Hello,
We run a Fortigate 100E running 5.4.6 and have an ISP that will only assign IPs through DHCP. They do reserve the IP so it remains static however they can only assign 1 IP per MAC address. So far I cannot find a way to make the Fortigate have multiple MAC addresses on the one interface. I thought maybe I could plug more than 1 interface in my ISP's modem but I imagine this would give me routing issues as both interfaces would be on the same subnet.
Has anyone tested a solution to this? The firewall at my old job was configured to allow us to add MAC addresses. I'd rather not put a switch between my modem and firewall and use the switch's MAC address for the 2nd IP.
Thank you for any suggestions,
Neil
Is it possible for the ISP to assign a block instead of a single IP? Which ISP is it out of curiosity?
Off the top of my head, probably the fastest way around will be to use a switch between the Fortigate and the modem. The good news is that if you use WAN LLB and define the gateway for each WAN interface as 0.0.0.0, which as of 5.4.x+ should let you configure without having the routing issue. The scenario I have this in currently is a very remote school in the Arctic with two DSL modems, both assigning IPs from the same subnet to Wan1/2 in a LLB scenario. Fully realizing that your scenario is different in that you have one modem, it should be relatively similar.
I know that this isn't what you are wanting to hear, but as you can't use DHCP with a secondary IP on the interface, this may be the option that will work if you can't get a block of IPs assigned by the ISP.
Hello Sidewaysguy,
Thanks for replying.
The ISP is TELUS and I would rather not have to put a switch in between the modem and router. I don't know how the Fortigate's policies would handle an IP that isn't assigned to one of its interfaces - it may work but I'm not sure and don't have a test network to work it out on. I was thinking that I could use a second connection and load balance them. However I can't seem to find the LLB option on my Fortigate. All documentation seems to say I should find it under the Network section but I don't seem to have it (see the attached picture). I thought the 100E was a more feature-rich model but maybe it doesn't have that ability?
I think LLB might just solve the issue.
Hi there nmackie,
No problem at all. Telus is also one of the ISPs that I deal with regularly. What type of connection are you on (e.g. VDSL, Fibre), as you may want to call your rep or sales about getting a block of multiple IPs. It should be doable, you may just need to fill out a justification form. Requesting a /29/30/31 shouldn't be too bad. There are some other options on the ISP side that may be doable, depending on which city you are in, that could provide other options while using the same infrastructure.
As for WAN LLB, you will need to go to System --> Feature Visibility and turn it on if you don't see it under the Network area.
Hope that helps some.
Cheers,
Sidewaysguy
Try WAN LLB; the feature can be enabled as per the comment above from Sidewaysguy:
System --> Feature Visibility and turn on "SD-WAN Interface" or "WAN Link Load Balancing" depending on the FortiOS version you are on.
Also use the command below to enable allow-subnet-overlap if the IPs assigned to both interfaces are from the same range, to avoid a conflict:
config system settings
    set allow-subnet-overlap enable
end
Hope this helps.
regards, San.
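Putting the two suggestions above together (WAN LLB members with a 0.0.0.0 gateway, plus allow-subnet-overlap), here is an added FortiOS 5.4-style CLI sketch; it is not configuration from any poster, and the interface names "wan1"/"wan2" and member IDs are assumptions:

```fortios
# Added example, not from the thread. Assumes FortiOS 5.4.x, DHCP on
# both WAN ports, and that WAN LLB is visible under Feature Visibility.

# Let both WAN members hold addresses from the same ISP subnet.
config system settings
    set allow-subnet-overlap enable
end

# Both WAN ports obtain their (reserved) address from the ISP via DHCP.
config system interface
    edit "wan1"
        set mode dhcp
    next
    edit "wan2"
        set mode dhcp
    next
end

# WAN LLB (virtual-wan-link in 5.4): gateway 0.0.0.0 on each member
# lets the DHCP-learned gateway be used rather than a fixed next hop.
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 0.0.0.0
        next
        edit 2
            set interface "wan2"
            set gateway 0.0.0.0
        next
    end
end
```

Firewall policies must then reference the virtual WAN link as the outgoing interface rather than wan1/wan2 individually; verify the learned routes with `get router info routing-table all` before relying on it.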
Hello,
Thank you both for the replies. I've got the LLB feature visible now and will report back once I get this internet connection installed. It is a fibre connection, Sidewaysguy.
Neil
Hey Neil,
If it is Telus fibre, then definitely just request a block of IPs; that will be the best way to go. Is it the Pure Fibre or regular managed fibre?
Cheers,
Jared
I've confirmed that we do have a block of IPs. Hopefully we can get the load balancing working without issue.
Oh, if you have a block of IPs then load balancing is not needed, as the block is assigned to the WAN interface. For virtual IPs, you can reference whichever IP in the block is associated with the WAN interface and it will work, as it is already aware of the other IPs in the block.
Does that help?
WAN load balancing is really only of use if you have two or more diverse paths into your firewall. One X Gbit/Mbit pipe with 10 IP addresses will still only yield the sum total bandwidth no matter how you slice things up. You can in theory over subscribe by IP, but your ISP will more than likely only let you have what you are paying for over the pipe. Server load balancing is another issue altogether.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com