Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Owain_Deagle
New Contributor

How to exclude an IP from a range on an interface?

I have been provided by my ISP a non-consecutive selection of IPs: 66.18.202.151-158, excluding .153. Also I need to point one of those IPs at a second router. I am using an 80CM as the primary, and a 50C as a secondary. What interface configuration do I need to create on the 80CM, to only include [.151, .152, .154, .156-159]? Currently the WAN1 interface on the 80CM is set to "66.18.202.151/255.255.255.224". Is this where the secondary IP option comes into play? I tried to find information about it in the documentation but failed. I am using MR2 Patch 9 on both devices.
ede_pfau
SuperUser

Hi, you should only assign one IP address to your FGT's wan1 port, and use the others in VIPs (virtual IPs). Use of secondary IP addresses is recommended against as this would prevent anti-spoofing control. Your public IP range is .151 - .158 (not .159 as stated further below). One possible network mask is 255.255.255.240 (= /28). This is the smallest mask which covers your range. Available IPs for hosts/routers are .151 to .158; .159 is the broadcast address which cannot be assigned. So 'wan1' would get 66.18.202.151/28.

For the second router, create a VIP on the wan1 interface, mapping 66.18.202.152/32 to an internal 192.168.222.1 (or whatever), no port forwarding. Same holds true for any publicly accessible server. If you want your second router to face the public then you would have to plug it into a switch together with the FGT wan1 port and the cable from the provider (that is, in parallel) and assign it a free public IP address. You see that it really doesn't matter at all that the public IPs are not consecutive.
Ede Kernel panic: Aiee, killing interrupt handler!
Owain_Deagle

ORIGINAL: ede_pfau Hi, you should only assign one IP address to your FGT's wan1 port, and use the others in VIPs (virtual IPs). [...] You see that it really doesn't matter at all that the public IPs are not consecutive.
Hi Ede_pfau, Thanks for the information. Maybe I'm going about this the wrong way already. It's possible my lack of understanding about some networking basics is where the problem is. I had assumed that I needed to make sure each router was only "listening" on the IPs it needed to be on. I want both routers to be public facing. I have each WAN1 port plugged into a switch, along with the DSL modem.

The primary router (80CM) has 66.18.202.151/255.255.255.224 on WAN1, with some VIPs to route mail/http/https to the mail server. In reality this router only needs an IP for management, and an IP to pass through for the mail server. The secondary router (60C) has 66.18.202.155/255.255.255.0 on WAN1. I don't need any VIP as there is nothing behind this router at all. It's just to be used for VPN testing, so all I need is to be able to manage remotely.

At this point I can't access the 60C remotely at all (PING, HTTPS, SSH are allowed on management, but nothing connects). And anything plugged into its internal ports cannot get out (current firewall policy is allow everything in and out, but no DNS resolves, or it can't contact any DNS server). I'm not worried about the outbound from the internal ports as I'm sure I can resolve that later if need be. It's the remote management that's at issue (and of course VPN connectivity for testing). I'd guess the reason I can't remotely touch the 60C is I have the WAN1 on the 60C incorrectly assigned.
rwpatterson
Valued Contributor III

ORIGINAL: Owain Deagle The primary router (80CM) has 66.18.202.151/255.255.255.224 on WAN1, with some VIPs to route mail/http/https to the mail server. In reality this router only needs an IP for management, and an IP to pass through for the mail server. The secondary router (60C) has 66.18.202.155/255.255.255.0 on WAN1. I don't need any VIP as there is nothing behind this router at all. It's just to be used for VPN testing, so all I need is to be able to manage remotely.
66.18.202.155/255.255.255.0 and 66.18.202.155/255.255.255.224 are not the same... I guess you already figured that out.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Owain_Deagle

ORIGINAL: rwpatterson 66.18.202.155/255.255.255.0 and 66.18.202.155/255.255.255.224 are not the same... I guess you already figured that out.
I'm feeling particularly thick today, I don't understand what you mean?
ede_pfau
SuperUser

Don't worry. Sorry, Bob, sure there's a difference when you assign network masks of different sizes. You (Owain) mentioned that the 80CM's wan1 port carries a /27 netmask whereas the secondary router carries a /24 netmask. The effect is this: the network mask determines the size of the address space that the device can reach locally, that is, its neighbourhood. If you have 2 devices in the same address range (like .151 and .155) and one has a broader neighbourhood range then...no problem! Both can still reach all hosts in the smaller range of both. BUT (and I guess that's what Bob hinted at) you will have problems reaching hosts in the larger address range. This is getting convoluted, sorry. I'll give you an example:

Say, your local address space is 66.18.202.150-158
host1: 66.18.202.151/255.255.255.224 sees .145 - .158 as local devices
host2: 66.18.202.155/255.255.255.0 sees .1 - .254 as local devices

If you try to connect to .158 both will succeed, as it's local. If you try to connect to .140 only host1 will succeed (it knows .140 is not local, so it connects via routing) but host2 will fail as it deems .140 to be local which it isn't. Long story short, you should use the smallest network mask covering all of your addresses.

Back to your problem: why you cannot reach the secondary router is wild guessing at the moment. We just need more information.
- what is the ISP's gateway IP address? You should be able to look it up on the 80CM, System>Network>Interfaces>wan1.
- what is the default route on the 60C?
- if you put the .155 on a VIP on the 80CM, can you then use it?
Ede Kernel panic: Aiee, killing interrupt handler!
Owain_Deagle

ORIGINAL: ede_pfau Don't worry. Sorry, Bob, sure there's a difference when you assign network masks of different sizes. [...] Long story short, you should use the smallest network mask covering all of your addresses. Back to your problem: why you cannot reach the secondary router is wild guessing at the moment. We just need more information. - what is the ISP's gateway IP address? You should be able to look it up on the 80CM, System>Network>Interfaces>wan1. - what is the default route on the 60C? - if you put the .155 on a VIP on the 80CM, can you then use it?
OK, a day's rest has made this all the clearer. So for the secondary router (60C), it's probably best to put the WAN1 interface at 66.18.202.155/32? If I do this then it stops being visible from external sources. If I set it to /27 it becomes visible. I was able to determine the gateway IP by looking at the default route on the 80CM; it's 66.18.202.129. It did not appear to be visible in the System>Network>Interfaces>wan1 section. This would explain why at least a /27 netmask is needed, so that the gateway is in the local address space. I checked the 60C, and it had no default route. So I created a route 0.0.0.0/0.0.0.0 with Gateway of 66.18.202.129, just like the 80CM. Now I can ping and access the router remotely via IP.

All I need to sort out now is outbound web traffic, which appears to be a DNS error, as nslookup fails from a machine plugged directly into the 60C's internal ports. I'll show you how I've got the internal ports set up: IP/netmask: 192.168.30.1/24, DNS Query set to Recursive; DHCP: 192.168.30.100-200, Gateway 192.168.30.1, .... and I've fixed it. I had the DHCP DNS set to 192.168.30.1, I changed it to System DNS setting, and it now works. All is resolved, for the moment! Thanks so much! Though if you see anything I'm doing clearly wrong here please let me know.
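The mask arithmetic that runs through this thread (the /28 suggested for .151-.158, ede's "neighbourhood" explanation of why a /24 next to a /27 misbehaves, and the .129 gateway that turned out to need at least a /27 on the 60C) can be checked mechanically. The following is an added Python example, not code from the thread or from Fortinet. It assumes the ISP's real link prefix is 66.18.202.128/27 (inferred from the .129 gateway and the /27 that worked in the post above); the function names and the 198.51.100.10 target are illustrative. It shows that the smallest block covering .151-.158 is 66.18.202.144/28, which does not contain the .129 gateway, so a default route cannot be installed through a /28 on wan1; a /27 does contain it; and a /24 makes the device treat off-link addresses as local, so it ARPs for them and never gets an answer.

```python
import ipaddress
from typing import Optional


def smallest_covering_network(first: str, last: str) -> ipaddress.IPv4Network:
    """Return the smallest CIDR block that contains both addresses.

    This is the "smallest network mask covering your range" rule from the
    thread: walk from /32 towards /0 and stop at the first block that holds
    the last address as well as the first.
    """
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for prefixlen in range(32, -1, -1):
        net = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
        if b in net:
            return net
    raise AssertionError("unreachable: /0 contains every address")


def classify_path(interface: str, gateway: Optional[str], target: str,
                  real_subnet: str) -> str:
    """Describe how a host with `interface` (addr/prefix) and default
    `gateway` will try to reach `target`.

    `real_subnet` is the prefix the ISP actually routes to this link
    (an assumption supplied by the caller). It is only used to spot the
    "mask too wide" failure: the host believes a far-away address is on
    its own link, ARPs for it, and never gets a reply.
    """
    iface = ipaddress.ip_interface(interface)
    net = iface.network
    real = ipaddress.ip_network(real_subnet)
    tgt = ipaddress.ip_address(target)
    gw = ipaddress.ip_address(gateway) if gateway else None

    if tgt == iface.ip:
        return "self"
    if tgt in net:                       # host will ARP for it directly
        if tgt in real:
            return "local"
        return "broken: mask too wide, target deemed local but lives beyond the link"
    if gw is None:                       # the 60C's initial state in the thread
        return "unreachable: no default route"
    if gw not in net:                    # the gateway itself must be on-link
        return "unreachable: default gateway is outside the interface subnet"
    return "via default gateway"


if __name__ == "__main__":
    isp = "66.18.202.128/27"   # assumed link prefix, see lead-in
    print(smallest_covering_network("66.18.202.151", "66.18.202.158"))  # 66.18.202.144/28
    for iface, gw, tgt in [
        ("66.18.202.151/28", "66.18.202.129", "198.51.100.10"),   # /28 excludes the gateway
        ("66.18.202.151/27", "66.18.202.129", "198.51.100.10"),   # /27 works
        ("66.18.202.155/24", "66.18.202.129", "66.18.202.100"),   # /24 is too wide
        ("66.18.202.155/24", None, "198.51.100.10"),              # no default route
    ]:
        print(iface, gw, tgt, "->", classify_path(iface, gw, tgt, isp))
```

The same check applies on the FortiGate itself: a static default route is only usable when its gateway falls inside the subnet configured on the outgoing interface, which is why the /28 from the first reply, although it is the tightest mask for the assigned addresses, would not have let either unit reach 66.18.202.129.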
ede_pfau
SuperUser

OK, the /27 netmask is right but your gateway is NOT local. How do you connect on the WAN side, per DHCP or PPPoE? Regarding the 60C, you had everything right the first time. I always let the FGT be DHCP server and DNS. Possibly DNS doesn't work on the 60C. Try an 'exe ping www.google.com' from the console window. If that doesn't resolve to an address the DNS system setting is wrong. One other reason would be if you didn't allow DNS out in your LAN to WAN policy. Then the system DNS setting could be correct but that wouldn't help your hosts much.
Ede Kernel panic: Aiee, killing interrupt handler!