landonious
New Contributor III

Proper way to setup multiple public ip addresses with multiple web servers

Hello. We have 3 public IP addresses and 2 web servers. I would like both to be behind the FortiGate, but I want to make sure I set it up properly. From what I understand, I am not supposed to use both WAN interfaces and instead I am supposed to assign multiple IP addresses to one interface. If it matters, one of our IP addresses is on one subnet and the other two IP addresses are on a separate subnet. Ideally, the two web servers would use the single IP address and one of the other two. The only reason is that the DNS records already point to these two and I don't want to change them if I don't have to. But if it's easier or better to use the two IP addresses that are on the same subnet, I can update everything as needed. I will still be using the same FortiGate and internet connection for all the devices on the network as well. What all do I need to do to set this up properly? Let's say the following:

 

Public IP address info:

Static IP 123.45.25.105
Gateway 123.45.25.254
Subnet Mask 255.255.255.0

 

Static IP 123.45.24.122
Gateway 123.45.24.254
Subnet Mask 255.255.255.0

 

Static IP 123.45.24.123
Gateway 123.45.24.254
Subnet Mask 255.255.255.0

 

Sales Server 192.168.0.88 (only needs ports 80, 443, 8443) (ideally using public IP 123.45.25.105)

CentOS Server 192.168.1.75 (needs pretty much all ports) (ideally using public IP 123.45.24.122)

 

The CentOS server sends mail, so it MUST use the same IP address for outgoing connections. I suppose I could add all the IP addresses to the SPF record if absolutely necessary. But I would prefer to keep it all to one public IP address.

 

As far as every other device on the network, ideally I would like all traffic for that to use the third unused IP address, but I don't overly care about that part if it's a problem.

1 Solution
pminarik
Staff

I would suggest the following as a start, then you can tweak further.

Decide what will be the "generic" IP that your local clients will use to connect to the internet (including the FortiGate itself). Use that as the IP address of the WAN interface.

 

Sales server: Use the public IP in a VIP object to create the 123.45.25.105->192.168.0.88 mapping. Apply further restrictions as needed.

 

CentOS mail server: Use the public IP in a VIP object to create the 123.45.24.122->192.168.1.75 mapping. In this case, consider not configuring any port translation; let it be a simple IP->IP mapping. The benefit of this is that it will automatically SNAT the server's outbound traffic to the external IP of the VIP, as long as this outbound policy has SNAT enabled. (This "automatic SNAT to the VIP's IP" is a special scenario.)

 

Don't forget to use these VIPs in firewall policies (as destination address object), this is what "enables" them.

 

sample configuration: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configurati...

[ corrections always welcome ]
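The design above, written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet's documentation. It assumes the WAN port is "wan1" and already carries the spare address 123.45.24.123/24 with default gateway 123.45.24.254, that the LAN side is a single interface named "internal" (the thread's own LAN side is _default.fortilink), and that central NAT is off (the default). All object names are invented; the addresses are the ones from the question.

```fortios
# Added example (not from the thread or Fortinet docs). Assumes wan1 already
# has 123.45.24.123/24 and a default route via 123.45.24.254, LAN interface
# is "internal", central NAT is disabled. Object names are invented.

# 1. Custom service for the third sales-server port (80 and 443 are built in).
config firewall service custom
    edit "TCP-8443"
        set tcp-portrange 8443
    next
end

# 2. VIP objects. Sales server: port forwarding, one VIP per exposed port.
#    123.45.25.105 is outside the wan1 subnet, so this only works if the ISP
#    routes 123.45.25.0/24 towards this link (proxy ARP alone cannot help).
config firewall vip
    edit "vip_sales_80"
        set extip 123.45.25.105
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedip "192.168.0.88"
        set mappedport 80
    next
    edit "vip_sales_443"
        set extip 123.45.25.105
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "192.168.0.88"
        set mappedport 443
    next
    edit "vip_sales_8443"
        set extip 123.45.25.105
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 8443
        set mappedip "192.168.0.88"
        set mappedport 8443
    next
    # CentOS mail server: plain 1:1 static NAT, no port translation.
    edit "vip_centos_static"
        set extip 123.45.24.122
        set extintf "wan1"
        set mappedip "192.168.1.75"
    next
end
config firewall vipgrp
    edit "vipgrp_sales"
        set interface "wan1"
        set member "vip_sales_80" "vip_sales_443" "vip_sales_8443"
    next
end

# 3. Policies. A VIP does nothing until it is the dstaddr of a policy.
config firewall policy
    edit 0
        set name "wan_to_sales"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vipgrp_sales"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "TCP-8443"
    next
    edit 0
        set name "wan_to_centos"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip_centos_static"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # Outbound: with "nat enable" and no IP pool, 192.168.1.75 is SNATed to
    # 123.45.24.122 (its static VIP); every other host gets the wan1 address.
    edit 0
        set name "lan_to_internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The sales server gets port-forwarding VIPs so that only 80, 443 and 8443 are ever translated, and the policy's service list repeats that restriction. The mail server gets a static-NAT VIP with no port forwarding precisely so that the automatic SNAT described above applies; if an IP pool were added to the outbound policy, the pool address would win and mail would leave from the wrong IP.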

landonious
New Contributor III

So, to clarify, I do NOT add the additional IP addresses as secondary IP addresses on the WAN interface?

ebilcari

It's not necessary to configure it as a secondary IP; the FGT will respond to ARP requests for the IP that is configured as a VIP. You can get more info in this article or in the admin guide.

Regarding the first IP that is outside of the main subnet (123.45.25.105), it will not work with a simple VIP, unless these subnets are from the same ISP and it has static/dynamic routing to find this subnet through 123.45.24.122 as next-hop or another point-to-point interface.

- Emirjon
landonious
New Contributor III

So I was hoping to use the 25.105 as the main IP address for the WAN and the 24.122 and 24.123 as the two server IPs...but as you stated, I'm having a problem with local computers being able to access those servers when set up this way. Is there anything I can set or change on the FortiGate to get this to work? It's working correctly for computers not on the network. I can disable wifi on my phone and I can then connect to both servers just fine.

 

EDIT: Also, I do realize that is not what I originally said I wanted to do...it just seemed cleaner to do it this way.

 

2nd EDIT: Actually, it appears that I had to set a new firewall policy because it's trying to connect without going through the WAN interface. I believe I'm good and will further test and report back.

pminarik

When firewall policies are evaluated for a match, the real ingress and egress interfaces are considered. Given users on LAN-X and a server on LAN-Y, the policy with the VIP (for DNAT) for these users would need to be in the LAN-X->LAN-Y direction, despite the users superficially communicating with a "WAN IP" of the VIP.

 

(a hairpin policy for a specific-interface-bound VIP would be a sort of exception, but let's not complicate matters here :) )

[ corrections always welcome ]
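The LAN-X->LAN-Y policy described above, as an added example rather than configuration from the thread. It assumes the clients sit behind an interface named "internal" (LAN-X), the server behind "internal2" (LAN-Y), and that a static-NAT VIP object named "vip_centos_static" (123.45.24.122 -> 192.168.1.75) already exists; all names are invented.

```fortios
# Added example (not from the thread). Assumes interfaces "internal" (clients)
# and "internal2" (server) and an existing VIP "vip_centos_static" that maps
# 123.45.24.122 -> 192.168.1.75. Names are invented.

config firewall policy
    edit 0
        set name "lan_clients_to_centos_via_vip"
        # Real ingress/egress: client LAN to server LAN, not wan1.
        set srcintf "internal"
        set dstintf "internal2"
        set srcaddr "all"
        # The VIP as dstaddr is what performs the DNAT 123.45.24.122 -> .75
        # for clients that address the public IP from inside.
        set dstaddr "vip_centos_static"
        set action accept
        set schedule "always"
        set service "ALL"
        # No "set nat enable": the server replies to the client's private
        # address and routes back through the FortiGate on its own.
    next
end
```

A matching WAN->LAN policy is not consulted for this traffic because the packets never enter on wan1, which is why an inside client gets no connection until a policy in the LAN-X->LAN-Y direction carries the VIP.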
landonious
New Contributor III

So the new problem I am running into is that when I move our cPanel server from its lone internet connection (using its own router) to the FortiGate, I am unable to get any outgoing internet. I removed power from that router to release the IP address, changed the network settings on the server to where I need it (192.168.0.78), which is where the VIP is pointed, plugged it into the FortiSwitch, and restarted the network service on the IP. I can ping the gateway 192.168.0.1 and my local machines can access the server using the public IP address (but not the domain name...it won't resolve), but nothing outside the network can access it. Which to me seems like a firewall issue, but I have a policy from wan1->_default.fortilink allowing all services to the cPanel VIP. But since I cannot ping anything other than the FortiGate (I did not try pinging other machines before I switched it back, but could not ping even Google DNS servers by IP), I'm thinking there is some other issue. Could it be a static route issue since it's trying to use the 24.122 IP address but the main IP is the 25.105? I'm at a loss on this one. I'm sure I've done something wrong and I'm just missing it.

ebilcari

If the server is reachable from the public IP but not by the domain, that is clearly a DNS issue. Make sure that the local hosts (maybe using local DNS) can resolve the domain to the public IP. Also update the global DNS entries to use the new public IP you have used as VIP. A simple ping or nslookup from the end host to the server domain can give you more insight on which IP it gets resolved to.

- Emirjon
landonious
New Contributor III

It's a DNS issue only because that server is unreachable (as it is also the nameserver). When I said it's not reachable by domain, that is because nothing outside of the local network can access it. The local network can access it by public and private ip address without issue, but nothing outside the local network can access it even by public ip address. And the server cannot access the internet which is why the domain won't resolve since it cannot respond to DNS requests. I am perplexed on this one.

ebilcari

Then I guess that your ISP is not routing that 2nd subnet through your network (25.x or 24.x). You can reach it only locally because the internet doesn't know how to reach that public IP; it's like an isolated island.

- Emirjon
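A way to confirm the "isolated island" diagnosis from the FortiGate itself, added here as an example and not taken from the thread. The interface name wan1 and the addresses are the thread's; run these on the FortiGate CLI while a host outside the network tries to connect to the VIP address.

```fortios
# Added example (not from the thread). Run while an outside host connects to
# the public IP. wan1 and the addresses are taken from the question.

# 1. Does any traffic for the off-subnet public IP ever reach wan1?
#    Verbosity 4 prints interface names; 20 is the packet count.
#    Nothing captured while the outside host is connecting means the packets
#    are being dropped upstream, before the FortiGate: an ISP routing problem.
diagnose sniffer packet wan1 'host 123.45.25.105' 4 20

# 2. If SYNs do arrive, follow one session through policy lookup and NAT.
#    "Denied by forward policy check" here points at a missing or wrong
#    policy, not at routing.
diagnose debug flow filter addr 123.45.25.105
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
#    ... reproduce the connection from outside, then stop tracing:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset

# 3. For the mail server: check that outbound SMTP leaves wan1 from the VIP
#    address (123.45.24.122) rather than the interface's own IP.
diagnose sniffer packet wan1 'host 123.45.24.122 and port 25' 4 10
get router info routing-table all
```

The sniffer runs before policy processing, so it separates the two possible causes cleanly: no packets for 123.45.25.105 on wan1 means the problem is outside the FortiGate, whereas packets that arrive but are dropped in the flow trace mean the problem is in the policy or VIP configuration.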