Paul_Dean
Contributor

Conserving IP addresses

I have the task of migrating users on a business park from one ISP to another. With the current ISP we have a /23 subnet. The new one has given us a /24 as a start.

 

Each client has their own VLAN with their own subnet, /30, /29 etc.

 

Is there any way I can use the /24 the new ISP has given me across multiple VLAN interfaces without carving it up into smaller subnets?

 

I understand that it can be done with some Cisco and Brocade switches. I also saw an article explaining how to do it with a MikroTik router using /32 subnets and proxy ARP.

I've tried it various ways with routed or transparent VDOMs but with no success yet.

 

Any help is appreciated.

 

Cheers!

NSE4
emnoc
Esteemed Contributor III

Well, a VLAN is layer 2 and you're speaking layer 3 (/24). First questions:

1: Does the client really need a dedicated IP address, or can you SNAT?

2: Can you use /31? (You will save quite a few addresses vs. /30.)

3: Do you have a map or topology of how your network is laid out now?

4: How much space was used by the original /23?

 

PCNSE NSE StrongSwan
Paul_Dean
Contributor

Hi emnoc,

 

I agree, I'm mixing layer 2 and 3 here.

 

1.) A little over half the clients don't need fixed IPs so we assign them private ranges. The others have mail servers, VPNs and other services so they require their own public IP to assign to their own firewall.

2.) I've tested this with a few devices. Some of the cheaper SOHO routers don't like having a 31-bit subnet mask. Clients tend to have a variety of kit dependent on their needs.

 

3.) Map attached. It's complicated. Sorry :)

 

4.) Currently around 288 IPs. If I move them all to a /24 subnet I could save around 70 IPs. This would leave enough room to add more clients in future comfortably in a /24.

 

 

NSE4
emnoc
Esteemed Contributor III

Okay

 

Here are my thoughts. Your overview is simple to follow; the inter-VDOM link will protect the inside-layer firewalls, right?

You want to pass or share parts of the /2X to these machines?

Will you always have multiple ISP providers, with multiple blocks routed to you?

Will obtaining more blocks come naturally and with ease?

And you're correct that /31 might not be a valid mask for all L3 routing devices, but what I found is that most devices have some type of firmware upgrade to allow for the 255.255.255.254 mask.

What's the VDOM count that you foresee "now" and in the "future"? I personally would leverage the multiple VDOMs and route everything through the vdom-internet regardless of whether it's transparent or NAT/route.

Give a transparent VDOM to the users that require their own layer 3 router/firewall and provide NAT/routed firewall VDOMs for the others. Please see my example; this works great for a firewall with support for more than 10 VDOMs if you need to compartmentalize.

But you can quickly exhaust VDOMs by taking this approach. I also don't know what the max number of VDOM inter-links is. You need to aggregate customer firewalls; IMHO it's best to use a layer 3 router with a trunked handoff to an aggregation switch (802.1Q router on a stick) and place the firewalls (multiple VDOMs) behind this for the VDOMs you manage, and/or place a sub-interface SVI carried through the switch to customers that manage their own firewall/router.

This is how every MSSP/HSSP/VISP that I worked with does it, YMMV, but if you need public address space, then you need public address space. In the attachment we started with over 4 ISP uplinks but later stuck these into an A10 SLB for link loading.

So we could route traffic from our various VDOMs to links 1, 2, 3, 4 using whatever non-ECMP path selection.

 

 

PCNSE NSE StrongSwan
Paul_Dean
Contributor

Thanks for your detailed response :)

 

The internet VDOM is there to allow us to route between multiple ISPs more easily and using fewer physical firewall ports. We will have 3 ISPs for the foreseeable future with multiple blocks. Obtaining new blocks should be easy if we can show the need.

VDOM count: I'd say we may offer one or two VDOMs to select hosting clients if they need to manage their own firewalls. I like to keep control of that where I can. We won't exceed 10 unless we start selling it as a service. Then we'd outgrow our FG100Ds.

 

We have 36 clients who have public IPs on their own firewalls so we'd need a bigger box or multiple FortiGates to give each client a VDOM. I would like bigger boxes of course :)

 

I will test using the router to aggregate the VLANs. I have a couple of Cisco 2811s which might do for a test at least.

 

I have found a way to sort of do what I want. On the gateway VDOM, allow subnet overlap, assign the gateway IP for the /24 to each of the VLAN interfaces that need public IPs. Add static routes to each VLAN interface to the allocated IPs. The switches we have allow IP address filtering so I can permit only the client's allocated IP.

 

Communication between members of the /24 subnet is done locally across the switches and not in and out of the gateway as is the case now. There will be a little less control there but it's a solution that seems to work.

 

I also won't need the transparent VDOM.

 

Any obvious downsides you can see?

 

Cheers!

NSE4
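Paul's workaround above (the same /24 on every customer VLAN of the gateway VDOM, one /32 static route per allocated address) rendered as FortiOS CLI. This is an added example, not configuration from the thread: 203.0.113.0/24, the VLAN names, IDs, port and customer addresses are constructed, and the proxy-ARP entries are my addition for hosts that ARP for neighbours inside the shared /24.

```fortios
# Added example, not configuration from the thread. 203.0.113.0/24 stands in
# for the ISP /24; VLAN names, IDs, port and host addresses are constructed.
config global
    config system interface
        edit "vlan101"
            set vdom "gateway"
            set interface "port2"
            set vlanid 101
            set ip 203.0.113.1 255.255.255.0
        next
        edit "vlan102"
            set vdom "gateway"
            set interface "port2"
            set vlanid 102
            set ip 203.0.113.1 255.255.255.0
        next
    end
end
config vdom
    edit "gateway"
        config system settings
            # Refused by default because the same subnet sits on two interfaces.
            set allow-subnet-overlap enable
        end
        # Pin each customer's /32 to its VLAN. A host on vlan102 that claims .10
        # gets no replies: return traffic follows these routes, not the arrival
        # VLAN. Switch IP filtering stops the spoofed source itself.
        config router static
            edit 0
                set dst 203.0.113.10 255.255.255.255
                set device "vlan101"
            next
            edit 0
                set dst 203.0.113.20 255.255.255.255
                set device "vlan102"
            next
        end
        # Hosts treat the /24 as on-link and ARP for neighbours instead of .1;
        # answering for the other VLAN's address keeps that traffic on the gateway.
        config system proxy-arp
            edit 1
                set interface "vlan101"
                set ip 203.0.113.20
            next
            edit 2
                set interface "vlan102"
                set ip 203.0.113.10
            next
        end
    next
end
```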
dfroe
New Contributor

Of course one could use /32 subnet masks for (customer) end systems to ensure that all traffic (even to neighbors) will flow through the firewall.

I've seen some ISPs using this in their network to avoid wasting IP addresses while still forcing all traffic through a particular default gateway.

On the end system you configure your ip address with a /32 subnet. The default gateway will sit outside your network (which is just your single host in case of /32). The end system will then use a simple ARP to see whether it can reach the default gateway via its interface.

On the default gateway you define the interface as /24 (or whatever your whole network has), enable proxy ARP, and disable ICMP redirects.

 

For example the German provider Hetzner described this setup in their Wiki:

http://wiki.hetzner.de/index.php/KVM_mit_Nutzung_aller_IPs_aus_Subnetz/en#IP_Addresses

"The net mask 255.255.255.255 ensures that we still always address outward packets to the Hetzner default gateway - even if we wish to speak with a rack neighbour."

But I have never implemented this myself on a FortiGate firewall. Maybe you can give it a try in a lab environment.

 

If it doesn't work with /32 and the gateway outside your (/32) network (which may not work on certain broken OSes), you could instead try using /31 subnets with your firewall and the end system each having a dedicated IP in that subnet, just like you would do with /30 (you just don't waste the network and broadcast addresses). This procedure is described in RFC 3021.

emnoc
Esteemed Contributor III

I would take caution on this approach. This requires the device to understand the difference between a multi-access and a point-to-point link. Even the URL link shows what looks like a Linux config with the wording point-to-point for the device config. This is a big gotcha that you have to consider.

In a true point-to-point nobody relies on ARP, regardless of whether it's proxy ARP or normal.

 

PCNSE NSE StrongSwan
Paul_Dean
Contributor

Thanks dfroe.

I had considered /32 or /31 addressing as an option. The few SOHO routers I tried were not happy with /31 or /32 as a subnet mask. I'll have to test it with something else and see if they support that.

Any recommendations for a SOHO VPN router?

 

It would be useful if the FortiGate could be configured as a PPPoE server.

NSE4
emnoc
Esteemed Contributor III

IIRC Juniper SRX and the FortiGate 5K chassis offer PPPoE services, but you have way better and cheaper options ranging from a smaller Cisco IOS/ASR router to open source + Linux/BSD, and all of these would be way better than trying to set this up on a firewall IMHO.

 

PCNSE NSE StrongSwan