NORVIN
New Contributor

Fortinet FortiGate 200B Allow Multiple ISP IPs On 1 Port

We have a Fortinet FortiGate 200B.  Our ISP gave us 5 IPs to use.  The first is our main address, assigned to the 200B's MAC address.  They also have 3 IPs looking for our DVR security systems, also by MAC address.  Here is the setup:

 

X.X.X.150 = Our main IP.

X.X.X.151 = DVR #1.

X.X.X.152 = DVR #2.

X.X.X.153 = DVR #3.

X.X.X.154 = Nothing used yet.

 

My question is how do I set up the Fortinet FortiGate 200B to see all 5 of these IPs coming from the modem?

 

There are no WAN ports, so I set up Port 11 as DHCP for the ISP.

 

I pretty much followed these directions:

 

http://kb.kaminskiengineering.com/node/377

 

I went to Firewall Objects > Virtual IP > Virtual IP and created entries for the ports that need to be forwarded.  There are four ports needed for each DVR.  The port numbers are the same for each DVR, but the external IP is different.  Therefore, there are 12 entries.

 

I then went to Firewall Objects > Virtual IP > VIP Group and created three groups, one for each DVR, using the four forwarded ports for each group.

 

Last of all, I went to Policy > Policy > Policy and created a Port 11 > The Switch policy and added each VIP Group, in this order:

  • Port 11
  • all
  • The Switch
  • VIP Group #1
  • always
  • ANY
  • ACCEPT

    No boxes are checked.

    NORVIN

    The subnet mask for the Internet given to us is 255.255.254.0, but I am not sure where else I could put that unless I add each DVR to Firewall Objects > Address > Address.

     

    I'm not sure of the proper way to do the diag sniff.

     

    I don't see proxy-arp listed anywhere.

    Toshi_Esumi
    Esteemed Contributor III

    Mike's question was based on the assumption that your ISP is actually delivering packets for other devices to your FG. But that's not the case now. The only thing you could do, to me, is pretty much negotiate with your ISP to provide at least one static IP (or a /30 for your FG and their GW device) different from what you have now, and route the additional subnet you have now to your FG IP, by insisting you have to terminate/route all traffic through your FW (FG).

    NORVIN

    Could any of these issues have anything to do with having a Windows 2008 R2 server doing DHCP on our network?  I am not sure how though because the old DVR system worked fine.

     

    I am out of ideas.  The Internet IPs other than our main one can be pinged.  The ISP has the MAC addresses of the DVRs linked to the reserved Internet IPs.

    Toshi_Esumi
    Esteemed Contributor III

    If you have decided to go that route, you can't put your DVR devices behind the FG. You need to have a switch connected to the ISP's modem on the WAN side, and then all devices (FG, DVRs, others) that have public IPs from the ISP need to be connected to that switch to pull their IPs from the ISP's DHCP server. At that point, at least the DVRs have no network connection to your internal Win DHCP server.

    NORVIN

    What route?  How can an older DVR system hooked up the same way work, and now this new system not work, when all we did was change the IPs allowed to us?  What else can I tell the ISP to change?

    Toshi_Esumi
    Esteemed Contributor III

    You said your ISP got the DVRs' MAC addresses. That means your ISP is expecting each DVR to request its assigned IP from them. If it's behind your FG, the DHCP request wouldn't get through to the ISP side. They, the DVRs, have to be on the same broadcast domain as the ISP's modem for their DHCP to work.

    I would recommend you create a diagram of how your network is laid out and discuss your options with your ISP.

    michaelbazy_FTNT

    I was thinking of the following sniff:

    diag sniff packet any 'host X.X.X.151 or host X.X.X.152 or host X.X.X.153 or host X.X.X.154 '

     

    Then try to ping all of these IPs (from another connection, for example ping from your mobile, or ask a friend somewhere else :) )

     

    If your ISP is working correctly, you should see some packets being captured.

     

    If you don't see anything, then talk with your ISP...

    I'm operating by "Crocker's Rules"
    NORVIN

    I don't have much to report back.  It seems something is screwy with the reserved IP addresses.  I can change any of the reserved IPs to our main IP and the DVR group using that IP works just fine away from the building.  If I use one of the reserved IPs, they will not work.

     

    I have no idea what I can say to the ISP.  They keep telling me the IPs are reserved and they look for the MAC addresses of the DVRs.

    ede_pfau
    Esteemed Contributor III

    Locking the other public IPs to one MAC each is the problem here.

    The only way to handle this IMHO is to install a small WAN switch. Plug in

    - the WAN line from the router

    - the FGT's WAN port

    - the DVRs WAN ports

     

    This way, the DVRs will address the ISP's router showing their original MAC addresses and receive their public addresses. Of course, then they are exposed to the internet! No protection from the FGT at all.

     

    As a true solution, your ISP should just route a /28 subnet to your FGT and skip authenticating via MACs. Or rather, authenticate one MAC for the whole subnet. Then you could create VIPs for all the other public IPs and this will just work.


    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
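As an added illustration of the "true solution" ede_pfau describes (not part of the original thread, and not something the OP's ISP is currently providing): the FortiOS CLI equivalent of the VIP, VIP group and policy the OP built in the GUI, for one DVR, on the assumption that the ISP routes the public block to the FortiGate's own port11 address instead of tying each IP to a DVR's MAC. The LAN interface name "internal", the DVR's private address 192.168.1.51 and the four ports 80, 554, 8000 and 9000 are assumptions; the thread never gives the real values.

```fortios
# Added example, not from the original post. FortiOS 4.x-era CLI for a 200B.
# Assumptions (replace with the real values): the ISP routes X.X.X.151-.153
# to the FortiGate's port11 address; the LAN side is named "internal"; DVR #1
# is at 192.168.1.51 and must be reachable from outside on TCP 80, 554, 8000
# and 9000.

# Step 1: one VIP per public IP / external port pair. The FortiGate answers
# for X.X.X.151 itself and translates to the DVR's private address.
# arp-reply (enabled by default) is the proxy-ARP asked about earlier: the
# FortiGate answers ARP for extip if the ISP gateway is on the same segment.
config firewall vip
    edit "DVR1-tcp80"
        set extip X.X.X.151
        set extintf "port11"
        set arp-reply enable
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedip 192.168.1.51
        set mappedport 80
    next
    edit "DVR1-tcp554"
        set extip X.X.X.151
        set extintf "port11"
        set arp-reply enable
        set portforward enable
        set protocol tcp
        set extport 554
        set mappedip 192.168.1.51
        set mappedport 554
    next
    edit "DVR1-tcp8000"
        set extip X.X.X.151
        set extintf "port11"
        set arp-reply enable
        set portforward enable
        set protocol tcp
        set extport 8000
        set mappedip 192.168.1.51
        set mappedport 8000
    next
    edit "DVR1-tcp9000"
        set extip X.X.X.151
        set extintf "port11"
        set arp-reply enable
        set portforward enable
        set protocol tcp
        set extport 9000
        set mappedip 192.168.1.51
        set mappedport 9000
    next
end

# Step 2: group the four forwards so the policy references one object.
config firewall vipgrp
    edit "DVR1"
        set interface "port11"
        set member "DVR1-tcp80" "DVR1-tcp554" "DVR1-tcp8000" "DVR1-tcp9000"
    next
end

# Step 3: the inbound policy, port11 -> internal, destination = the VIP group.
# "ANY" is the 4.x name of the match-all service (5.x calls it "ALL").
# Because the destination is a port-forwarding VIP group, only the four
# forwarded ports match; anything else sent to X.X.X.151 hits the implicit
# deny, so the DVR is not exposed the way it would be on a WAN-side switch.
config firewall policy
    edit 0
        set srcintf "port11"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "DVR1"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

# Repeat steps 1-3 with X.X.X.152 / DVR #2 and X.X.X.153 / DVR #3.

# Check first, before blaming VIPs or policies: does port11 ever receive a
# packet for the public IP? Verbosity 4 prints the interface name. Start the
# capture, then ping X.X.X.151 from outside. No output means the ISP is still
# sending that address somewhere else (e.g. to a DVR's MAC), and nothing on
# the FortiGate can change that.
diagnose sniffer packet port11 'host X.X.X.151' 4
```

The sniffer line is the same test michaelbazy_FTNT proposed, narrowed to one interface and one address; with MAC-locked IPs it stays silent, which is the symptom the thread ends on, and the VIP configuration above only starts to matter once the ISP routes the addresses to the FortiGate.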
    NORVIN

    I wish it were that simple, but the DVRs are in different buildings and they go through a Windows Server before getting to the FortiGate, which is in another building.

     

    So then the reserved IPs could be reserved to the same MAC address (the FortiGate's MAC the modem is plugged into)?
