Support Forum
nsantin
New Contributor III

Double routing on one interface

Hi, I have a new pair of FGT 60-Cs that I'm configuring with a new ISP (e10-fibre connection). My question is similar to this post: http://support.fortinet.com/forum/tm.asp?m=79153&p=2&tmode=1&smode=1 in which my ISP has given me a "CE - Customer Edge" IP address to be configured on the router as well as a block of public IPs for my use. This is what I have:

ISP Network IP Address: 1.1.1.216 255.255.255.252
ISP Broadcast IP Address: 1.1.1.219
ISP Default Gateway IP Address: 1.1.1.217 (assigned to the ISP provider edge [PE] router customer-facing interface)
ISP IP Address: 1.1.1.218 (to be assigned to the customer edge [CE] router ISP-facing interface)
Customer Network IP Address: 2.2.2.144 255.255.255.240
Customer Broadcast IP Address: 2.2.2.159
Customer Assignable IP Addresses: 2.2.2.145 - 2.2.2.158 (to be assigned however you like)

I'm a little confused on how to set up the WAN interface. How do I set up my WAN interface (with the 2.2.2.x IPs) to use the 1.1.1.217 gateway? From what I see, it looks like I need 2 routers, one to route to the ISP and one for my public block. Can I configure this on the FGT60? Any help appreciated! Thanks
ede_pfau
SuperUser

No you don't need 2 routers (you won't ever need anything but a Fortigate :-)
- configure your wan interface with a static IP, 1.1.1.218/30.
- create a default route to 0.0.0.0/0 using the wan interface (just the interface - not the gateway IP, leave that at '0.0.0.0').
- to use the public IP addresses from the 2.2.2.144 subnet, create VIPs (virtual IPs). The FGT maps the VIP's address to an internal (server) address, and it will react to the ISP's side as if it were a real IP (keyword: proxy arp). As the VIPs are 'local' a.k.a. 'directly connected' IPs you don't need an explicit route for them.
Ede Kernel panic: Aiee, killing interrupt handler!
jtfinley

No you don't need 2 routers (you won't ever need anything but a Fortigate :-)
Unless the ISP hands off at a smartjack :)
jtfinley

to use the public IP addresses from the 2.2.2.144 subnet, create VIPs (virtual IPs). The FGT maps the VIP's address to an internal (server) address, and it will react to the ISP's side as if it were a real IP (keyword: proxy arp).
I did similar configurations on a Cisco; is it possible to use a loopback interface for the block of IPs? (... haven't tried this on a Fortigate)
nsantin
New Contributor III

Thanks Ede, I'll give that a try. For outbound on a specific IP, would it still work the same in which I'd set up a Dynamic IP Pool using my 2.2.2.x address and set the NAT option/Select IP Pool on the firewall rule? Also, one other question, I need to split the incoming connection to my phone system outside of the Fortinet (SIP trunking). Originally I was planning on having the cable from the media converter go to a switch, then split the cable off to the Fortinet and the phone switch (this is how it is today on my T1). If the Fortinet is now my "ISP router", can I still do this and use the 1.1.1.218 address as the gateway on the phone system? Will the Fortinet allow a packet to come in on the WAN1 interface and route it back out on the same interface? Or will I need to put the phone system behind the Fortinet on the internal side (I've heard of a lot of issues with SIP trunks going through Fortinets, which is why I'm trying to keep it out of the mix)? Thanks for your help!!
ede_pfau
SuperUser

1. outbound IP: yes, to change the source IP of traffic originating on your LAN use an IP pool with just 1 IP address. If you have a VIP in place, AND it's not port-forwarding, then the Fortigate will source NAT outgoing traffic automatically, even if the traffic originates from inside. As soon as you use port forwarding you will have to add an IP pool and check the NAT option in the policy.
2. I agree that to avoid trouble with your PBX system it would be easier to place it outside of the firewall. But I would use 2 different public IPs for both firewall and PBX. You cannot use the same IP if both devices are wired to the same switch.
3. routing in and out: if a packet arrives at WAN1, the Fortigate opens a session if the traffic is allowed. Using this session table entry it will try to route the reply traffic back via the same interface. Only (static) routes or policy routing can force the FGT to route the reply traffic to a different interface.
HTH.
Ede Kernel panic: Aiee, killing interrupt handler!
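The two replies above (static WAN address, default route and VIPs in the first; the single-address IP pool for outbound source NAT in the second) written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet documentation. It assumes FortiOS 5.x/6.x CLI syntax, a 60C whose LAN port is named "internal", an internal web server at 192.168.1.10, and object names of my choosing (vip-web-2.2.2.145, pool-2.2.2.146, in-web-https, out-lan); all of those are assumptions. One deliberate difference from the first reply: the default route names 1.1.1.217 as the gateway instead of using an interface-only route. On an Ethernet WAN an interface-only route makes the FortiGate ARP for every destination and works only if the PE proxy-ARPs; the explicit gateway works whether it does or not.

```fortios
# Added example, not from the thread or Fortinet docs. Assumed: FortiOS 5.x/6.x
# syntax, LAN port "internal", server 192.168.1.10; object names are invented.

# 1. WAN interface: the CE address out of the ISP's /30
config system interface
    edit "wan1"
        set mode static
        set ip 1.1.1.218 255.255.255.252
        set allowaccess ping
    next
end

# 2. Default route via the PE address (explicit gateway, see lead-in)
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 1.1.1.217
        set device "wan1"
    next
end

# 3. One public address from the /28 mapped 1:1 to an internal server.
#    No route for 2.2.2.144/28 is needed: the FortiGate answers ARP for
#    2.2.2.145 on wan1 itself (arp-reply is enabled by default on a VIP).
config firewall vip
    edit "vip-web-2.2.2.145"
        set extip 2.2.2.145
        set extintf "wan1"
        set mappedip "192.168.1.10"
    next
end

# 4. A second public address used only as the source of LAN egress
config firewall ippool
    edit "pool-2.2.2.146"
        set type overload
        set startip 2.2.2.146
        set endip 2.2.2.146
    next
end

config firewall policy
    # Inbound to the VIP: one named service, not ALL
    edit 1
        set name "in-web-https"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-web-2.2.2.145"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    # Outbound from the LAN, source-NATed to 2.2.2.146 through the IP pool
    edit 2
        set name "out-lan"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-2.2.2.146"
        set logtraffic all
    next
end
```

To check the result: `get router info routing-table all` should show the 0.0.0.0/0 route via 1.1.1.217 on wan1 and no route for 2.2.2.144/28; `diagnose sniffer packet wan1 'arp' 4` shows the FortiGate answering who-has 2.2.2.145 with its own wan1 MAC; `diagnose sys session list` shows a LAN session leaving with source 2.2.2.146. Two practitioner notes: the FortiGate only proxy-ARPs for addresses that have a VIP, so the rest of the /28 stays unreachable until you define one, and the inbound policy should keep a narrow service list rather than "ALL" because the VIP exposes the mapped host to the whole Internet.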
nsantin
New Contributor III

Hi Ede, thank you for all of your assistance. With regards to the phone, my intention is to give it a dedicated address in the 1.1.1.x subnet. That's my only confusion right now: what would the gateway be in that situation? Do I need to give the WAN1 interface a secondary IP in that subnet as well? The FGT would be the next hop for the PBX. (The 1.1.1.x IPs are all public IPs.) The techs are coming tomorrow to install the media converter, so I'll start to play with it then. Luckily I have until March 1 to get this running and swap out my older pair of FGT60s!
ede_pfau
SuperUser

For WAN traffic, you can set up the PBX's gateway to be 1.1.1.218. This way, the FGT sees the traffic. If you put in 1.1.1.217, the WAN traffic goes straight to your ISP; that would be feasible as well. I'd even prefer the latter one. But a PBX has 2 ends: one WAN port and LAN port(s). How is the LAN side related to the FGT?
Ede Kernel panic: Aiee, killing interrupt handler!
nsantin
New Contributor III

Hi Ede, I have this kind of working. I'm able to get traffic moving fine with the IPs I want on the Fortinet. When I bring my PBX into the mix things get weird. If I have the PBX use the Fortigate as a gateway on the WAN1 interface, then it works; if I have the PBX connect to the upstream router then everything dies. I suspect there is something upstream on the ISP that is preventing multiple devices from talking to the next hop. I've reversed the order (had the PBX connect, then introduced the FGT, and the connection dies as well) so I think something is amiss upstream. With that, I think I'm going to try to convert one of my older FGTs to a pure router (transparent mode) and use that as the gateway for the 2.2.2.x addresses. That should eliminate any SIP packet issues when using the FGT in NAT mode (I hope). So my new layout will be:

Media converter
  |
FGT #1 (1.1.1.218, gw: 1.1.1.217)
  |
Switch
  |- FGT #2/3 cluster: WAN IPs 2.2.2.145-157, GW: 1.1.1.218
  |- PBX (Cisco UC540): IP 2.2.2.158, GW: 1.1.1.218

I imagine that should work; my only concern is SIP going through FGT #1, albeit in router mode, so hopefully it's OK. I was really hoping to get my PBX a direct connection, but this should be OK.
ede_pfau
SuperUser

Looks OK, except that the (inside) gateway address for FGT#2 and the PBX would be the internal port IP address of FGT#1. That should be from the 2.2.2.x subnet, right?
Ede Kernel panic: Aiee, killing interrupt handler!