Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mattlemon
New Contributor

PPPoE secondary IP

Hi, I have installed a 60D with an ADSL router acting in bridged mode, so I configured the 60D with the PPPoE credentials and it connects fine. However, the client previously had two IP addresses on a PIX firewall and I need to be able to use this 2nd address too. Anyone come across this before? The IP assigned by the ISP has a /32 subnet mask :( Thanks, Matt
AndreaSoliva
Contributor III

Hi

"If" the secondary IP is routed to the /32 already used by the firewall, you have two possibilities:

--> Add a virtual address to the PPPoE interface, which means over the GUI: System > Network > Interfaces > [choose your PPPoE interface] > [below in the GUI activate Secondary Address] > [enter the second IP as /32]

--> Use a static ARP entry for the secondary address, which has to be entered on the CLI:

    # config system arp-table
    # edit 1
    new entry '1' added
    # get
    id        : 1
    interface :
    ip        : 0.0.0.0
    mac       : 00:00:00:00:00:00
    # set interface [name of interface, e.g. "pppoe"]
    # set ip [IPv4 address]
    # set mac [MAC address of the pppoe interface]
    # end

In this way the device/firewall knows that the corresponding interface is responsible for the IP/subnet. The disadvantage of the ARP entry is that it has to be known that such an entry exists, because the entry itself is not visible over the GUI. This means also in a migration scenario it has to be known that this ARP entry has to be done. From this point of view most people use a Secondary Address over the GUI for such a config.

The overall thing which is important is that the ISP "has to" route the secondary IP address to your first IP address used on the PPPoE interface, or you have to route the secondary address from your router to your PPPoE interface. This can be tested in this way: you configure the stuff and afterwards you test with a ping or tracert, and at the same time you sniff on the PPPoE interface with the command:

    diagnose sniffer packet [name of interface] "host [public IP address of host you are testing]"

Have fun
Andrea
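The ping-plus-sniffer test described above produces a stream of text lines that have to be read by eye. The following added example (not code from the forum post or from Fortinet) parses sniffer output of the form `diagnose sniffer packet pppoe "host <ip>" 4` and reports, per secondary address, whether echo requests arrived inbound on the PPPoE interface (the ISP is routing the address to the session) and whether echo replies left again (the FortiGate is answering for it). The sample capture, the interface name `pppoe`, and the addresses 198.51.100.0/24 and 203.0.113.10 are constructed for the example; the line layout assumes the verbosity-4 format (`<timestamp> <interface> <in|out> <src> -> <dst>: <protocol detail>`).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample output (not a real capture) of:
#   diagnose sniffer packet pppoe "host 203.0.113.10" 4
# Verbosity 4 is assumed to print interface name and direction on each line.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[pppoe]
filters=[host 203.0.113.10]
2.183246 pppoe in 203.0.113.10 -> 198.51.100.20: icmp: echo request
2.183300 pppoe out 198.51.100.20 -> 203.0.113.10: icmp: echo reply
3.184012 pppoe in 203.0.113.10 -> 198.51.100.21: icmp: echo request
4.185500 pppoe in 203.0.113.10 -> 198.51.100.21: icmp: echo request
5.001000 pppoe in 203.0.113.10.51522 -> 198.51.100.20.443: syn 1234567
"""

# One packet line; TCP/UDP lines carry ".port" after each address, ICMP lines do not.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:\s+(?P<proto>.*)$"
)


@dataclass
class Packet:
    ts: float
    iface: str
    direction: str
    src: str
    dst: str
    proto: str


def parse_sniffer(text: str) -> List[Packet]:
    """Turn sniffer output into Packet records; header lines such as
    'interfaces=[...]' do not match the regex and are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(Packet(float(m["ts"]), m["iface"], m["dir"],
                                  m["src"], m["dst"], m["proto"]))
    return packets


def check_secondary_ip(packets: List[Packet], iface: str, secondary_ip: str) -> Dict[str, object]:
    """Verdict for one secondary address from a ping test run from outside:
    inbound echo requests prove the ISP routes the address to the PPPoE session,
    outbound echo replies prove the FortiGate owns and answers for it."""
    requests = [p for p in packets if p.iface == iface and p.direction == "in"
                and p.dst == secondary_ip and "echo request" in p.proto]
    replies = [p for p in packets if p.iface == iface and p.direction == "out"
               and p.src == secondary_ip and "echo reply" in p.proto]
    if not requests:
        verdict = "no inbound packets: ISP/router is not routing this address to the PPPoE interface"
    elif not replies:
        verdict = ("inbound seen but no reply: secondary address or ARP entry missing "
                   "on the interface, or ping not allowed on it")
    else:
        verdict = "ok: address routed to the PPPoE interface and answered by the FortiGate"
    return {"ip": secondary_ip, "requests": len(requests),
            "replies": len(replies), "verdict": verdict}


def report(text: str, iface: str, secondary_ips: List[str]) -> List[Dict[str, object]]:
    packets = parse_sniffer(text)
    return [check_secondary_ip(packets, iface, ip) for ip in secondary_ips]


if __name__ == "__main__":
    for row in report(SAMPLE_SNIFFER_OUTPUT, "pppoe",
                      ["198.51.100.20", "198.51.100.21", "198.51.100.22"]):
        print(f'{row["ip"]}: req={row["requests"]} rep={row["replies"]} -> {row["verdict"]}')
```

In the constructed sample, .20 is routed and answered, .21 arrives but is never answered (the situation the thread is about: the ISP routes it but the FortiGate does not yet own it), and .22 never shows up at all (nothing to fix on the firewall until the ISP or the bridged modem routes it). Paste real sniffer output into `SAMPLE_SNIFFER_OUTPUT` or feed it to `report()` to run the same check on a live box.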
ede_pfau
SuperUser

@Andrea: why would the FGT NOT respond to ARP requests for the secondary address without the manual entry in the ARP table? I don't use secondary addresses often, but if I do they are served just like primary addresses.
Ede Kernel panic: Aiee, killing interrupt handler!
Dave_Hall
Honored Contributor

Under 4.0 MR3 (and I assume 5.0 as well) you lose the secondary IP option once the interface is configured for a PPPoE connection (it just doesn't show up, even if you use "full-configuration"). The closest option to setting an IP on the interface (PPPoE mode) is the "ipunnumbered" option. Never used it myself, nor able to test that option. I think we need more information here; like, are both static IPs from two different subnets with default gateways? Are these IPs routable on the Internet or NATed through the ISP? You may have better luck going to the DSL modem to see if there are options for setting up a block of unnumbered IPs (see attached pic as an example). But the next question I have is how that info is relayed to the FortiGate.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
AndreaSoliva
Contributor III

Hi

Regarding the question: "why would the FGT NOT respond to ARP requests for the secondary address without the manual entry in the ARP table?"

I think we have a misunderstanding here. A secondary address on a main interface does not, under normal circumstances, have a separate MAC, meaning ARP entry. This is the reason why it works.

Example: If you have an interface with IP 192.168.1.1/32, this IP takes the MAC of the main interface, like 00:00:00:AA. If you now configure on the same interface a secondary address like 10.10.10.1/23, the secondary address is also listening on the MAC from the main interface, like 00:00:00:AA. This means if in this segment an ARP request "who is" is launched, the reply "I am" will be launched from the main interface regarding the secondary address with MAC 00:00:00:AA. If you do a manual ARP entry you do the same, meaning IP 10.10.10.1/23 for MAC 00:00:00:AA. Both function in the same way; the only difference is that the secondary is listening on a virtual interface.

The best way to explain is if you look at Linux. The main interface is eth0:0. If you use a secondary address on eth0:0 it will at least be represented as eth0:1. If you do a manual ARP entry on Linux, eth0:1 does not exist because the config is done in the static ARP table. This is the reason I explained the advantage and disadvantage of static ARP and secondary, meaning the secondary you see on the GUI and on Linux in the name of the interface. If you do a static ARP you do not see it except in the ARP table as a static ARP entry, which will also still exist if you flush the ARP table.

Hope this answers your question.

Have fun
Andrea
ede_pfau
SuperUser

Call me dumb, but I still haven't grasped the difference fully... Both ways, the FGT will reply to ARP requests with the physical interface's MAC address. Even if you flush the ARP table, for both methods. The only difference I can spot is that I would be able to configure a different MAC address with a static ARP table entry. Why would I do that, would it work for traffic... maybe I'll get it later. Thanks for the time anyway.
Ede Kernel panic: Aiee, killing interrupt handler!