LK_KT
New Contributor

NATed mode + Transparent mode with public IPs

Hi everyone.

 

I'm aware that there were similar topics, but I couldn't find any relevant "enough" for what I want to do. And I have to say that I'm a newbie to FortiGates, so spare me :)

 

Anyway, what I have is a FortiGate 200B (firmware v5.2.3) and a bunch of 14 public IP addresses from one pool (/28). What I want to achieve is having some FortiGate ports (let's say half) NATed, and the other half should be in Transparent mode. Ports in Transparent mode are for devices that have to use a public IP, but of course I want to secure access to those devices. As far as I know, this can be done with VDOMs, and as someone told me, for each server in transparent mode I need 2 ports (one Internet-facing and one connected to the server).

 

 

Now, the problem is: is it really possible to do? When I tried to configure something like this and was trying to set up a new transparent VDOM, I had to provide a Management IP and Gateway IP. I don't know how to deal with this and I cannot get around the problem. Can I have something like a group of two bridged ports with no "management IP"? I want to configure everything using only one public IP, the one that is in front of NAT.

 

I'd either like to have it

- like on the picture on the left side - two ports grouped together

- or, even better, like on the picture on the right side - one port is Internet facing and others are bridged with it, less ports used

 

I'd really appreciate your help.

 

Thank you

Lucas

 

6 REPLIES
iJake
Contributor

Would it not be possible to put a switch on the "inside" port with all your devices connected to it, then use the bridged port for the "outside"?

-Jake
LK_KT
New Contributor

Hi Jake.

 

Well, it's not about whether I can place a switch in the internal network part (although I would prefer to use the ports that the FortiGate already has), but rather whether I can do the things that I want to do, and if "yes", then how it can be done.

iJake
Contributor

You can create a switch interface on the FortiGate grouping multiple ports; you could use this as the internal side, then pair it with the external port.

-Jake
emnoc
Esteemed Contributor III

I will caution you on the following,

 

1: not all ports are accelerated on a 200B; this may or may not be an issue, but you should be aware regardless

2: not sure you could even do what you're attempting or wanting, by running transparent and NAT/routed in a dual VDOM with just one /28 block between the two

 

3: you will need to research this fully and see, or change your plan or design. I personally would just place NAT pools for the single hosts that need direct public addresses and interface NAT overload for all of the others. Assign private addresses and get away from running dual VDOMs, but that's just what I would do.

 

BTW, I believe you can't create multiple switch-controller groups (somebody can confirm this based on 5.2.3 and a 200B).

 

PCNSE NSE StrongSwan
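For readers who want to see what emnoc's alternative looks like in practice, the following is an added FortiOS CLI sketch (not posted by anyone in this thread and not tested on a 200B): one host that needs a dedicated public address gets a one-to-one IP pool for outbound traffic plus a VIP for inbound, and everything else shares the WAN interface address via ordinary interface NAT overload. The interface names (wan1, internal), the 203.0.113.0/28 public block, the 192.168.10.0/24 private range, the address/pool/VIP names and the policy IDs are all assumptions chosen for the illustration; substitute your own.

```fortios
# Added example, not from the original post. All names, addresses and
# policy IDs below are assumptions for illustration only.

# 1. The single host that needs a fixed public identity (assumed 192.168.10.5)
config firewall address
    edit "srv1-host"
        set subnet 192.168.10.5 255.255.255.255
    next
end

# 2. One-to-one IP pool: outbound traffic from srv1 always leaves as 203.0.113.5
#    (one address in, one address out; no port overload for this host)
config firewall ippool
    edit "srv1-public"
        set type one-to-one
        set startip 203.0.113.5
        set endip 203.0.113.5
    next
end

# 3. VIP (static destination NAT): inbound traffic to 203.0.113.5 reaches srv1
config firewall vip
    edit "srv1-inbound"
        set extip 203.0.113.5
        set extintf "wan1"
        set mappedip "192.168.10.5"
    next
end

config firewall policy
    # 4. Outbound, srv1 only: source NAT via the dedicated pool.
    #    Must sit ABOVE the general overload policy, since policies match top-down.
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "srv1-host"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "srv1-public"
    next
    # 5. Inbound to srv1: only the services you actually expose (HTTPS assumed here),
    #    so the public address is reachable without opening the whole host.
    edit 11
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "srv1-inbound"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    # 6. Everyone else: interface NAT overload behind the wan1 address.
    edit 20
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Two things to check after applying something like this: policy order (the per-host pool policy must be matched before the catch-all overload policy, otherwise srv1 leaves with the wan1 address), and that the VIP policy lists only the services you mean to expose, since a VIP with no port forwarding maps every port of the public address to the host. Whether a given application works behind this kind of 1:1 NAT is exactly the concern LK_KT raises below; a protocol that embeds its own address in the payload may still need a session helper or a truly transparent path.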
iJake

You're right, there may well be limitations. That being said, you should be able to create a VLAN sub-interface on the switch interface and assign that to a VDOM. I haven't tested this myself.

-Jake
LK_KT
New Contributor

Ad. 1. Well, it probably doesn't really matter, and I'd treat it as a minor problem right now.

Ad. 2. Isn't it possible to let through just a single public IP? Does it have to be a whole subnet?

Ad. 3. The problem is that at least one or two devices cannot be placed behind NAT at the moment. One server that we are running currently does not support all the functions we need in NATed mode.
