Malkosha
New Contributor

Interface mode strategy

I’m not a WAN expert by any means, but over the last 6 months I have managed to get our WAN up and working. We are using IPsec VPN tunnels to connect everything, with a different ISP in each location. I’ve done everything from FSSO to traffic shaping and so far everything is working great. It’s been a great learning experience.

 

In one location, we have an AT&T line with a WAN IP and 12 LAN addresses. We are putting in an IP phone system and the outside company wants to connect their router and pass through our FortiGate 90D.

 

I changed from switch mode to interface mode, using port 1 to reconnect our WAN. I used the WAN IP address for the tunnels and Internet access, while the LAN addresses have gone unused. I planned on using port 14 for the IP phone system router to plug into. This will just be a straight shot through the 90D with no UTM policies applied.

 

I assume that all I need to do is assign one of the LAN addresses to this port and create the policies that allow this port Internet access through the WAN. Is this a good way to go? Compared to setting up our email server at the home office … virtual IPs, DMZ and all … this seems a little too simple. Am I missing something other than classes on net design?

 

Thanks in advance for your help!

Dave_Hall
Honored Contributor

Hi Mike.

 

Welcome to the forums.

 

It would help to clarify how the internal network is laid out; you kinda make it sound like everything behind the FGT device is assigned static IPs (as opposed to dynamically assigned).

 

Personally, I would attach a small network switch (preferably one that supports VLANs) to the AT&T line, then connect both the FortiGate and the VoIP router to that. (If possible, place your IP phone system on a separate VLAN from the rest of the internal network.) You will want to minimize the impact to your phone system should anything happen with the FortiGate router.

 

If you need to stick the VoIP router behind the FortiGate, you could use the WAN2 port, unless you are using it for something at the moment.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Malkosha

Dave Hall wrote:

Hi Mike.

 

Welcome to the forums.

 

It would help to clarify how the internal network is laid out; you kinda make it sound like everything behind the FGT device is assigned static IPs (as opposed to dynamically assigned).

 

Personally, I would attach a small network switch (preferably one that supports VLANs) to the AT&T line, then connect both the FortiGate and the VoIP router to that. (If possible, place your IP phone system on a separate VLAN from the rest of the internal network.) You will want to minimize the impact to your phone system should anything happen with the FortiGate router.

 

If you need to stick the VoIP router behind the FortiGate, you could use the WAN2 port, unless you are using it for something at the moment.

Thanks for the reply.

 

The FGT is connected directly into the AT&T edge device and uses the WAN IP to connect. They also gave me 14 LAN addresses which are not being used. The FGT is also connected to the switch in the front office, which connects to the rest of our net. Using the WAN IP, I've created tunnels to the other locations. Accessing a company asset like a DB uses the tunnels to get back to the main office. Local users wanting to access the Internet don't use the tunnels but go out the FGT directly at that location. This keeps Internet traffic from clogging the tunnels up. Their Internet use is monitored and traffic shaped, and I use FSSO to control access from the domain.

 

The company we are getting VoIP from just wants their own IP and the ability to plug their router into the FGT and pass freely through. Since I went from switch mode to interface mode, I thought I'd be able to assign one of the LAN addresses to port 14 as a gateway for their router and another LAN IP for that vendor to use in their router. Port 1 is now the Internal_LAN port we use both locally and for the tunnels. Ports 2-13 are unused. WAN2 is reserved for future use. Our net and their proposed net are on different subnets.

 

Once I assign the address and create the policies, I would think that their router will just slide through the FGT without them having access into our system.

 

Hopefully I explained that well enough ... like I said, I'm no network engineer, and while I'm having fun learning, sometimes it's the simple stuff that gets me.

 

Thanks!

 
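The plan described in the two posts above (number port 14 from the AT&T static block, give the vendor's router its own public address, let it reach the Internet, and keep it out of the internal LAN), written out as FortiOS CLI. This is an added example and is not the poster's configuration or anything from Fortinet; interface names (wan1 as the AT&T uplink, port1 as the internal LAN, port14 for the vendor) and the 203.0.113.32/28 addresses are assumed and constructed. It also assumes AT&T routes the static block to the FortiGate's wan1 address; if the block instead sits on the same segment as the wan1 IP, port14 cannot be numbered from it and a different design (Dave's switch/VLAN suggestion, or NAT) is needed. The last policy is the part most people forget to check: with nothing permitting port14 to port1, the implicit deny already blocks the vendor, but an explicit, logged deny makes any attempt from their side visible.

```fortios
# Added example, not the original post's configuration.
# Assumed: wan1 = AT&T uplink, port1 = internal LAN, port14 = vendor VoIP router.
# Constructed: 203.0.113.32/28 stands in for the AT&T static block, assumed to be
# routed by AT&T to wan1. Gateway for the vendor = .33, vendor router = .34.
config system interface
    edit "port14"
        set alias "voip-vendor"
        set ip 203.0.113.33 255.255.255.240
        set allowaccess ping
        set role lan
    next
end

config firewall address
    edit "voip-vendor-router"
        set subnet 203.0.113.34 255.255.255.255
        set associated-interface "port14"
    next
end

config firewall policy
    # Vendor router -> Internet. No NAT: the block is public and routed to us,
    # so the router keeps its own public address, which is what the vendor asked for.
    edit 0
        set name "voip-vendor-out"
        set srcintf "port14"
        set dstintf "wan1"
        set srcaddr "voip-vendor-router"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    # Internet -> vendor router ("pass freely through" in both directions).
    # Narrow srcaddr and service to the vendor's own ranges/ports once they tell you what the router needs.
    edit 0
        set name "voip-vendor-in"
        set srcintf "wan1"
        set dstintf "port14"
        set srcaddr "all"
        set dstaddr "voip-vendor-router"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    # Explicit, logged deny from the vendor port to the internal LAN.
    # The implicit deny already drops this; the named policy makes attempts visible in the logs.
    edit 0
        set name "voip-vendor-isolate"
        set srcintf "port14"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The vendor configures their router with 203.0.113.34/28 and gateway 203.0.113.33. Because the vendor's address is pinned with srcaddr in the outbound policy, a second device plugged into port 14 with a different address gets nothing, and nothing from port14 to the VPN tunnels is permitted either, since no policy names a tunnel interface as dstintf.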
