Keechi
New Contributor

FortiGate 60D and managing 5 public IPs

Hello

I'm new to this forum and to Fortinet products!

I'm trying to manage 5 public IPs through the FortiGate 60D and it would be nice if someone could help me with this configuration.

5 IPs: x.x.81.34 - x.x.81.38/29

Gateway: x.x.81.33

And I want

x.x.81.34 for my private use

x.x.81.35 for my webshop

x.x.81.36 for surveillance

I tried to funnel the traffic with VIPs but that didn't work out. I think I misunderstood the function of VIPs.

FortiOS is at 5.6.3

Hopefully someone can help me with this little issue or tell me some resources where I could learn about this specific topic.

Greetings Keechi

Toshi_Esumi
Esteemed Contributor III

Is this /29 the only public IPs you got from your ISP? Or you got a different IP in a /30 (likely pulled via DHCP or PPPoE) on the main wan interface and this /29 is an additional subnet from your ISP?

Keechi

Yes, I got a totally different IP from DHCP and the ISP does the rest, that's what they told me.

Yesterday I spoke to the ISP and they told me that I need 1 router at x.x.81.33, and for each other IP I want to use I need another router, but I think (don't know) that this could be achieved by just 1 good FortiGate.

Toshi_Esumi
Esteemed Contributor III

Wait, if they actually said you needed 1 router at x.x.81.33, that's not the GW at your ISP. There needs to be another IP within the /29 as a GW on the ISP or ISP device side, unless you got another /30 subnet to get to the ISP's GW device. Are you sure about that?

rwpatterson
Valued Contributor III

+1

If the ISP said the gateway is .33, why would you need another router at that address? If you are supplying the gateway, then they would need to give you yet another gateway address. That makes no sense to me either. One Fortigate with a bunch of VIP definitions should easily handle this case.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Toshi_Esumi
Esteemed Contributor III

OK, I didn't read that you wrote "got a totally different IP from DHCP". So the FortiGate must have gotten a GW IP via DHCP and set up the default route. Then you should be able to map any IPs in the /29 with VIP statements by following the online help:

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall%20Objects/Virtua...

Toshi_Esumi
Esteemed Contributor III

By the way, the online help has only one line mentioning policy. But there needs to be a policy (or a set of policies) to utilize the VIP objects you create in the direction wan1/2 -> lan/internal without NAT (unless you want to do SNAT to hide the source IP), and you need to specify the VIP(s) at Destination.
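
Added example, not part of any reply in this thread: a FortiOS CLI sketch of the VIP-plus-policy setup described in the replies above. 203.0.113.35 and 203.0.113.36 stand in for x.x.81.35 and x.x.81.36; the internal hosts, the object names, the HTTPS-only port forwards and the "remote-admin" source address are assumptions.

```fortios
# Added example: every address and object name below is a constructed placeholder.
config firewall address
    edit "remote-admin"
        set subnet 198.51.100.10 255.255.255.255
    next
end
config firewall vip
    edit "vip-webshop-https"
        set extintf "wan1"
        set extip 203.0.113.35
        set mappedip "192.168.1.10"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
    edit "vip-surveillance-https"
        set extintf "wan1"
        set extip 203.0.113.36
        set mappedip "192.168.1.20"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end
# Inbound policies: the VIP is the destination, no NAT on the policy itself.
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-webshop-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
    next
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "remote-admin"
        set dstaddr "vip-surveillance-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
    next
end
```

Port-forwarding VIPs publish only the listed port instead of the whole internal host, and the surveillance policy accepts traffic only from the "remote-admin" address rather than from "all".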
