Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
s_inderjit
New Contributor

Created on ‎09-27-2017 10:02 PM

Virtual IP and BGP routing

Hi

I have a WAN connection from My ISP and /30 network and we have our own /29 subnet. I have divided the /29 subnet into two networks. one is used to connect  a physical device and second network's IPs are used a Virtual ips bound to WAN interface from where they NAt to dmz.

 

My question is how can I advertise my /29 subnet to my ISP when I don't have anything physically connected on my second network (all host ip are used as Virtual IP)

 

Hope someone will be able to help me ??

 

Regards

 

 

12643
0 Kudos
7 REPLIES 7
MikePruett
Valued Contributor

Created on ‎10-11-2017 08:00 PM

Do you have BGP configured at all at this point? Is it accepting and sending any routes?

Do you have a drawing of what you are trying to do? and what is where (vips, /29's, etc)

 

BGP you can redistribute connected, statics, etc so you have some options on how you want to approach it.

Mike Pruett

Fortinet GURU | Fortinet Training Videos

Mike Pruett Fortinet GURU | Fortinet Training Videos
4859
0 Kudos
orrsjo
New Contributor
In response to MikePruett

Created on ‎01-22-2018 06:01 AM

Hello,

 

I have the same problem.

BGP is working as long as I advertise interfaces with hosts directly connected to it. But when I set up a virtual IP for that IP, it won't advertise the network containing that virtual IP. (That network is not used to anything more than acting as a pool of virtual IPs.)

How can this be solved?

4859
0 Kudos
Benoit_Rech_FTNT
Staff
Staff
In response to orrsjo

Created on ‎01-22-2018 09:01 AM

Hello,

By default, BGP check that the network you announce are in the routing table.

so, you can either:

* enter a static route for this networkin the routing table,

or 

* under 'config router bgp', set the network-import-check disable

 

Best regards

Benoit

4859
0 Kudos
orrsjo
New Contributor
In response to Benoit_Rech_FTNT

Created on ‎01-23-2018 11:42 AM

Ok thanks it worked fine disabling the network-import-check. :)

4859
0 Kudos
spaulis
New Contributor
In response to orrsjo

Created on ‎09-12-2018 12:22 AM

Hi Guys,

 

Maybe you can help me out. I have a similar setup and i am aware of the bgp necessity to have the network in the routing table. I've done that with a static route to blackhole my subnet.

My issue is with the reachability of the VIPs. I can't seem to reach my VI, i do see traffic in the firewall but it is hitting the local-in-policy and is denied.

 

I don't have an interface using any address of that public range and all is within one vdom. What am i overseeing?

 

Thanks in advance.

4859
0 Kudos
orrsjo
New Contributor
In response to spaulis

Created on ‎09-12-2018 03:51 AM

Do you have the VIP-object as destination address in the access policy?

NAT need to be enabled as well.

When I set this up I didn't use a blackhole at all. Advertising VIPs worked fine even if those IPs did not exist on any interface as long as I have disabled network-import-check.

4859
0 Kudos
spaulis
New Contributor
In response to orrsjo

Created on ‎09-12-2018 04:33 AM

Yes i have the VIP as destination in my access rule.

I disabled NAT though, because the VIP is the static NAT for this address.

 

If all is well you can use either the Blackhole static or the network-import-check disabled.

I'll try and switch that.

 

Thanks for your reply.

4859
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.