Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDLP
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: FortiWiFi 90D - Network Design Change - Need H...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiWiFi 90D - Network Design Change - Need Help
We are moving to using Google Fiber with our FortiWiFi 90D, and the way Google handles static IPs and the way we currently have this device configured has us stumped.
{NOTES: This office has tenants that are each on their own VLAN for privacy. IPs are changed for the sake of the client's anonymity}
Current Setup
2 VDOMs
[ol]The VDOMs are given 50/50 priority. This setup was so the VOIP vendor has full control over their network... and has worked well for years. We did not set this up, the old IT vendor did.
New Setup Needed
Now that we are switching to Google Fiber, the way they hand out Static IPs is "funky". You get one static IP that you receive via DHCP. Then, the other 5 that we purchased are on a different subnet completely.
Example:
Static IP via DHCP: 23.228.140.27
Static IP LAN Subnet: 136.50.213.72/29
What I would *like* to do is assign 136.50.213.74 to be WAN 1. Use 136.50.213.75-77 to be my 3 Virtual IP addresses on point 1.2.2.1 above. And Use 136.50.213.78 for WAN 2.
But, I can't figure out how to get this to work. I currently have WAN 1 using 23.228.140.27 and forwarding 136.50.213.75-77 properly, but I can't get the "phones" / WAN 2 to route properly.
Since the routing from the 23.228.140.27 to the 136.50.213.72/29 is on the "network" VDOM, how can I use the last IP for WAN 2?
I really don't want to have to rebuild the entire network layout. Is there a way to do this? I'm not super verbose in the Forti OS and capabilities.
Any help would be GREATLY appreciated.
Thank you,
Hugh
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The "funky" you described seems to be very common at least around my area (NW corner of the US) like CenturyLink fiber or Comcast: get one interface public IP and GW then get additional public subnet /29s when customers request. You just need to know if those specific internet destinations, like voip vendor, SMTP server, etc. are expecting packets sourced from one of those VIP IPs in additional subnets. If yes, like in many cases, you need to SNAT those outgoing packets with the same IP in VIP.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Would you be willing to explain how I can setup the SNAT for WAN2? Like I said, not real great with this interface. I inherited this router. Thanks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The VIP will automatically take care of the source address: it will not only exchange the destination address for incoming traffic but will also source-NAT (exchange the source address) for outgoing traffic.
You would only need additional source NAT (which would be done via enabling NAT in the policy, and specifying an IP pool) in a policy from LAN to WAN, that is, if these hosts initiate outbound sessions as well.
As I see it you have 2 independent VDOMs with 2 independent ISPs and default routes. Insofar, I don't understand the remark on 'routing between the 2 public addresses'. Just connect the voice VDOM to the same LAN switch as your LAN-VDOM, and pass the proper gateway and address to your phones via DHCP.
Actually, you cannot NOT use the one WAN1 public address - your connection/login to your ISP depends on the DHCP handshake. So one WAN interface will have to use that address while you're free to use the other address range via VIPs for either the LAN-VDOM or the phone-VDOM.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's automatic only if the session is initiated from outside. Like an SMTP server, if the server located inside initiates a new session toward the internet there is no reference to the VIP statement and it follows the first available NAT policy, which is typically NATed with the interface IP. We had this problem in the past and created an ip-pool with one IP used in the VIP then SNATed with an outgoing policy using the ip-pool.
v5.6 seems to have improved these NAT related features and one policy seems to be able to handle both. But I haven't tested 5.6 yet so just based on "What's new" doc.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By assuming it's not 5.6, the config is simple and you can do it from GUI.
1) create an IP Pool with only one IP in the external IP range and accept all other default values.
2) create a new policy from inside to outside interface/zone with NAT enabled then choose "Use Dynamic IP Pool" instead of "Use Outgoing Interface...", then select the IP Pool you created.
3) move the new policy above the existing(default) inside to outside interface/zone policy.
You should test by at least sniffing on the outgoing interface to see the source IP of the packets (like ping) has the IP you intended. If you do "flow debug" that are in many other threads you can see the process in a flow.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From what you are suggesting - "Just connect the voice VDOM to the same LAN switch as your LAN-VDOM" - The phone-VDOM would be running through the LAN-VDOM. Therefor, they wouldn't really have 50/50 priority anymore... would they?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My questions to your description of the old/previous network are like below:
- Was the upstream device the previous ISP provided had two connections to your FG90D at WAN1 and WAN2? Or there were two physical circuits or two ISPs terminated at each WAN port?
- What is the default GW for each VDOM? You later mentioned phone VDOM is coming through LAN VDOM which doesn't much the description for WAN1 and WAN2 before.
- also I don't understand what is "50/50 priority of vdoms".
But unless you got two circuits from Google and terminating each at WAN1 and WAN2 separately, you have to use only one WAN port to get out to the internet. Then inside you might want to use VDOMs for some separation but you have to split the additional /29 to two /30s or even further into /31s to deliver the public IPs to each VDOM, so probably it would be completely new design from whatever You had before.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Issues with FortiClient EMS on macOS 19 Views
- FortiSwitch peer-consistency-check peer-config "NOT-FOUND" 88 Views
- Inquiry on Failover Design Between Multiple... 222 Views
- Fortigate blocking ticketmaster.com 1099 Views
- Problems with setting MTU 454 Views
Labels
-
FortiGate
8,340 -
FortiClient
1,686 -
5.2
801 -
FortiManager
703 -
5.4
639 -
FortiAnalyzer
532 -
FortiSwitch
452 -
FortiAP
446 -
6.0
416 -
FortiClient EMS
392 -
5.6
362 -
FortiMail
307 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
205 -
5.0
196 -
FortiWeb
194 -
IPsec
174 -
FortiNAC
171 -
FortiGuard
132 -
6.4
128 -
SD-WAN
102 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
80 -
Customer Service
76 -
Wireless Controller
76 -
Firewall policy
67 -
4.0MR3
64 -
FortiProxy
56 -
FortiADC
51 -
Fortivoice
50 -
FortiEDR
50 -
High Availability
48 -
vlan
47 -
ZTNA
45 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
BGP
37 -
LDAP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
NAT
30 -
Authentication
29 -
SSO
29 -
FortiConnect
28 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Web profile
23 -
Application control
22 -
Virtual IP
22 -
Logging
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
FortiPAM
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
FortiGate v5.0
14 -
OSPF
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
WAN optimization
13 -
FortiCASB
12 -
SNMP
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
Proxy policy
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
Explicit proxy
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1632 | |
| 1063 | |
| 749 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.