Hi everyone.
I'm aware that there were similar topics, but I couldn't find any relevant "enough" to what I want to do. And I have to say that I'm a newbie to Fortigates, so spare me :)
Anyway, what I have is a Fortigate 200B (firmware v5.2.3) and a bunch of 14 public IP addresses from one pool (/28). What I want to achieve is having some Fortigate ports (let's say half) NATed and the other half in Transparent mode. Ports in Transparent mode are for devices that have to use a public IP, but of course I want to secure access to those devices. As far as I know this can be done with VDOMs, and as someone told me, for each server in transparent mode I need 2 ports (one Internet facing and one connected to the server).
Now, the problem is: is it really possible to do? When I tried to configure something like this and was trying to set up a new transparent VDOM, I had to provide a Management IP and a Gateway IP. I don't know how to deal with this and I cannot get around the problem. Can I have something like a group of two bridged ports with no "management IP"? I want to configure everything using only one public IP, the one that is in front of NAT.
I'd either like to have it
- like on the picture on the left side - two ports grouped together
- or, even better, like on the picture on the right side - one port is Internet facing and others are bridged with it, less ports used
I'd really appreciate your help.
Thank you
Lucas
Would it not be possible to put a switch on the "inside" port with all your devices connected to it, then the bridged port used for the "outside"?
......
-Jake
Hi Jake.
Well, it's not about whether I can place a switch in the internal network part (although I would prefer to use ports that the Fortigate already has), but rather whether I can do the things that I want to do, and if "yes" then how it can be done.
You can create a switch interface on the FortiGate grouping multiple ports, you could use this as the internal, then pair with the external port.
......
-Jake
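The two-port transparent VDOM from the left-hand picture, written out as FortiOS CLI; this is an added example, not any poster's config. It assumes VDOMs are already enabled on the unit, that 203.0.113.0/28 stands in for the real /28, and that port5/port6 are arbitrary choices.

```fortios
# Added example (not a poster's config): two-port transparent VDOM; 203.0.113.0/28 and port5/port6 are placeholders.
config vdom
    edit "tp-vdom"
    next
end
config system interface
    edit "port5"
        set vdom "tp-vdom"
    next
    edit "port6"
        set vdom "tp-vdom"
    next
end
config vdom
    edit "tp-vdom"
        # transparent mode still needs a management IP and gateway (one /28 address)
        config system settings
            set opmode transparent
            set manageip 203.0.113.14/28
            set gateway 203.0.113.1
        end
        config firewall address
            edit "srv-public"
                set subnet 203.0.113.10 255.255.255.255
            next
        end
        # inbound: only the service the bridged server must expose; rest is implicit deny
        config firewall policy
            edit 1
                set srcintf "port5"
                set dstintf "port6"
                set srcaddr "all"
                set dstaddr "srv-public"
                set action accept
                set schedule "always"
                set service "HTTPS"
                set logtraffic all
            next
            edit 2
                set srcintf "port6"
                set dstintf "port5"
                set srcaddr "srv-public"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
```

The NAT-routed ports stay in the root VDOM untouched; the management IP is the one address the transparent VDOM itself takes from the /28, which is the point the original question leaves open.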
I will caution you on the following,
1: not all ports are accelerated on a 200B, this may or may not be an issue but you should be aware regardless
2: not sure you could even do what you're attempting or wanting, and by running transparent and nat-routed in a dual vdom with just one /28 block between the 2
3: you will need to research this fully and see or change your plan or design. I personally would just place NAT_POOLS for the single hosts that need direct public and interface nat overload for all of the others. Assign private addresses and get away from running dual-vdoms, but that's just what I would do.
BTW, I believe you can't create multiple switch-controller groups (somebody can confirm this based on 5.2.3 and a 200B)
PCNSE
NSE
StrongSwan
emnoc wrote: I will caution you on the following,
1: not all ports are accelerated on a 200B, this may or may not be an issue but you should be aware regardless
2: not sure you could even do what you're attempting or wanting, and by running transparent and nat-routed in a dual vdom with just one /28 block between the 2
3: you will need to research this fully and see or change your plan or design. I personally would just place NAT_POOLS for the single hosts that need direct public and interface nat overload for all of the others. Assign private addresses and get away from running dual-vdoms, but that's just what I would do.
BTW, I believe you can't create multiple switch-controller groups (somebody can confirm this based on 5.2.3 and a 200B)
You're right, there may well be limitations. That being said, you should be able to create a VLAN sub-interface on the switch interface and assign that to a VDOM. I haven't tested this myself.
......
-Jake
emnoc wrote: I will caution you on the following,
1: not all ports are accelerated on a 200B, this may or may not be an issue but you should be aware regardless
2: not sure you could even do what you're attempting or wanting, and by running transparent and nat-routed in a dual vdom with just one /28 block between the 2
3: you will need to research this fully and see or change your plan or design. I personally would just place NAT_POOLS for the single hosts that need direct public and interface nat overload for all of the others. Assign private addresses and get away from running dual-vdoms, but that's just what I would do.
BTW, I believe you can't create multiple switch-controller groups (somebody can confirm this based on 5.2.3 and a 200B)
Ad. 1. Well, it probably doesn't really matter and I'd treat it as a minor problem right now.
Ad. 2. Isn't it possible to let through just a single public IP? Does it have to be a whole subnet?
Ad. 3. The problem is that at least one or two devices cannot be placed in NAT at the moment. One server that we are running currently does not support all functions which we need in NATed mode.