Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
landonious
New Contributor III

Proper way to setup multiple public ip addresses with multiple web servers

Hello. We have 3 public ip addresses and 2 web servers. I would like both to be behind the FortiGate but I want to make sure I set it up properly. From what I understand, I am not supposed to use both WAN interfaces and instead I am supposed to assign multiple ip addresses to one interface. If it matters, one of our ip addresses is on one subnet and the other two ip addresses are on a separate subnet. Ideally, the two webservers would use the single ip address and one of the other two. The only reason is that the dns records already point to these two and i don't want to change them if i don't have to. But if it's easier or better to use the two ip addresses that are on the same subnet, I can update everything as needed. I will still be using the same Fortigate and internet connection for all the devices on the network as well. What all do I need to do to set this up properly? Let's say the following:

 

Public IP address info:

Static Ip 123.45.25.105
Gateway 123.45.25.254
Subnet Mask 255.255.255.0

 

Static Ip 123.45.24.122
Gateway 123.45.24.254
Subnet Mask 255.255.255.0

 

Static Ip 123.45.24.123
Gateway 123.45.24.254
Subnet Mask 255.255.255.0

 

Sales Server 192.168.0.88 (only needs ports 80, 443, 8443) (ideally using public ip 123.45.25.105)

CentOS Server 192.168.1.75 (needs pretty much all ports) (ideally using public ip 123.45.24.122)

 

The CentOS server sends mail so it MUST use the same ip address for outgoing connections. I suppose I could add all the ip addresses to the spf record if absolutely necessary. But I would prefer to keep it all to one public ip address.

 

As far as every other device on the network, ideally I would like all traffic for that to use the third unused ip address, but I don't overly care about that part if it's a problem.

1 Solution
pminarik
Staff
Staff

I would suggest the following as a start, then you can tweak further.

Decide what will be the "generic" IP that your local clients will use to connect to the internet (including the FortiGate itself). Use that as the IP address of the WAN interface.

 

Sales server: Use the public IP in a VIP object to create the 123.45.25.105->192.168.0.88 mapping. Apply further restrictions as needed.

 

CentOS mail server: Use the public IP in a VIP object to create the 123.45.24.122->192.168.1.75. In this case, consider not configuring any port translation, let it be a simple IP->IP mapping. The benefit of this is that it will automatically SNAT the server's outbound traffic to the external IP of the VIP as long as this outbound policy has SNAT enabled. (this "automatic SNAT to the VIP's IP" is a special scenario)

 

Don't forget to use these VIPs in firewall policies (as destination address object), this is what "enables" them.

 

sample configuration: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configurati...

[ corrections always welcome ]

View solution in original post

19 REPLIES 19
pminarik
Staff
Staff

I would suggest the following as a start, then you can tweak further.

Decide what will be the "generic" IP that your local clients will use to connect to the internet (including the FortiGate itself). Use that as the IP address of the WAN interface.

 

Sales server: Use the public IP in a VIP object to create the 123.45.25.105->192.168.0.88 mapping. Apply further restrictions as needed.

 

CentOS mail server: Use the public IP in a VIP object to create the 123.45.24.122->192.168.1.75. In this case, consider not configuring any port translation, let it be a simple IP->IP mapping. The benefit of this is that it will automatically SNAT the server's outbound traffic to the external IP of the VIP as long as this outbound policy has SNAT enabled. (this "automatic SNAT to the VIP's IP" is a special scenario)

 

Don't forget to use these VIPs in firewall policies (as destination address object), this is what "enables" them.

 

sample configuration: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configurati...

[ corrections always welcome ]
landonious
New Contributor III

So, to clarify, I do NOT add the the additional IP addresses as secondary IP addresses on the WAN interface?

ebilcari

It's not necessary to configure it as a secondary IP, FGT will respond to ARP requests for the IP that is configured as VIP, you can get more info on this article or in the admin guide.

Regarding the first IP that is outside of the main subnet (123.45.25.105) it will not work with a simple VIP, unless these subnets are from the same ISP and it has static/dynamic routing to find this subnet through 123.45.24.122 as next-hop or another point-to-point interface.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
landonious
New Contributor III

So I was hoping to use the 25.105 as the main IP address for the WAN and the 24.122 and 24.123 as the two server IPs...but as you stated I'm having a problem with local computers being able to access those servers when setup this way. Is there anything I can set or change on FortiGate to get this to work? It's working correctly for computers not on the network. I can disable wifi on my phone and I can then connect to both servers just fine.

 

EDIT: Also, I do realize that is not what I originally said I wanted to do...it just seemed cleaner to do it this way.

 

2nd EDIT: Actually, it appears that I had to set a new firewall policy because it's trying to connect without going through the WAN interface. I believe I'm good and will further test and report back.

pminarik

When firewall policies are evaluated for a match, the real ingress and egress interfaces are considered. Given users on LAN-X and server on LAN-Y, the policy with the VIP(for DNAT) for these users would need to be in the LAN-X->LAN-Y direction, despite the users superficially communicating with a "WAN IP" of the VIP.

 

(a hairpin policy for a specific-interface-bound VIP would be a sort of exception, but let's not complicate matters here :) )

[ corrections always welcome ]
landonious
New Contributor III

So the new problem I am running into is that when I move our cPanel server from it's lone internet connection (using it's own router) to the FortiGate I am unable to get any outgoing internet. I removed power from that router to release the IP address, changed the network settings on the server to where I need it (192.168.0.78) which is where the VIP is pointed, plugged it into the FortiSwitch, restarted the network service on the IP. I can ping the gateway 192.168.0.1 and my local machines can access the server using the public IP address (but not the domain name...it won't resolve), but nothing outside the network can access it. Which to me seems like a firewall issue, but I have a policy from wan1->_default.fortilink allowing all services to the cPanel VIP. But since I cannot ping anything other than the fortigate (I did not try pinging other machines before I switched it back but could not ping even google DNS servers by IP), i'm thinking there is some other issue. Could it be a static route issue since it's trying to use the 24.122 IP address but the main IP is the 25.105? I'm at a loss on this one. I'm sure I've done something wrong and I'm just missing it.

ebilcari

If the server is reachable from the public IP but not by the domain that is clearly a DNS issue. Make sure that the local hosts (maybe using local DNS) can resolve the domain to the public IP. Also update the global DNS entries to use the new public IP you have used as VIP. A simple ping or nslookup from the end host to the server domain can give you more insight on which IP it get resolved.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
landonious
New Contributor III

It's a DNS issue only because that server is unreachable (as it is also the nameserver). When I said it's not reachable by domain, that is because nothing outside of the local network can access it. The local network can access it by public and private ip address without issue, but nothing outside the local network can access it even by public ip address. And the server cannot access the internet which is why the domain won't resolve since it cannot respond to DNS requests. I am perplexed on this one.

ebilcari

Than I guess that your ISP is not routing that 2nd subnet through your network (25.x or 24.x). You can reach it only locally because the internet doesn't know how to reach that public IP, is like an isolated island.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Top Kudoed Authors