Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jon_Fleming
New Contributor

Multiple fixed IPs behind Verizon FIOS

OK, I just upgraded my Verizon FIOS to a block of five fixed IPs. Their documentation is nonexistent but I think I' ve got a handle on it. I want to have two Web servers behind the Fortigate. So here' s how I think it should work: The Verizon ActionTec router uses 192.168.16.x on its LAN side. It' s programmed to forward {IP 1}:80 to 192.169.16.16 and to forward {IP 2}:80 to 192.168.16.32. My Fortigate 50b (MR6 patch 4) has both WAN interfaces connected to the LAN side of the ActionTec. WAN1 is set up as 192.168.16.16/255.255.255.224. WAN2 is set up as 192.168.16.32/255.255.255.0. (Is 255.255.255.31 a valid netmask?). I have a static route (IP 0.0.0.0/0.0.0.0 gateway 192.168.16.1 device WAN1 distance 10) and port forwarding and everything set up on WAN1, so the existing Web server is working properly. Now I want to set up the same for WAN2 and the second web server. Obviously I want to forward WAN2:80 to the second web server. I bet I need a firewall policy for internal->WAN2 that accepts everything. Do I set up a static route for IP 0.0.0.0/0.0.0.0 gateway 192.168.16.1 device WAN2 distance 10? Or what? Is that all I need?
10 REPLIES 10
UkWizard
New Contributor

Not sure if these are real IP addresses you are stating, but with the details you have supplied, this isnt going to work. Whats the subnet mask on the 192.168.16.1 actiontec router? if its 255.255.255.0, then you wont even need to have wan2 connected. instead create a vip for the .32 IP on the wan1 interface. But is there no way you can get them to present the public IP range to the internal side of the router? thats the normal method. So that the fortinet has the 5x ext IP' s. having it like you have it is a mess to be honest, as unless you can get routes added on the Actiontec router for your internal subnet, you will have to also NAT on the fortinet, so effectively you will be double natting (fortinet and Actiontec) ..... odd
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Jon_Fleming
New Contributor

The 192.168.16.x addresses are real on the LAN side of the Actiontec and on the WAN1 side of the Fortigate. The ActionTec LAN netmask is 255.255.255.0. When I signed up for the block of fixed IPs I called tech support and they told me that the public IPs would map one-for-one to the LAN ports on the Actontec: public IP 1 would map to LAN port 1, public IP 2 would map to LAN port 2, and so on. But I' ve talked to tech support twice today and they haven' t offered me that option. And their documentation is worse than Fortinet' s. I have the broadband ethernet connection set up as having the five IPs all assigned to it, and the big port forwarding rule that goes to the Fortigate WAN1 at 192.168.16.16 is set to only forward stuff that comes in on the first IP. Presumably I can set up another rule that forwards stuff coming in on the second IP to the Fortigate WAN2 at 192.168.16.32. Here' s what I must have. I need to have two servers (A and B) sitting behind a firewall router, preferably the existing Fortigate (I' m not excited about buying another router). I need to have {public IP 1} ports 25, 80, 110, 143, 443, 444, 4125, 37095, and 37096 forwarded to server A on the internal side of the Fortigate. I need to have {public IP 2} ports 80 and 443 forwarded to server B on the internal side of the Fortigate. And, of course, once a session is initiated between a remote machine and a server I need to have all that traffic routed appropriately. Since both servers are listening on ports 80 and 443, I don' t see how the routing can be done if everything' s coming into the Fortigate on WAN1. When a remote system tries to initiate a conversation on port 80, how does the Fortigate decide what server it goes to? The only way I can see (admittedly I' m no expert) is if traffic for server A comes in on WAN1 and traffic for server B comes in on WAN2. This all seems to be independent how the Actiontec is set up ...
Jon_Fleming
New Contributor

I' m still fighting my way through Verizon tech support, but it' s pretty certain at this point that presenting " the public IP range to the internal side of the router" is impossible with the ActionTec router. That' s from both Verizon and ActionTec technical support. It' s possible to do with the 8-port router option that they used to offer ... but don' t offer anymore, and nobody can even find one of those routers to give me. It' s supposedly possible to do if I pay more money to Verizon Business Networking to do it for em ... but that last time I got through to Verizon Business Networking after an hour on hold the guy told me that what I needed was FIOS Custoemr Care, and transferred me, dumping me back where I was two hours before. You can' t make this s**t up. Now I' m no terminal hold again. I bet the only way this is ever going to work is if I can get the Fortigate to work as I outlined in my first message.
UkWizard
New Contributor

