Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEndpoint
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiTester
- FortiSwitch
- FortiToken
- FortiVoice
- FortiWAN
- FortiAppSec Cloud
- FortiWeb
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- How to put two ports on the same network?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on ‎04-11-2007 05:00 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to put two ports on the same network?
We just got a new FortiGate 50B.
I' d like to connect it to:
- our uplink (a router sitting on the local end of a T1)
- our LAN (a switch with a bunch of PCs on it)
- and our one public server.
I' d like the public server to have a public IP, and the LAN to be a separate private net with NAT. Our T1 comes with a /28 so we have several usable public IPs. The T1 router has one IP, the FortiGate can have a second one (which it can also NAT all the LAN PCs to), and the public server can have a third.
It' d be really nice not to have to use a separate switch to sit between the FortiGate, T1 router, and public server.
What I need to do is configure the FortiGate such that both the uplink port and the public server port are treated as being on the same /28 subnet, with the FortiGate bridging between the two ports.
I asked about this before we bought it, and was told we could do it.
Now that I' m poring over the documentation and config interface, I don' t see quite how I' m supposed to...
20 REPLIES 20
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Cos,
I don' t think you can achieve what you are trying to do. I believe (but not completely sure) that you can either have the whole unit in transparent mode or in NAT/Route mode.
In transparent mode, all interfaces are on the same subnet. This is no good for your internal network.
In NAT/Route mode all interfaces must be on seperate subnets. No good for your server/internet connection.
However there are ways around it.
By far your best option is to put your server on a new private address and use a VIP on the fortigate to map this to the required RIPE address. This is definately best practice for connecting machines to teh internet for public access.
If for some reason you really can' t do this, you can create a new VDOM in transparent mode. In effect you then have two totally seperate firewalls, on can be used for the server and the other for the lan to server/intenet side. This method is complex and not really advised on a 50 due to memory limitations.
Jon
Still learning to type " the"
Still learning to type " the"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why would you need another switch in the mix? After the T-1 is terminated to good old Ethernet, plug it into the FortiGate and go! Realistically, there is no need to map every PC to a RIPE/ARIN IP address. The Fortigate will NAT the outgoing traffic for you. Save those public IPs for future expansion. Once you have the T-1 plugged in (assuming to the WAN port), and the switch with all your devices as well (internal here), just create a virtual IP to map that ' public' server from a RIPE/ARIN IP to the internal IP address. Make sure in any policy that faces the Internet, you check off the NAT box, or you won' t get far. If the ' public' server is on a third subnet, stick it on the DMZ port, and move the virtual IP definition there instead.
Good luck
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Not applicable
Created on ‎04-12-2007 10:56 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jon: No good. The public server needs to be accessed from both inside and outside our office. If we put it on the internal network, it would get NATed, and people in the office would need to use a private IP to access it. A majority of them use laptops which they bring into and out of the office.
A solution which forces them to change their DNS configuration every time they enter or leave the office, or frob /etc/hosts, or use a totally different set of bookmarks (with virtual web servers answering to the different names), is just too annoying. I want to rely on DNS to give the IP of the public server, and everyone to be able to use DNS to access it, regardless of whether they' re in or out of the office.
Bob: Of course " there is no need to map every PC to a RIPE/ARIN IP address" - we just want to do this for *one* server. See my response to Jon, above, for why putting it on the internal net and NATing is not a good solution.
Ideally, yes, a DMZ would be the right thing to do. Unfortunately our T1 ISP makes it difficult to split up our public IPs into more than one subnet, and we' d lose some support if we did that. And really the only reason we' d need a DMZ is to make it easier to configure the firewall; other than that, we don' t mind putting the public server on the front network.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create a new Virtual Domain and put the public server on the lan side of that. The Fortigate will treat it as if it' s a completely separate physical box.
Thought for the day:
Advertising (n): the science of arresting the human
intelligence for long enough to get money from it.
-- Stephen Leacock.
Thought for the day: Advertising (n): the science of arresting the human
intelligence for long enough to get money from it. -- Stephen Leacock.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' m not sure how that solves the problem, but maybe that' s because I don' t quite understand virtual domains. If I do what you suggest, will PCs on the internal LAN and people out on the Internet both be able to access the public server using the SAME IP ADDRESS? Remember the LAN is using private IPs and NAT.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to test this, but you can create a VIP on both the public and the LAn side that point to teh same address.
Give me a hour or so to prove this.
Still learning to type " the"
Still learning to type " the"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes that works, you can have the server on an RFC address and create theVIP for theexternal interface and a VIP for the LAN interface.
That way anyone typing in the RIPE address for the server will get to it.
Still learning to type " the"
Still learning to type " the"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That may be the best solution for us, thank you!
I can' t test this right now because people are using the server, so I' ll have to try it overnight sometime.
Does this work if the public server is on the *same* internal network as the PCs? That is, will PCs on the private net trying to reach the server by its public IP be able to reach the virtual IP and have their traffic forward (and double-NATed) back to the internal net?
If not, I could put the public server on WAN2 on its own private address space, so either way it sounds like this could work, but I' m curious if you tried it in the above configuration.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No it won' t VIP and NAT only happen once traffic passes through the FG, you need to set it up on a seperate network, and also for security you should do.
Imagine a compromise of the server through some unknown means. If it is on your LAN you are wide open. This way you can be specific about what access is allowed back into teh LAN from your server and tie that down as well.
Still learning to type " the"
Still learning to type " the"
Labels
-
FortiGate
10,637 -
FortiClient
2,167 -
FortiManager
892 -
5.2
687 -
FortiAnalyzer
682 -
5.4
638 -
FortiSwitch
588 -
FortiClient EMS
565 -
FortiAP
562 -
IPsec
422 -
6.0
416 -
SSL-VPN
384 -
FortiMail
372 -
5.6
362 -
FortiNAC
287 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
197 -
FortiAuthenticator
178 -
FortiGuard
160 -
5.0
152 -
Firewall policy
145 -
FortiGate-VM
134 -
6.4
128 -
FortiCloud Products
116 -
FortiSIEM
113 -
FortiToken
113 -
FortiGateCloud
112 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
86 -
FortiProxy
78 -
ZTNA
76 -
Routing
75 -
Fortivoice
73 -
SAML
73 -
DNS
71 -
VLAN
71 -
BGP
70 -
FortiEDR
69 -
FortiADC
68 -
Authentication
68 -
Certificate
66 -
RADIUS
61 -
LDAP
60 -
FortiLink
56 -
SSO
54 -
NAT
54 -
FortiSandbox
53 -
FortiExtender
52 -
4.0MR3
49 -
vdom
47 -
Interface
46 -
Application control
46 -
FortiDNS
43 -
Logging
41 -
Virtual IP
41 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
SSL SSH inspection
36 -
FortiConnect
35 -
Web profile
35 -
Automation
33 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
API
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
WAN optimization
21 -
FortiMonitor
20 -
OSPF
20 -
Security profile
19 -
Web rating
19 -
FortiSoar
18 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
FortiAP profile
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiCASB
14 -
NAC policy
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2609 | |
| 1390 | |
| 804 | |
| 664 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.