Hello, there are many confusing posts and discussions regarding the proper way to handle Comcast's EDI with the /30 PTP network for connection to the Ciena router and the public user block provided with the same service. In our case it's a /28 block of usable IPs. We have also put an L3 switch in front of the Fortigate and connected the Ciena PTP to the switch on one VLAN, and provided for the usable IPs on another VLAN. I have been wanting to eliminate the L3 switch in between and directly connect the Fortigate WAN1 port to the Ciena, which I have done, but want to use the other block of IPs. I set up Port 14 (was available, no other reason) on the FG with one of the IP addresses from that block and have connected a device to that port with another IP from that block. I can ping the FG port from my laptop while on the LAN. I have created a policy that allows all traffic from the WAN side to the port14 interface with the public IP address on it, but I cannot ping that address from the WAN side. My understanding was that the /28 block of usable IP addresses was reachable without any other configuration magic. Does anyone have a clear, basic guide to help me understand all the nuts and bolts required to be able to access that /28 block?
The connected device can reach the FG but traffic won't go out wan1. I'm getting confused with all the different suggestions, including the use of VIPs, IP Pools; others have talked about proxy ARP or static ARP settings, and I think it's causing me to overcomplicate things.
Any help or guidance sincerely appreciated.
Brad
I didn't know about the Comcast EDI service until I saw your post. But luckily I found their description of how it's intended to work on their site:
Based on this, it seems to be very simple. The Ciena device acts as a switch (or modem/bridge), not a router. Then you use one of the /30 IPs for the WAN interface while their GW device (Comcast Router in the diagram) has the other IP. The /28 can be used however you want to use it. Comcast simply routes any packets destined to the /28 to your WAN /30 IP. For all devices with a private IP connected to the LAN side of your FGT, you can set a simple NAT with the /30 IP as the outside IP.
If you assign one of the /28 IPs on the LAN side of your FGT, it becomes the GW IP of the devices connected to that port with the other /28 IPs. You need to assign them to your local devices. Then all of them should be reachable from the internet as long as your FGT has a default route pointing to the Comcast Router's GW IP via the WAN interface and each device has a default GW pointing to the FGT's /28 IP.
Instead, if you want those /28 IPs to be mapped to local/private IPs like 192.168.x.y or others, which are on your servers like a web server, email server, and so on, you need to set VIPs (and ippool/SNATs if necessary for the outgoing direction) at the FGT.
Your statement "can not ping that address (on the port14?) from the wan side" is not clear about where you actually pinged from. If from/over the internet, it could simply be that the source IP is not in trusthosts, or a routing issue somewhere in between.
In any case, it comes down to HOW you want to use those /28 IPs: on each device, or VIPs at the FGT.
Toshi
I'm trying to configure our new Fortigate 300 the same way. We currently have an internal HP router connected to a Sonicwall connected to an external HP router connected to our Comcast EDI. Consolidating the mess down to just the Fortigate is proving to be very difficult. The two HP routers were used back when we had an MPLS. Our Ciena is x.x.52.201/30 and I have interface 1 on the FGT set as WAN x.x.52.202 with a static route to x.x.52.201. I then need to set interface 2, the 'private' WAN IP, to the first IP in our block, x.x.52.225, and that's where I am getting lost. Do I need to set up a LAN interface on another private WAN IP? More static routes? VIPs? Comcast told me our private WAN mask was 255.255.255.224, which the FGT says is an invalid mask when I try to create a static route. Any help would be extremely appreciated.
I think your Ciena is just a bridge and the IP lives at their CO/datacenter facility. But it doesn't matter.
I wouldn't call them "private WAN IPs"; they're just an additional public /27 subnet you got from Comcast. It's routable and you don't need any route in the FGT, because it's a connected subnet once you assign one of them to interface2. Then all other devices you assign one of the /27 IPs to need to be connected through interface2.
If you, instead, want to use VIPs with the /27 IPs while keeping private IPs on those devices that need to be reachable from the internet, you don't need to configure any of those on any FGT interfaces. They live only in the VIP/ippool (SNAT) config. FGT NAT translates those to local/private IPs.
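The "put a block address on an interface" option that Toshi describes in both replies above, written out as a constructed FortiOS CLI sketch (an added example, not configuration from this thread or from Fortinet; the addresses are documentation ranges and the port names and VIP names are assumptions): the /30 goes on wan1, the first /28 address goes on port14 as the hosts' default gateway, one default route points at the Comcast gateway, and policies pass traffic with no NAT so the hosts keep their public addresses. The last stanza shows where the VIP alternative would be defined instead.

```fortios
# Constructed addresses: 203.0.113.0/30 is the Comcast point-to-point link
# (.1 = Comcast gateway, .2 = FGT wan1); 198.51.100.0/28 is the routed block.
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.252
    next
    edit "port14"
        # First usable /28 address; hosts on port14 use it as their default gateway.
        set ip 198.51.100.1 255.255.255.240
        set allowaccess ping
    next
end
config router static
    # One default route to the Comcast gateway. No route for the /28 is needed:
    # it is a connected subnet on port14, so the FGT already knows it.
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
end
config firewall policy
    # Inbound to the public block, without NAT (hosts keep their /28 addresses).
    # Keep the service list narrow rather than "ALL".
    edit 1
        set srcintf "wan1"
        set dstintf "port14"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "PING" "HTTPS"
    next
    # Outbound from the public block, also without NAT.
    edit 2
        set srcintf "port14"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Alternative (VIP): map one /28 address to a private server instead of putting
# the block on an interface; the VIP is then used as dstaddr in a wan1-to-LAN policy.
config firewall vip
    edit "web-vip"
        set extip 198.51.100.5
        set extintf "wan1"
        set mappedip "192.168.1.10"
    next
end
```

A ping to the FGT's own port14 address from the internet is local-in traffic, so it is governed by `allowaccess` on port14 rather than by the firewall policy.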
Copyright 2024 Fortinet, Inc. All Rights Reserved.