Hi,
Referring to the diagram attached, FGT is connected to the upstream server farm switch with OSPF (10.20.30.2).
The interface configuration is as below:
WAN: 10.20.30.2 (OSPF interface)
LAN: 172.16.30.1
We would like to configure VIP at the internal FortiGate with IP segment 10.1.159.0/24 at the WAN interface and mapped it to the internal server.
We had tested the VIP at our labs and it is working as intended.
However, we are having some suspicious about whether the server can go to the internet or not with this configuration.
Sample config:
config system interface
edit "LACP-WAN"
set vdom "Int"
set ip 10.20.30.2 255.255.255.252
set allowaccess ping
set type aggregate
set member "internal5"
set device-identification enable
set lldp-transmission enable
set monitor-bandwidth enable
set snmp-index 49
set secondary-IP enable
config secondaryip
edit 1
set ip 10.1.159.254 255.255.255.0
set allowaccess ping
next
end
next
end
config firewall ippool
edit "Pool-25"
set startip 10.1.159.25
set endip 10.1.159.25
set comments "Test Server 01"
next
end
config firewall policy
edit 1
set name "Pool2ndIP"
set uuid 26ae67a4-81cd-51ec-4cb0-d7a20a187547
set srcintf "LACP-LAN"
set dstintf "LACP-WAN"
set srcaddr "servertest"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set ippool enable
set poolname "Pool-25"
set nat enable
next
end
The objective is to allow the internal server to go to the internet with NATting to 10.1.159.254 or any other IP Pools within the 10.1.159.254 segment. Please advise if it is doable.
Thanks.
Regards,
Umar
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
As long as there is a route to the internet for the 10.1.159.x, it should be possible.
OSPF may only give you the default static route (with the next hop being in 10.20.30.x).
But you can still add a static route with lower metric for this server for the 10.1.159.x IP range.
Hey umar,
with the policy Pool2ndIP as outlined, the host 'servertest' would be allowed to access whatever can be reached through LACP-WAN interface, and traffic from servertest would go out the LACP-WAN interface using IP 10.1.159.25
If your routing is in order as Alex mentioned, I would not expect any issues.
Out of topic, but I would suggest to use tagged vlan sub-interfaces on LACP agregates.
Will be easier to add additional vlans (WAN providers or LAN subnets) alter.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1666 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.