We have a Fortinet FortiGate 200B. Our ISP gave us 5 IPs to use. The first is our main address assigned to the 200B's MAC address. They also have 3 IPs looking for our DVR security systems also by MAC address. Here is the set up:
X.X.X.150 = Our main IP.
X.X.X.151 = DVR #1.
X.X.X.152 = DVR #2.
X.X.X.153 = DVR #3.
X.X.X.154 = Nothing used yet.
My question is how do I set up the Fortinet FortiGate 200B to see all 5 of these IPs coming from the modem?
There are no WAN ports so I set up Port 11 as DHCP for the ISP.
I pretty much followed these directions:
http://kb.kaminskiengineering.com/node/377
I went to Firewall Objects > Virtual IP > Virtual IP and created the ports that need to be forwarded to. There are four ports needed for each DVR. The port numbers are the same for each DVR, but the external IP is different. Therefore, there are 12 entries.
I then went to Firewall Objects > Virtual IP > VIP Group and created three groups for each DVR using the four ports forwarded to for each group.
Last of all, I went to Policy > Policy > Policy and created a Port 11 > The Switch policy and added each VIP Group in this order:
No boxes are checked.
Hi,
and welcome to the forums.
When I first read your post I wondered what your question was. Everything should be working now, your config is correct.
There are 2 ways a FGT can handle multiple IP addresses on a port:
1- via VIP
2- as secondary address
Going the VIP path here is 100% the way to go, as you need port forwarding as well, and as you use more than 2 addresses. Remember that a port-forwarding VIP will not respond to ping, only to ARP and the specified services/ports (UDP or TCP). [the exception being FortiOS v5.4 where you can additionally allow ICMP]
So if you have difficulties or more questions feel free to post here.
Thanks for the welcome. Mainly I was just wondering if I was doing something wrong in my setup.
Yeah I thought that would be the right way to do it. I even did an IP Pool of the extra ISP-provided IPs on an individual basis and that didn't work. The IP Pool made no difference and probably isn't needed so I deleted it.
I am starting to wonder if it is because the ISP has them going to the MAC addresses of the DVRs. I am not sure how they would set it up on their end so it works on our end.
The way it is now, the extra IPs going to the DVRs are not working.
Is the main IP .150 pulled via DHCP? You mentioned about DHCP so I was wondering. Then the rest might not work.
Yes it is pulled via DHCP. Let me try Manual with the primary ISP IP provided to us.
That killed the Internet so now I will have to run into work and switch it back. I did see I could now add Secondary IP Address(es) when I switched it to manual.
EDIT...
I tried it twice using manual settings for the ISP and made sure the gateway was defined under Router > Static > Static Route as:
0.0.0.0/0.0.0.0 X.X.X.1 port11
It refuses to work using manual settings.
You could have the ISP route the block of IPs to the IP that your WAN interface is getting. Providers like WOW and Windstream have done that for me in the past.
Mike Pruett
Just to clarify:
- VIPs do destination NAT - the destination IP address is substituted
- IP pools do source NAT - the source IP address is substituted
When using a VIP, reply traffic and even traffic originating from the NATted internal host is automatically source NATted by the VIP, as a convenience. This way, the true source IP of the exposed host is fully hidden.
If you get the other IPs by DHCP as well, a VIP cannot work - the FGT needs to negotiate first to get the assignment.
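As an added illustration (not configuration posted by anyone in this thread), this is what the original poster's VIP, VIP group and policy setup looks like in the FortiOS CLI for one DVR, and it shows the destination-NAT-only behaviour ede_pfau describes: the VIP rewrites the destination to the DVR, and the reverse traffic is source NATted back to the external address by the VIP, so the policy itself has NAT disabled. Only X.X.X.151 and port11 come from the thread; the DVR's internal address 192.168.1.201, the forwarded ports 80 and 554, the LAN interface name "internal" and the object names are assumptions.

```fortios
# Added example, not from the thread. Assumed values: DVR #1 at 192.168.1.201,
# forwarded ports 80/tcp and 554/tcp, LAN interface "internal".
# One port-forwarding VIP per external IP + port. The VIP answers ARP for
# X.X.X.151 (arp-reply) and only the listed ports; it will not answer ping.
config firewall vip
    edit "DVR1-tcp-80"
        set extip X.X.X.151
        set extintf "port11"
        set portforward enable
        set mappedip "192.168.1.201"
        set protocol tcp
        set extport 80
        set mappedport 80
        set arp-reply enable
    next
    edit "DVR1-tcp-554"
        set extip X.X.X.151
        set extintf "port11"
        set portforward enable
        set mappedip "192.168.1.201"
        set protocol tcp
        set extport 554
        set mappedport 554
        set arp-reply enable
    next
end

# Group the VIPs of one DVR so a single policy covers all of its ports.
config firewall vipgrp
    edit "DVR1-grp"
        set interface "port11"
        set member "DVR1-tcp-80" "DVR1-tcp-554"
    next
end

# Inbound policy port11 -> internal. NAT stays disabled: the VIP already does
# the destination NAT, and the DVR still sees the real client source address.
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set srcintf "port11"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "DVR1-grp"
        set action accept
        set schedule "always"
        set service "HTTP" "RTSP"
        set nat disable
    next
end
```

Repeat the VIP and group blocks for .152 and .153 with their own mapped addresses. As ede_pfau points out, none of this can work while the ISP only hands .151 to the DVR's MAC address over DHCP: the FortiGate has to be the owner of the external address before its VIP can answer ARP for it.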
@MikePruett Our ISP says, "That is not typical protocol for our network and our block addressing structure does not lend itself to that configuration very well. It would be easiest for us to simply allocate several public addresses directly to you."
@ede_pfau Yes the extra IPs are also DHCP-supplied by the ISP and are set to look for the MAC addresses of the DVRs by the ISP. How can I make the firewall negotiate first to get the assignment in that case?
I'd say you can't.
Follow your ISP to get directly allocated IPs. Then use them either by VIP or as secondary addresses where VIPs are far more flexible.
Quick question : have you checked your subnet mask? maybe the ISP made an error in the mask he allocated...
Also, have you tried a diag sniff packet to check that the packet you should receive are actually forwarded to you?
(last thing I can think of : is the proxy-arp disabled?)
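As an added example (not configuration from anyone in the thread) of the other option ede_pfau mentions, secondary addresses on the WAN interface, plus the sniffer check suggested just above: port11 is set to static with the main address and the unused X.X.X.154 as a secondary IP, the default route from the original poster's static route is kept, and the sniffer confirms whether frames for one of the DVR addresses actually arrive on port11. The subnet mask 255.255.255.0 is an assumption and must be replaced by the mask the ISP actually allocated (that mask is exactly what the question above asks about); X.X.X.150, X.X.X.151, X.X.X.154, X.X.X.1 and port11 are from the thread.

```fortios
# Added example, not from the thread. Assumed: mask 255.255.255.0 (use the
# ISP's real mask), gateway X.X.X.1 from the poster's static route.
config system interface
    edit "port11"
        set mode static
        set ip X.X.X.150 255.255.255.0
        set allowaccess ping https ssh
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip X.X.X.154 255.255.255.0
                set allowaccess ping
            next
        end
    next
end

# Default route towards the ISP gateway (same as the poster's
# 0.0.0.0/0.0.0.0 X.X.X.1 port11 entry).
config router static
    edit 1
        set gateway X.X.X.1
        set device "port11"
    next
end

# Check that traffic for an extra address reaches port11 at all.
# Arguments: interface, filter, verbosity 4 (headers + interface name), 10 packets.
diagnose sniffer packet port11 'host X.X.X.151' 4 10
```

If the sniffer shows nothing for X.X.X.151 while traffic for X.X.X.150 is visible, the ISP is not delivering that address to the FortiGate's MAC at all, which matches the DHCP-by-MAC behaviour described earlier in the thread, and no VIP or secondary IP on the FortiGate will change that.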