Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

How to put two ports on the same network?

We just got a new FortiGate 50B. I'd like to connect it to:
- our uplink (a router sitting on the local end of a T1)
- our LAN (a switch with a bunch of PCs on it)
- and our one public server.
I'd like the public server to have a public IP, and the LAN to be a separate private net with NAT. Our T1 comes with a /28 so we have several usable public IPs. The T1 router has one IP, the FortiGate can have a second one (which it can also NAT all the LAN PCs to), and the public server can have a third. It'd be really nice not to have to use a separate switch to sit between the FortiGate, T1 router, and public server. What I need to do is configure the FortiGate such that both the uplink port and the public server port are treated as being on the same /28 subnet, with the FortiGate bridging between the two ports. I asked about this before we bought it, and was told we could do it. Now that I'm poring over the documentation and config interface, I don't see quite how I'm supposed to...
doshbass
New Contributor III

Hi Cos, I don't think you can achieve what you are trying to do. I believe (but not completely sure) that you can either have the whole unit in transparent mode or in NAT/Route mode. In transparent mode, all interfaces are on the same subnet. This is no good for your internal network. In NAT/Route mode all interfaces must be on separate subnets. No good for your server/internet connection. However there are ways around it. By far your best option is to put your server on a new private address and use a VIP on the FortiGate to map this to the required RIPE address. This is definitely best practice for connecting machines to the internet for public access. If for some reason you really can't do this, you can create a new VDOM in transparent mode. In effect you then have two totally separate firewalls, one can be used for the server and the other for the LAN to server/internet side. This method is complex and not really advised on a 50 due to memory limitations. Jon
Still learning to type "the"
rwpatterson
Valued Contributor III

Why would you need another switch in the mix? After the T-1 is terminated to good old Ethernet, plug it into the FortiGate and go! Realistically, there is no need to map every PC to a RIPE/ARIN IP address. The FortiGate will NAT the outgoing traffic for you. Save those public IPs for future expansion. Once you have the T-1 plugged in (assuming to the WAN port), and the switch with all your devices as well (internal here), just create a virtual IP to map that 'public' server from a RIPE/ARIN IP to the internal IP address. Make sure in any policy that faces the Internet, you check off the NAT box, or you won't get far. If the 'public' server is on a third subnet, stick it on the DMZ port, and move the virtual IP definition there instead. Good luck

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Not applicable

Jon: No good. The public server needs to be accessed from both inside and outside our office. If we put it on the internal network, it would get NATed, and people in the office would need to use a private IP to access it. A majority of them use laptops which they bring into and out of the office. A solution which forces them to change their DNS configuration every time they enter or leave the office, or frob /etc/hosts, or use a totally different set of bookmarks (with virtual web servers answering to the different names), is just too annoying. I want to rely on DNS to give the IP of the public server, and everyone to be able to use DNS to access it, regardless of whether they're in or out of the office. Bob: Of course "there is no need to map every PC to a RIPE/ARIN IP address" - we just want to do this for *one* server. See my response to Jon, above, for why putting it on the internal net and NATing is not a good solution. Ideally, yes, a DMZ would be the right thing to do. Unfortunately our T1 ISP makes it difficult to split up our public IPs into more than one subnet, and we'd lose some support if we did that. And really the only reason we'd need a DMZ is to make it easier to configure the firewall; other than that, we don't mind putting the public server on the front network.
Delta
New Contributor

Create a new Virtual Domain and put the public server on the LAN side of that. The FortiGate will treat it as if it's a completely separate physical box.
Thought for the day: Advertising (n): the science of arresting the human intelligence for long enough to get money from it. -- Stephen Leacock.
Not applicable

I'm not sure how that solves the problem, but maybe that's because I don't quite understand virtual domains. If I do what you suggest, will PCs on the internal LAN and people out on the Internet both be able to access the public server using the SAME IP ADDRESS? Remember the LAN is using private IPs and NAT.
doshbass
New Contributor III

I need to test this, but you can create a VIP on both the public and the LAN side that point to the same address. Give me an hour or so to prove this.
Still learning to type "the"
doshbass
New Contributor III

Yes that works, you can have the server on an RFC address and create the VIP for the external interface and a VIP for the LAN interface. That way anyone typing in the RIPE address for the server will get to it.
Still learning to type "the"
Not applicable

That may be the best solution for us, thank you! I can't test this right now because people are using the server, so I'll have to try it overnight sometime. Does this work if the public server is on the *same* internal network as the PCs? That is, will PCs on the private net trying to reach the server by its public IP be able to reach the virtual IP and have their traffic forward (and double-NATed) back to the internal net? If not, I could put the public server on WAN2 on its own private address space, so either way it sounds like this could work, but I'm curious if you tried it in the above configuration.
doshbass
New Contributor III

No it won't. VIP and NAT only happen once traffic passes through the FG, you need to set it up on a separate network, and also for security you should do. Imagine a compromise of the server through some unknown means. If it is on your LAN you are wide open. This way you can be specific about what access is allowed back into the LAN from your server and tie that down as well.
Still learning to type "the"
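The design the thread settles on (server on its own private subnet behind the FortiGate, one VIP on the WAN-facing interface and a second VIP on the LAN interface, both pointing at the same private address) written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread or by Fortinet. The addresses are constructed (203.0.113.0/28 standing in for the public /28, 203.0.113.3 as the server's public IP, 10.10.10.10 for the server behind the dmz port, the LAN on the "internal" switch), the interface names are assumed FortiGate defaults, and the exact keyword set varies slightly between FortiOS releases.

```fortios
# Added example (not from the thread). Assumed layout:
#   wan1     -> T1 router, FortiGate holds 203.0.113.2 from the public /28
#   dmz      -> public server, private address 10.10.10.10
#   internal -> office LAN, private addresses NATed outbound
# 203.0.113.3 is the public IP reserved for the server (constructed value).

config firewall vip
    # Same public IP and same private target, one VIP per interface the
    # request can arrive on: wan1 for the Internet, internal for the LAN.
    edit "srv-public-wan"
        set extintf "wan1"
        set extip 203.0.113.3
        set mappedip 10.10.10.10
    next
    edit "srv-public-lan"
        set extintf "internal"
        set extip 203.0.113.3
        set mappedip 10.10.10.10
    next
end

config firewall policy
    # Internet -> server: destination NAT via the VIP only, no source NAT,
    # and only the services the server actually publishes.
    edit 1
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "srv-public-wan"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
    # LAN -> server by its public IP (the "double NAT" case). Source NAT is
    # enabled so the server answers to the FortiGate's dmz address and the
    # reply always comes back through the firewall.
    edit 2
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "srv-public-lan"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
    next
    # LAN -> Internet: the outbound rule with NAT ticked, as Bob notes.
    # Older FortiOS names the any-service object "ANY", newer releases "ALL".
    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    # Deliberately no dmz -> internal policy: the FortiGate's implicit deny
    # then blocks a compromised server from reaching the LAN. Add a narrow
    # dmz -> internal policy only for something the server genuinely needs.
end
```

The trade-off of source NAT on policy 2 is that the server's own logs show the FortiGate's dmz address for every in-office visitor rather than the PC that connected, so keep the FortiGate's traffic logging on for that policy if you need to attribute LAN requests. To confirm the LAN-side VIP is translating as intended, watch the dmz side while a LAN PC browses to 203.0.113.3 with `diagnose sniffer packet dmz 'host 10.10.10.10' 4` and check that the packets arrive with 10.10.10.10 as destination.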