Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: Using FortiGate as an ISP
Options
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Using FortiGate as an ISP
Hi all,
A client received a /22 subnet of external IP addresses from the main ISP and they would like to offer their own customers internet access via /30 subnets. (out of the same /22 subnet)
I' m trying to get an idea how to configure this on the FortiGate.
VDOMs ?
Perhaps create a VLAN for each customer with a /30 mask?
Any help is highly appreciated.
Thanks in advance.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Hi
easy to to which means:
You have a Router which has the interface confgured out of /22 example .1/22
Create a VDOM-Transparent and add to outside world a interface which physically connects to the router' s ip .1. The Interface on Transparent Mode site does not have a IP which means Bridge Mode.
Create a VDOM NAT and connect the NAT VDOM to the Transparent VDOM by interVDOM link. The Interface within the InterVDOM link which connects the Transparent VDOM does not have a IP (Transparent or/and Bridge Mode). The Interface within the InterVDOM link connecting the NAT VDOM does have a IP out of /22 with the Subnet /22. If you need another IP on this Interface add a Secodnary IP out of /22 with Subnet /22.
At least add to the VDOM NAT a internal physical Interface which connects the lan.
Thats it which means actually Request from Internal and visa verse is going:
--> From internal LAN to VDOM NAT over pbulic IP /22 over the interVDOM link to the Transparent InterVDOM link through the Transparent VDOM to the ouside physical interface of Transparent VDOM through this link to the router .1/22.
If you need another VDOM do the same with another NAT VDOM using another /22 IP etc. etc. etc. etc.
Works out of the box like a charm and is often used by hosters.
hope this helps
have fun
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
AndreaSolivaWhat about trunk interface. If I use this as a Access interface ok, but in my case, I have many valid Ip and my interface (Wan used in transparent vdom) is trunk.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Or just get a L3 switch or router like everybody else :)
Why put a /22 of ip-traffic and try to manage the access via a firewall? Are the customer paying for security via firewall? I never heard of a ISP doing this & with a firewall ( been working in the SP arena for over 15years and currently work in a SP arena as a consultant )
Keep in mind, how many /30 do you need and how many interfaces , # of vdoms , and the #s of vlans could be a limiting factor & based on the hardware. I would recommend you review the specification matrix to look at this and the pure number of sessions.
Andrea, I would like to see a topology drawing of what your proposing to ensure a clear view. Can you draft that and post it here ?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Using the transparent VDOM is the only current way to have multiple other VDOMs share a single IP subnet without any workarounds on the upstream switch/router. Until recently (scarcity of public IP space) I would have gone for each VDOM having its own /30, either on a VLAN interface to an appropriate L3 switch or a dedicated interface if needed. Unfortunately, this means that you end up using 4 IPs for each customer. With the transparent VDOM approach each VDOM only needs 1 IP from the shared pool on its VDOM link interface, using a single network, broadcast and router IP for the entire lot. You could split this up into smaller subnets but the same principle applies.
If you have a /22 and don' t foresee running out of IPs very soon, the /30 approach is much ' nicer' but you use up IPs much faster.
Depending on the hardware you' re using, going for the transparent VDOM approach may also lose you a lot of the ASIC acceleration when using VDOM links for the WAN side of each remaining vdom. You also lose one VDOM ' license' which may be an issue if you' re planning to use multiple low/mid range devices as opposed to a larger device with more than 10 VDOMs available.
Basically, if you can afford to waste a few IPs - go for individual /30s as VLAN interfaces connected to a decent L3 switch. It' s much cleaner, uses less ports, is easier to troubleshoot and is likely to behave in exactly the way you anticipate it to work. If this is a problem, you' re going to need to make some sacrifices in either performance or complexity (or both).
One last option is to use the same /22 but a different IP for each VDOM wan link and to use one of:
1. Physical interfaces for each VDOM connected to the same L2 broadcast domain (VLAN) - uses up switch and firewall ports pretty quickly. Does at least guarantee each customer the full port speed for their VDOM though.
2. Some form of VLAN translation to bridge VLANs together on the L3 switch - messy config and prone to troubleshooting problems and isn' t even an option on many switches. Could potentially be an issue for cross customer traffic depending on the switch' s forwarding logic.
3. Use an intermediary switch between the router and the Fortigate which allows multiple untagged VLANs on the port connected to the gateway router - also messy and could potentially be an issue for cross customer traffic depending on the switch' s forwarding logic.
As a last resort, bug Fortinet or your Fortinet partner to push for a new feature request to allow multiple VDOMs to share a single broadcast domain (physical interface or VLAN) without having to use a dedicated VDOM for this purpose. I' ve tried to no avail but with enough interest it may get pushed up the priority list.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Hi
this what is Adrian writting is true this means it depends on the implementation what has to be addtional implemented like broadcast domain etc. This means this implementation -as mentioned in my email- is " very" often used by ISP and Hoster to connect customers to there env. based on citrix. This means on the client site/location we have a FGT connecting to the main gateway over VPN. On client site we only have thin clients nothing else. Each customer receives such a NAT VDOM connected over Inter-VDOM link to the transparent fiewall. In the back which means in the local lan they have there own subnet with all stuff like ldap etc. (no need for forward domain config). Of course this is based on service and very granular and transparent also to be conf by special implementations needed on the customer site etc. If you go such a way and you plan for multiple implementation you need at least a FG-1000 (better a FG-1500) because only with 1000 and above you can buy addtional packages for VDOM' s. Again every implemetation have to be looked clearly if it makes sense or not. Only to split a /22 I would never do this. I would only do such implementation if the seperate firewall is needed based on service like described here.
hope this helps
have fun
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
AndreaSoliva
Can you provide a resource for this type of configuration? I' m curious how to include this in my hosted environment.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
A followup, we never seen the big design topology of how you would fit a /22 worth of space into a fortigate for individual customers, but I wanted to point out that /31s would waste less space and double the counts vrs a /30.
Fortigates, support /31 ( 255.255.255.254 ) mask, but not as secondarys ip_address.
Still the pure numbers of; interfaces ( real or virtual ), vdom, vlans and even secondaries ( your still limited to 32 per interface iirc ) would be a big limiting factor in this approach and it would not scale very well.
Just keep all of this in mind, when designing this approach the complexity & potential problems it could create.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Log event when a WAN fails 64 Views
- Wrong login behaviour Fortigate 7.4.4 and... 67 Views
- issue for HA fG remote 47 Views
- U231F access point - aggregated bandwidth... 63 Views
- Document for PCI-DSS (v4) requirement 5.2.3 77 Views
Labels
-
FortiGate
8,382 -
FortiClient
1,694 -
5.2
801 -
FortiManager
709 -
5.4
639 -
FortiAnalyzer
538 -
FortiSwitch
454 -
FortiAP
450 -
6.0
416 -
FortiClient EMS
397 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
208 -
5.0
196 -
FortiWeb
195 -
IPsec
179 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
107 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
82 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
68 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
52 -
High Availability
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
Authentication
30 -
NAT
30 -
SSO
29 -
FortiConnect
27 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1640 | |
| 1066 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.