I have the task of migrating users on a business park from one ISP to another. With the current ISP we have a /23 subnet. The new one has given us a /24 as a start.
Each client has their own VLAN with their own subnet, /30, /29 etc.
Is there any way I can use the /24 the new ISP has given me across multiple VLAN interfaces without carving it up into smaller subnets?
I understand that it can be done with some Cisco and Brocade switches. I also saw an article explaining how to do it with a Mikrotik router using /32 subnets and proxy arp.
I've tried it various ways with routed or transparent VDOMs but with no success yet.
Any help is appreciated.
Cheers!
Well, a VLAN is layer 2 and you're speaking layer 3 (/24). First questions:
1: does the client really need a dedicated ip_address or can you SNAT?
2: can you use /31 (you will save quite a few addresses vs /30)?
3: Do you have a map or topology of how your network lays out now?
4: how much space was used by the original /23?
PCNSE
NSE
StrongSwan
Hi emnoc,
I agree, I'm mixing layer 2 and 3 here.
1.) a little over half the clients don't need fixed IPs so we assign them private ranges. The others have mail servers, VPNs and other services so they require their own public IP to assign to their own firewall.
2.) I've tested this with a few devices. Some of the cheaper SOHO routers don't like having a 31-bit subnet mask. Clients tend to have a variety of kit dependent on their needs.
3.) Map attached. It's complicated. Sorry :)
4.) Currently around 288 IPs. If I move them all to a /24 subnet I could save around 70 IPs. This would leave enough room to add more clients in future comfortably in a /24.
Okay
Here are my thoughts. Your overview is simple to follow; the inter-VDOM link will protect the inside-layer firewalls, right?
You want to pass or share parts of the /2X to these machines?
Will you always have multiple ISP providers? With multiple blocks routed to you?
Will obtaining more blocks come naturally and with ease?
And you're correct that /31 might not be a valid mask for all L3 routing devices, but what I found is that most devices have some type of firmware upgrade to allow for the 255.255.255.254 mask.
What's the VDOM count that you foresee "now" and in the "future"? I personally would leverage the multiple VDOMs and route all through the vdom-internet regardless of whether it's transparent or NAT/route.
Give a transparent VDOM to the users that require their own layer 3 router/firewall and provide NAT/routed firewall VDOMs for the others. Please see my example; this works great for a firewall with more than 10 VDOM support if you need to compartmentalize.
But you can quickly exhaust VDOMs by taking this approach. I also don't know what the max number of VDOM inter-links is. You need to aggregate customer firewalls; IMHO it's best to use a layer 3 router with a trunked handoff to an aggregation switch
(802.1q router on a stick) and place the firewalls (multiple VDOMs) behind this for the VDOMs you manage, and/or place a sub-interface SVI carried through the switch to customers that manage their own firewall/router.
This is how every MSSP/HSSP/VISP that I worked with does it, YMMV, but if you need public address space, then you need public address space. In the attachment we started with over 4 ISP uplinks but later stuck these into an A10 SLB for link loading.
So we could route traffic from our various VDOMs to link 1, 2, 3, 4 using whatever non-ECMP path selection.
Thanks for your detailed response :)
The internet VDOM is there to allow us to route between multiple ISPs more easily and using fewer physical firewall ports. We will have 3 ISPs for the foreseeable future with multiple blocks. Obtaining new blocks should be easy if we can show the need.
VDOM count, I'd say we may offer one or two VDOMs to select hosting clients if they need to manage their own firewalls. I like to keep control of that where I can. We won't exceed 10 unless we start selling it as a service. Then we'd outgrow our FG100Ds.
We have 36 clients who have public IPs on their own firewalls so we'd need a bigger box or multiple FortiGates to give each client a VDOM. I would like bigger boxes of course :)
I will test using the router to aggregate the VLANs. I have a couple of Cisco 2811s which might do for a test at least.
I have found a way to sort of do what I want. On the gateway VDOM, allow subnet overlap, assign the gateway IP for the /24 to each of the VLAN interfaces that need public IPs. Add static routes to each VLAN interface to the allocated IPs. The switches we have allow IP address filtering so I can permit only the client's allocated IP.
Communication between members of the /24 subnet is done locally across the switches and not in and out of the gateway as is the case now. There will be a little less control there but it's a solution that seems to work.
I also won't need the transparent VDOM.
Any obvious downsides you can see?
Cheers!
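To make the address arithmetic behind this thread concrete (emnoc's /31 question, the "save around 70 IPs" estimate, and the flat /24 with per-VLAN host routes described above), here is an added Python example that is not from any of the posters. It carves a constructed TEST-NET-3 /24 for a made-up set of client VLANs in three ways, and models the switch-side source-IP filter that keeps one tenant from using a neighbour's address on the shared /24. The VLAN names, counts and addresses are assumptions for illustration only.

```python
import ipaddress

# Constructed example data: a /24 from the ISP (TEST-NET-3, RFC 5737) and the
# number of public addresses each client VLAN needs. Names and counts are
# invented for illustration and are not the thread's real network.
ISP_BLOCK = ipaddress.ip_network("203.0.113.0/24")
CLIENT_NEEDS = {"vlan101": 1, "vlan102": 3, "vlan103": 1, "vlan104": 5, "vlan105": 1}


def usable(prefix):
    """Host addresses usable in an IPv4 subnet of this prefix length: /31
    (RFC 3021) and /32 have no network or broadcast address to lose."""
    size = 1 << (32 - prefix)
    return size if prefix >= 31 else size - 2


def carve(block, needs, min_prefix):
    """Classic design: a dedicated subnet per client VLAN, never longer than
    /min_prefix (30 for the traditional carve-up, 31 for RFC 3021 links).
    The firewall's own interface address also lives in each subnet."""
    plan, cursor = {}, int(block.network_address)
    for vlan, n in sorted(needs.items(), key=lambda kv: (-kv[1], kv[0])):
        prefix = min_prefix
        while usable(prefix) < n + 1:          # n client addresses + the firewall
            prefix -= 1
        # allocating the largest subnets first keeps every block naturally aligned
        net = ipaddress.IPv4Network((cursor, prefix))
        if not net.subnet_of(block):
            raise ValueError(f"{block} exhausted at {vlan}")
        plan[vlan] = net
        cursor += net.num_addresses
    return plan


def host_routes(block, needs):
    """The poster's design: the whole /24 on every client VLAN interface
    (subnet overlap allowed), one shared gateway address, and a /32 static
    route per allocated address pointing at the client's VLAN interface."""
    pool = list(block.hosts())             # network and broadcast excluded
    gateway = pool.pop(0)
    routes = {}
    for vlan, n in sorted(needs.items()):
        for _ in range(n):
            routes[pool.pop(0)] = vlan
    return gateway, routes


def switch_permits(routes, vlan, src_ip):
    """Model of the IP filter on the access switch: a frame from a client VLAN
    is forwarded only if its source is an address allocated to that VLAN, so a
    tenant cannot borrow a neighbour's address on the shared /24."""
    return routes.get(ipaddress.ip_address(src_ip)) == vlan


def compare(block, needs):
    """Public addresses consumed by each design for the same client list."""
    _, routes = host_routes(block, needs)
    return {
        "/30 carve": sum(s.num_addresses for s in carve(block, needs, 30).values()),
        "/31 carve": sum(s.num_addresses for s in carve(block, needs, 31).values()),
        "flat /24 + host routes": len(routes) + 1,   # + the shared gateway
    }


if __name__ == "__main__":
    gw, routes = host_routes(ISP_BLOCK, CLIENT_NEEDS)
    print(f"gateway {gw} on every VLAN interface")
    for ip, vlan in routes.items():
        print(f"static route {ip}/32 -> {vlan}")
    print(compare(ISP_BLOCK, CLIENT_NEEDS))
```

For the constructed client list the flat design spends exactly one address per client plus the gateway, while /30 carving roughly doubles that; the filter function is the check a practitioner would reproduce on the switch, since on a shared /24 it is the only thing stopping one VLAN from sourcing traffic as another.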
Of course one could use /32 subnet masks for (customer) end systems to ensure that all traffic (even to neighbors) will flow through the firewall.
I've seen some ISPs using this in their network to avoid wasting IP addresses, and still force all traffic through a particular default gateway.
On the end system you configure your ip address with a /32 subnet. The default gateway will sit outside your network (which is just your single host in case of /32). The end system will then use a simple ARP to see whether it can reach the default gateway via its interface.
On the default gateway you define the interface as /24 (or whatever your whole network has), enable proxy ARP, and disable ICMP redirects.
For example the German provider Hetzner described this setup in their Wiki:
http://wiki.hetzner.de/index.php/KVM_mit_Nutzung_aller_IPs_aus_Subnetz/en#IP_Addresses
"The net mask 255.255.255.255 ensures that we still always address outward packets to the Hetzner default gateway - even if we wish to speak with a rack neighbour."
But I have never implemented this myself on a FortiGate firewall. Maybe you can give it a try in a lab environment.
If it doesn't work with /32 and the gateway outside your (/32) network (which may not work on certain broken OS), you could instead try using /31 subnets with your firewall and the end system each having a dedicated IP in that subnet. Just like you would do with /30 (you just don't waste network and broadcast address). This procedure is described in RFC 3021.
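The /32 and /31 designs in the reply above differ only in what the end system considers on-link, which decides whether a neighbour is reached directly or through the firewall. This added Python example (not the poster's code, and not a FortiGate configuration) models that forwarding decision for the same host under /24, /31 and /32, and emits the Linux `ip`/`sysctl` commands for each side as a lab stand-in for the firewall. All addresses (TEST-NET-3) and interface names are assumptions for illustration.

```python
import ipaddress

# Constructed addresses (TEST-NET-3, RFC 5737) and interface names; none of this
# is the thread's real network. "gateway" stands in for the firewall.
HOST, NEIGHBOUR, GATEWAY, IFACE = "203.0.113.10", "203.0.113.12", "203.0.113.1", "eth0"
WHOLE_NET = ipaddress.ip_network("203.0.113.0/24")


def next_hop(local, prefixlen, gateway, dst):
    """The end system's forwarding decision for destination dst.
    ("direct", dst): dst is inside the host's own subnet, so the host ARPs for
    it and hands the frame straight to the neighbour, bypassing the firewall.
    ("via", gateway): dst is off-link and goes to the default gateway.
    With a /32 the subnet holds only the host itself, so every other address,
    a rack neighbour included, is off-link."""
    me = ipaddress.ip_interface(f"{local}/{prefixlen}")
    target = ipaddress.ip_address(dst)
    if target != me.ip and target in me.network:
        return ("direct", str(target))
    return ("via", gateway)


def gateway_on_link(local, prefixlen, gateway):
    """True when the default gateway is inside the host's subnet. With /32 it
    never is; the host then needs an explicit interface route for the gateway
    or it will refuse the default route. A stack that cannot express that is
    the "broken OS" case to check in the lab."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(f"{local}/{prefixlen}").network


def host_commands(local, prefixlen, gateway, iface):
    """Linux `ip` commands for the end system; the interface route is only
    needed when the gateway lies outside the subnet (the /32 design)."""
    cmds = [f"ip addr add {local}/{prefixlen} dev {iface}"]
    if not gateway_on_link(local, prefixlen, gateway):
        cmds.append(f"ip route add {gateway}/32 dev {iface}")   # reach the gateway on-link
    cmds.append(f"ip route add default via {gateway} dev {iface}")
    return cmds


def gateway_commands(gateway, whole_net, iface, client_routes):
    """Linux stand-in for the gateway side of the post: the whole /24 on the
    interface, proxy ARP on, ICMP redirects off (a redirect would tell the
    host to reach its neighbour directly and defeat the design), plus a /32
    route per client when each client hangs off its own VLAN interface."""
    cmds = [
        f"ip addr add {gateway}/{whole_net.prefixlen} dev {iface}",
        f"sysctl -w net.ipv4.conf.{iface}.proxy_arp=1",
        f"sysctl -w net.ipv4.conf.{iface}.send_redirects=0",
        "sysctl -w net.ipv4.conf.all.send_redirects=0",
    ]
    cmds += [f"ip route add {ip}/32 dev {dev}" for ip, dev in client_routes.items()]
    return cmds


def compare_masks():
    """Where HOST sends a packet for NEIGHBOUR under the three masks in the
    thread. In the /31 variant the firewall's end of the link is .11."""
    return {
        "/24": next_hop(HOST, 24, GATEWAY, NEIGHBOUR),
        "/31": next_hop(HOST, 31, "203.0.113.11", NEIGHBOUR),
        "/32": next_hop(HOST, 32, GATEWAY, NEIGHBOUR),
    }


if __name__ == "__main__":
    for mask, hop in compare_masks().items():
        print(mask, "->", hop)
    print("\n".join(host_commands(HOST, 32, GATEWAY, IFACE)))
    print("\n".join(gateway_commands(GATEWAY, WHOLE_NET, "eth1", {HOST: "eth1.101"})))
```

Only the /24 case lets the host talk to its neighbour without the firewall seeing the traffic; both /31 and /32 send it via the gateway, which is the whole point of the design. The `send_redirects=0` lines matter because a gateway that still emits ICMP redirects would quietly re-enable the direct path.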
I would take caution on this approach. This requires the device to understand the difference between a multi-access and a point-to-point link. Even the URL link shows what looks like a Linux config with the wording point2point for the device config. This is a big gotcha that you have to consider.
In a true point2point nobody relies on ARP, regardless if it's Proxy-Arp or Normal.
Thanks dfroe.
I had considered /32 or /31 addressing as an option. The few soho routers I tried were not happy with /31 or /32 as a subnet mask. I'll have to test it with something else and see if they support that.
Any recommendations for a soho vpn router?
It would be useful if the FortiGate could be configured as a PPPoE server.
IIRC Juniper SRX and the FortiGate 5K chassis offer PPPoE services, but you have way better and cheaper options ranging from a smaller Cisco IOS/ASR router to open-source Linux/BSD, and all of these would be way better than trying to set this up on a firewall IMHO.