s_inderjit
New Contributor

Virtual IP and BGP routing

Hi

I have a WAN connection from my ISP on a /30 network and we have our own /29 subnet. I have divided the /29 subnet into two networks. One is used to connect a physical device and the second network's IPs are used as virtual IPs bound to the WAN interface, from where they NAT to the DMZ.

My question is: how can I advertise my /29 subnet to my ISP when I don't have anything physically connected on my second network (all host IPs are used as virtual IPs)?

Hope someone will be able to help me?

Regards

MikePruett
Valued Contributor

Do you have BGP configured at all at this point? Is it accepting and sending any routes?

Do you have a drawing of what you are trying to do, and what is where (VIPs, /29s, etc.)?

With BGP you can redistribute connected, statics, etc., so you have some options on how you want to approach it.

Mike Pruett Fortinet GURU | Fortinet Training Videos
orrsjo

Hello,

I have the same problem.

BGP is working as long as I advertise interfaces with hosts directly connected to them. But when I set up a virtual IP for that IP, it won't advertise the network containing that virtual IP. (That network is not used for anything more than acting as a pool of virtual IPs.)

How can this be solved?

Benoit_Rech_FTNT

Hello,

By default, BGP checks that the networks you announce are in the routing table.

So, you can either:

* enter a static route for this network in the routing table,

or

* under 'config router bgp', set network-import-check disable

Best regards

Benoit

orrsjo

OK, thanks, it worked fine disabling the network-import-check. :)

spaulis
New Contributor

Hi Guys,

Maybe you can help me out. I have a similar setup and I am aware of the BGP necessity to have the network in the routing table. I've done that with a static route to blackhole my subnet.

My issue is with the reachability of the VIPs. I can't seem to reach my VIP; I do see traffic in the firewall, but it is hitting the local-in policy and is denied.

I don't have an interface using any address of that public range and all is within one VDOM. What am I overlooking?

Thanks in advance.

orrsjo
New Contributor

Do you have the VIP-object as destination address in the access policy?

NAT needs to be enabled as well.

When I set this up I didn't use a blackhole at all. Advertising VIPs worked fine even if those IPs did not exist on any interface, as long as I had disabled network-import-check.
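As an added example, not posted by anyone in this thread and not an official Fortinet configuration: a FortiOS CLI sketch that ties together Benoit's two options (a blackhole static route so the prefix is in the routing table, or network-import-check disabled) with the VIP and inbound policy orrsjo describes. All addresses are RFC 5737 documentation ranges chosen here as placeholders, and the interface names "wan1" and "dmz", the AS numbers and the object names are assumptions; substitute your own. The policy leaves the NAT setting at its default, since the thread does not settle that point.

```fortios
# Added example (not from the thread). Placeholders: 203.0.113.0/29 is the
# owned block, 198.51.100.0/30 the ISP link, 10.10.10.20 a DMZ host.

# Option 1: blackhole static route for the /29. The VIPs are matched (DNAT)
# before the routing lookup, so only packets to unused hosts in the block
# are dropped; the route's purpose is to satisfy BGP's import check.
config router static
    edit 10
        set dst 203.0.113.0 255.255.255.248
        set blackhole enable
        set comment "owned /29 used as VIP pool - satisfies BGP network check"
    next
end

# Advertise the /29 to the ISP. With the route above present, the default
# network-import-check passes and the prefix is announced.
config router bgp
    set as 64512
    set router-id 198.51.100.2
    config neighbor
        edit "198.51.100.1"
            set remote-as 64496
        next
    end
    config network
        edit 1
            set prefix 203.0.113.0 255.255.255.248
        next
    end
end

# Option 2 (instead of the blackhole route): stop BGP from requiring the
# announced prefix to be present in the routing table.
config router bgp
    set network-import-check disable
end

# One VIP from the pool, bound to the WAN interface, mapped to a DMZ server.
config firewall vip
    edit "vip-web-1"
        set extip 203.0.113.2
        set extintf "wan1"
        set mappedip "10.10.10.20"
    next
end

# Inbound policy: the VIP object itself must be the destination address,
# otherwise the packet never matches a forwarding policy.
config firewall policy
    edit 100
        set name "inbound-to-web-1"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-web-1"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

Use either option 1 or option 2, not both; after applying, `get router info bgp network` shows whether the /29 is in the local BGP table, and `diagnose sniffer packet wan1 'host 203.0.113.2'` confirms inbound traffic is arriving for the VIP before you look at policy matches.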

spaulis
New Contributor

Yes, I have the VIP as destination in my access rule.

I disabled NAT though, because the VIP is the static NAT for this address.

If all is well you can use either the Blackhole static or the network-import-check disabled.

I'll try and switch that.

Thanks for your reply.