You really should look to get the external IP' s on the LAN side of the router. (this would be a ' routed' solution. What you currently have is a NAT solution. You DO NOT have to use WAN2, as you have a class c mask, the IP' s you are talking about using on WAN2 anyway is in the same range as WAN1. So you cannot do that anyway (except in very very rare setups). So, forgetting WAN2, this leaves you with two options if you cannot get a routed solution. They are; 1) get a route added to the ActionTec router, saying to your internal subnet next hop is your fortinet WAN1 IP. This prevents you having to perform a second NAT on the fortinet. 2) Turn on NAT on the fortinet and put up with the double-NATTING.... (bad practice). So, after deciding the above, all you need to do is add the second IP (.32) as a VIP on the WAN1 interface (you have have as many IPs on the same interface). Then you just setup the policies as you want, with what you have said, i would setup an incoming policy for the relevant ports to the relevant IP. Thats it, job done.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Jon_Fleming
New Contributor

I appreciate your help, but I' m a bit confused. First, there' s no way that Verizon is going to give or sell me any help under any circumstances. I literally spent the day on the phone with them. I can' t expose the public IPs on the LAN side of the Actiontec, they don' t have any hardware that will do that for free or for sale, they will be glad to tell me that I can replace the ActionTec with " any router" (that is an exact quote and obviously a lie) and they do not have any idea of the name or model number of any router that would do the job. One guy suggested I go buy any LinkSys router and I would certainly be able to figure it out!!! A home-grade LinkSys!! I' m spitting nails here. OK. I' m very open to a routed solution, maybe even buying some more hardware to do it, but I' ve been burned once and I' m not spending any money without a guarantee that whatever I' m buying will do the job. I' ve ben told " any router" , " any switch" . " a Level 3 switch" , I don' t know what-all. Got any suggestions? Or pointers to where to look? I think I' m doing double NAT already, at least sort of. The ActionTec is doing DHCP\NAT on the 192.168.16.x/24 subnet onit' s LAN on the WAN1 side of the Fortigate. My main server is doing DHCP on the 192.168.0.x/24 subnet on the LAN side of the Fortigate (and its Small Business Server which gets really unhappy if it doesn' t do the DHCP) and I sure think the Fortigate is doing NAT. If I put a route in the ActionTec that just hops to the Fortigate WAN1, don' t I lose the 192.168.16.x/24 network and its ability to access the Internet? And how do I split out the traffic for the two different servers in the FOrtigate? That 192.168.16.x network is very convenient for our visitors and very nice for securing our LAN from our visitors. I suppose I could put a home-grade wireless router in with its WAN port on the 192.168.0.x/24 subnet that is our main network and it' s LAN ports on some other subnet. Does that sound reasonable to you? Or (I think I hear you saying) I could leave things as they are at the moment (with the ActionTec forwarding a bunch of ports from my first public IP to 192.168.16.16 which the Fortigate forwards to 192.168.0.250), add a port forwarding rule in the ActionTec that forwards ports from my second public IP to 192.168.1.32, add a VIP of 192.168.1.32 to WAN1 on the Fortigate, and add appropriate forwards in the Fortigate to forward the stuff coming in on 192.168.1.32 to the second server. Is that it? (I' m not where I can look at the FOrtigate right now, and I forget whether the port forwards include the IP of WAN1 or jus the fact that it' s WAN1). I do need to have the same port forwarded to different places depending on which public IP it came in on.
rwpatterson
Valued Contributor III

The ActionTec router is a big turd. Dump it, clone the MAC on the Fortigate, and place it on the edge. I have done this in 3 locations, my home for one. Works fine. The tech support drones know what they' re taught in Verizon school. By the book, or it won' t work...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Jon_Fleming
New Contributor

Well, I certainly could dump the ActionTec, but then how do I program the Fortigate? Put the first static IP as the WAN1 IP and add the other static IPs as virtual IPs?
rwpatterson
Valued Contributor III

Precisely.... Use the DMZ port for visitors to surf. Only one set of mappings to manage, and easier to debug.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Jon_Fleming
New Contributor

OK, it' s all working now. FWIW, I didn' t have to clone the ActionTec MAC. So I just hooked both routers and the FIOS feed to a switch, gave the ActionTec the last fixed IP address, and now I' m managing the first four IP addresses in the Fortigate. Much nicer than the original plan! Thanks.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors