IPs not be usable/routable.
Toshi
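The VIP route Toshi recommends, as an added example that is not part of the thread: the /29 is never assigned to any interface, each public address is a VIP on the WAN interface mapped to a private host, and a policy opens only the service that host provides. It uses 1.1.1.0 and 1.1.1.7 deliberately, since the last reply points out those are usable as VIPs but not on a LAN interface. "wan1", the mapped hosts 192.168.1.10 and 192.168.1.20, and the ports are assumptions.

```fortios
# Added example, not from the thread. 1.1.1.0/29 is the thread's
# placeholder block; "wan1" and the 192.168.1.x hosts are constructed.
config firewall vip
    # Whole public IP forwarded to an internal web server, but the policy
    # below still decides which services are actually reachable.
    edit "vip-1.1.1.0-web"
        set extip 1.1.1.0
        set extintf "wan1"
        set mappedip "192.168.1.10"
        # optional: make the server's own outbound traffic source from
        # 1.1.1.0 instead of the DHCP-issued WAN address
        set nat-source-vip enable
    next
    # Single-port forward: only TCP/443 on 1.1.1.7 is translated at all.
    edit "vip-1.1.1.7-443"
        set extip 1.1.1.7
        set extintf "wan1"
        set mappedip "192.168.1.20"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# A VIP on its own passes nothing; an explicit WAN-to-LAN policy with the
# VIP as destination is required, and it should be scoped to one service.
config firewall policy
    edit 0
        set name "inbound-vip-1.1.1.0-https"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-1.1.1.0-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 0
        set name "inbound-vip-1.1.1.7-https"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-1.1.1.7-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Because the additional addresses exist only as VIP objects, the DHCP-issued WAN address keeps carrying everything it does today, including the VPN. Before the swap Toshi suggests, confirm from outside that only the intended port answers on each VIP and that the policy logs show the expected source addresses.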