Veggie
New Contributor

Need advice for BGP config with public IP range

Hello guys,


I'm new here and I'd like some help with BGP and public range configuration. It's the first time I've configured either.

Info:

I have a new setup with one ISP with two connections (two routers), a primary (10 Gig) and a secondary (4 Gig).

- Both are connected to a FortiGate 1000D.

- A p2p public IP to both routers with BGP configuration.

- The p2p IPs are non-routed IPs.

- A public range /27.

- Only the default route is shared by the ISP.


I would like to know the best way to configure the public range so as to avoid limitations.

Just to test connectivity, I tried this: set the public range on a loopback interface. It works, but of course only the first IP is available. Also, I realized that I can't use the loopback in local-out routing for DNS/FortiGuard.

I also tried to set a loopback with a /32 and did the same with the BGP network command, but even though it's shared with the neighbor, I lose internet connectivity. Maybe that's normal with BGP, but I don't understand why.

Here is a diagram to help you visualize :)

[Image: BGP - Public IP range.png]

If there's not enough info, just ask ;)


Thanks!

2 REPLIES
funkylicious
SuperUser

hi,

For most services you can use "set source-ip" from the CLI, although indeed a loopback interface cannot be selected from the GUI.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-CLI-command-to-check-the-use-of-source-ip-...


What kind of limitation are you thinking of?

Also, what does the route-map look like?

"jack of all trades, master of none"
Veggie

So is it good practice to use a loopback interface for a public IP range?

I tried to use the loopback interface in the CLI but it doesn't show up. I even tried to force it but it doesn't work:

[Image: WAN interface - DNS.png]

"What kind of limitation are you thinking of?"

Apart from DNS & FortiGuard, I don't know, but I remember that with previous FortiGate firmware, when you wanted to set up SD-WAN, you had to remove all dependencies from the interface before using it there. That's the kind of stuff I don't want to end up doing :)

So if there is a better way to configure a public IP range, I'd gladly take advice ;)

"Also, what does the route-map look like?"

# show router prefix-list
config router prefix-list
    edit "DFT-Route"
        set comments "Default route"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
end

# show router route-map
config router route-map
    edit "Only-DFT-Route"
        config rule
            edit 1
                set match-ip-address "DFT-Route"
            next
        end
    next
end

It's just to be sure I only get the default route from the SP.


Thanks for your help ;)
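The following FortiOS CLI fragment is an added example, not code from either poster or from Fortinet documentation. It ties together the two points raised in the thread: funkylicious's "set source-ip" for DNS/FortiGuard, and Veggie's "Only-DFT-Route" route-map applied inbound on the ISP neighbors, with the public /27 held on a loopback and announced with a BGP network statement. All addresses and AS numbers are placeholders (203.0.113.0/27 as the public range, 198.51.100.0/30 and 198.51.100.4/30 as the two p2p links, AS 65001 local, AS 64496 for the ISP); the interface name "lo-public" is also invented. It assumes the usual FortiOS behaviour that a "config network" prefix is only advertised when an exactly matching route exists in the routing table, which here is the connected route created by the loopback.

```fortios
# Added example (not from the thread or Fortinet docs). Placeholders:
#   203.0.113.0/27    public range        198.51.100.1/.5  ISP primary/secondary
#   203.0.113.1       loopback address    AS 65001 ours, AS 64496 ISP

# 1. Public /27 on a loopback. The connected route this creates is what lets
#    the BGP network statement below be advertised (assumption: FortiOS only
#    announces a network prefix that has an exact match in the routing table).
config system interface
    edit "lo-public"
        set vdom "root"
        set type loopback
        set ip 203.0.113.1 255.255.255.224
        set allowaccess ping
    next
end

# 2. Inbound filter: accept only 0.0.0.0/0 from the ISP
#    (same prefix-list/route-map as posted above; a route-map has an
#    implicit deny, so anything else the ISP sends is dropped).
config router prefix-list
    edit "DFT-Route"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
            next
        end
    next
end
config router route-map
    edit "Only-DFT-Route"
        config rule
            edit 1
                set match-ip-address "DFT-Route"
            next
        end
    next
end

# 3. BGP: both ISP routers as neighbors, filter applied inbound, /27 announced.
config router bgp
    set as 65001
    set router-id 203.0.113.1
    config neighbor
        edit "198.51.100.1"
            set remote-as 64496
            set route-map-in "Only-DFT-Route"
        next
        edit "198.51.100.5"
            set remote-as 64496
            set route-map-in "Only-DFT-Route"
        next
    end
    config network
        edit 1
            set prefix 203.0.113.0 255.255.255.224
        next
    end
end

# 4. Local-out services: the GUI will not offer the loopback, but from the
#    CLI 'set source-ip' binds DNS and FortiGuard traffic to the public
#    address, so replies return via the advertised /27 rather than the
#    non-routed p2p addresses.
config system dns
    set source-ip 203.0.113.1
end
config system fortiguard
    set source-ip 203.0.113.1
end

# 5. Checks: is the /27 really announced, and did only the default come in?
#    get router info bgp neighbors 198.51.100.1 advertised-routes
#    get router info routing-table bgp
```

If the loopback were given a /32 instead of the /27, the network statement for 203.0.113.0/27 would have nothing in the routing table to match; in that case a static route for the /27 with "set blackhole enable" is the usual way to supply it, but whether that also explains the lost connectivity Veggie describes cannot be told from the thread alone.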
