Good evening,
I want to realize / convert a Cisco config into a Fortigate as follows and would like to receive advice for this:
Currently I get the following static public subnet from my provider via PPPoE x.x.x.81 255.255.255.240
The first IP-adres x.x.x.81 is used for our Cisco.
The additional IP addresses are used for tenants within a multi-tenant business premises.
x.x.x.81 /28 is assigned to a sub-interface as follows
interface GigabitEthernet0/2.200
description VLAN200
encapsulation dot1Q 200
ip address x.x.x.81 255.255.255.240
ip tcp adjust-mss 1452
Then the PPPoE interface is configured with ip unnumbered as below:
interface Dialer1
mtu 1492
bandwidth 100000
ip unnumbered GigabitEthernet0/2.200
ip nat outside
no ip virtual reassembly in
encapsulation ppp
dial pool 1
dialer group 1
ppp pap sent-username xxxxxxxxxx password 7 xxxxxxxxxx
The VLAN 200 is then forwarded, together with various other VLANs, via a trunk port to an access switch.
Where necessary, we configure an interface with access VLAN 200 on this access switch.
We then pass on one of the free IP addresses from the subnet to the tenant, who connects his firewall to the access port and uses this to statically configure his firewall or router.
For example:
IPv4: x.x.x.82
Gateway: x.x.x.81 = Cisco at the moment but must become the Fortigate Firewall.
Subnetmask 255.255.255.240
Even though a VLAN 200 can also be created in the Fortigate and I can specify an Unnumbered IP address with the PPPoE client, this does not work as mentioned above.
Does anyone know a solution to achieve the same goal via the Fortigate?
Thanks in advance.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You can follow this document to create an troubleshoot pppoe vlan on fortigate
Dear Amritpal Singh,
Thanks for the input but this is not what I am looking for. Setting up a PPPoE connection is not the problem.
This concerns the distribution of the /28 subnet via the Fortigate that we have available via this PPPoE connection.
In many cases, for example, with other providers we first receive a /32 IP address via the PPPoE client or DHCP client. An addition a /29 or /28 subnet is then routed over this. We don't have to do anything for this, the subnet is already at our disposal.
However, in my original story we are assigned the /28 subnet with public IP-adressen at once via the PPPoE client. In that case, the IP unnumbered function under the PPPoE client does not work as it does in my original story with Cisco. I also cannot easily find anything about the IP unnumbered function under the PPPoE client with a WAN interface within a Fortigate. Do you perhaps have more information about this in your knowledge base?
Thank you very much.
I don't think it's possible to replace the current Cisco setup with FGT's. Because the PPPoE-terminating interface/entity (Cisco's Dialer) is bridged to a LAN interface to have the /28 subnet (or shared). If a FW (this case FGT) supports the feature, traffic through this doesn't not have separation between an ingress interface and an egress interface so there is nowhere to apply FW policies, which apply per interface-to-interface base, like wan-to-lan, lan-to-wan, etc.
Leaving the Cisco in place and adding the FGT to it wouldn't look like accomplish your needs either. So likely you need to get a new(conventional) IP subnet delivery method from the provider, or get a new circuit, if you have to put the FGT in this picture.
Toshi
Good afternoon Toshi,
Thank you for the explanation.
I think we will choose to install a Cisco to handle the subnet and then give the Fortigate its own public IP address from the /28 subnet.
The reason we are going to install new hardware has to do with an upgrade of the internet speed.
Only that is an extra expense of approximately €1000,-
If the new FGT is NOT to provide its FW services to those tenants in the /28, that would be workable. Because you can't set IPs in the same subnet on two different interfaces, like wan and lan, on FGTs.
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.