Using a BGP-advertised prefix IP without a physical interface.
Our setup is such that we're trying to get our FG1101E to act as both router and firewall with BGP routing.
We have our ISP provided single fiber uplink at 10gbps (SFP+) which has a defined Point to Point IP /29 IP address that's used to peer with a BGP neighbour.
The BGP side of things appears to work ok, with our prefix for public IPs being advertised to and received by our ISP, and they are sending a default route to us.
What we're trying to achieve is to be able to egress to the web using an IP on the advertised prefix, these are public IPs assigned to us as an organisation.
We're able to use them in the context of an outbound rule; for this to work we have to create an IP Pool overload object and use that in the rule, which shows to the world we're coming from an IP we own.
If we don't do that, then our IP is shown as the BGP peer IP.
We are trying to get to a place where we can use some sort of virtual interface with an IP from our prefix loaded on it that can be used in policies and other objects.
We've tried with an IP from our assigned public prefix range:
- a VLAN-based interface assigned to a non-tagged VLAN (just to get it up)
- tried an EMAC VLAN,
- tried loopback addresses
- using a different VRF and trying a variation of the above.
I've looked at multiple documents and other pages with no obvious solution.
one example - https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/184807/defining-a-preferred-...
https://community.fortinet.com/t5/Support-Forum/How-to-change-outgoing-IP-address/m-p/36923?m=128453...
Is it even possible, or do I bite the bullet and get a router between the Fortigate and ISP?
Can you please elaborate on what you are trying to achieve?
You just want to advertise a prefix via BGP and not configure it on an interface? You can achieve that by doing a static route with the nexthop Blackhole and advertising it via the network command to the BGP peer.
You can use any IP from that prefix for anything, DNAT/SNAT as long as the peer accepts it and advertises it further in the Internet.
I need to use an IP on a WAN interface that's in a prefix I'm advertising to the peer. I only have one physical WAN interface.
WAN_BGP is on VL200 between my ISP and my FG; the point-to-point subnet is x.x.x.101 --> x.x.x.100 /31.
- BGP advertised prefix is y.y.y.136/29
- Default route 0.0.0.0/0 --> x.x.x.100 is received from the BGP neighbour.
I need the WAN interface to have IP y.y.y.137/29 so I can use it in rules, VIP objects, VPN profiles, etc.
Currently, when I test the internet egress path, my external IP appears as x.x.x.101, but I need it to appear as y.y.y.137/29 (which are our public IPs). I would expect it to then hop to x.x.x.100.
Created on 01-13-2025 10:54 AM Edited on 01-13-2025 10:55 AM
You can use it as I mentioned and/or as secondary IP on the interface.
In order for a prefix to be advertised into BGP it needs to be in the routing table, either configured directly or with a static route (blackhole).
That shouldn't be your objective but a solution you're thinking of. Do you want to use them for specific services or internal devices? Then you can use VIP (inbound) + SNAT (outbound) w/ ippool. With this, you don't have to assign them to any interfaces.
Toshi
Mixture of both, some IPs are used on VIPs, some are used to push different networks out on different public IPs (we have a few other subnets that will be migrated at a later stage).
We're in the education sector, so many purchased services are pinned to certain public IPs we have, and we do use IP Pools for those, but invariably we egress internal users via a dedicated IP in our allotted prefix. Guest Wi-Fi networks go via other subnets we have, as an example; we do this if those IPs' respective reputations become compromised from student shenanigans.
None of those requires the public IPs to be bound to interfaces. Everything is in VIP/ippool and policies.
Toshi
So as it happens, the Central SNAT feature has made this process more manageable, so I've created a rule to NAT out via my assigned public IPs in the Central SNAT page, LAN->WAN NATting with y.y.y.138/29.
I already had reciprocal firewall policies to permit this traffic to the internet using these interfaces, so I believe this mimics using an IP Pool against a firewall rule (the traditional policy way), which I can live with in this context.
On testing with a client I can confirm it's egressing with the correct IP.
When I tried with explicit proxy it was using the wrong IP again, but I downgraded from 7.6 to 7.4 firmware and it then honoured what I configured in the explicit proxy GUI settings.
I didn't need it as a secondary IP on the WAN interface to my ISP.
I did create a blackhole route in the static routing table though.
So usage in this context is to either switch on Central SNAT and create a NAT rule dictating what public IP to egress on, or just use an IP Pool if you don't want to enable that feature.
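The two pieces the thread converges on (a blackhole static route so the /29 exists in the routing table and can be advertised with the BGP network command, plus an IP pool consumed either by a policy or by a Central SNAT rule) as one added FortiOS CLI example. This is not configuration from the original posts; the addresses are constructed RFC 5737 documentation values standing in for x.x.x.100/31 and y.y.y.136/29, and the AS numbers, interface names and address-object names are assumptions.

```fortios
# Blackhole the whole /29 so it sits in the routing table (and so BGP can
# originate it). Traffic to unused addresses in the block is dropped here
# instead of following the ISP default route back out and looping.
config router static
    edit 10
        set dst 203.0.113.136 255.255.255.248
        set blackhole enable
    next
end

# Originate the prefix to the ISP peer on the /31 point-to-point link.
config router bgp
    set as 64512
    config neighbor
        edit "198.51.100.100"
            set remote-as 64513
        next
    end
    config network
        edit 1
            set prefix 203.0.113.136 255.255.255.248
        next
    end
end

# Overload pool holding the single public egress address (y.y.y.138 in the thread).
config firewall ippool
    edit "egress-pool"
        set type overload
        set startip 203.0.113.138
        set endip 203.0.113.138
    next
end

# Option A (traditional): NAT inside the policy itself.
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "internal-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "egress-pool"
    next
end

# Option B: Central SNAT; the policy above then needs no NAT settings.
config system settings
    set central-nat enable
end
config firewall central-snat-map
    edit 1
        set srcintf "lan"
        set dstintf "wan"
        set orig-addr "internal-net"
        set dst-addr "all"
        set nat enable
        set nat-ippool "egress-pool"
    next
end
```

Verify with `get router info routing-table all` (the /29 should show as a blackhole route) and `get router info bgp network` before testing egress from a client.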
The secondary IP is optional, if you want to establish IPsec tunnel using an IP from that prefix and not the one directly assigned and used for the BGP peering.
