We run a Fortigate 100E running 5.4.6 and have an ISP that will only assign IPs through DHCP. They do reserve the IP so it remains static; however, they can only assign 1 IP per MAC address. So far I cannot find a way to make the Fortigate have multiple MAC addresses on the one interface. I thought maybe I could plug more than 1 interface into my ISP's modem, but I imagine this would give me routing issues as both interfaces would be on the same subnet.
Has anyone tested a solution to this? The firewall at my old job was configured to allow us to add MAC addresses. I'd rather not put a switch between my modem and firewall and use the switch's MAC address for the 2nd IP.
Is it possible for the ISP to assign a block instead of a single IP? Which ISP is it out of curiosity?
Off the top of my head, probably the fastest way around will be to use a switch between the Fortigate and the modem. The good news is that if you use WAN LLB and define the gateway for each WAN interface as 0.0.0.0, as of 5.4.x+ that should let you configure it without having the routing issue. The scenario I have this in currently is a very remote school in the Arctic with two DSL modems, both assigning IPs from the same subnet to Wan1/2 in an LLB scenario. Fully realizing that your scenario is different in that you have one modem, it should be relatively similar.
I know that this isn't what you are wanting to hear, but as you can't use DHCP with a secondary IP on the interface, this may be the option that will work if you can't get a block of IPs assigned by the ISP.
The ISP is TELUS and I would rather not have to put a switch in between the modem and router. I don't know how the Fortigate's policies would handle an IP that isn't assigned to one of its interfaces - it may work, but I'm not sure and don't have a test network to work it out on. I was thinking that I could use a second connection and load balance them. However, I can't seem to find the LLB option on my Fortigate. All documentation seems to say I should find it under the Network section, but I don't seem to have it (see the attached picture). I thought the 100E was a more feature-rich model, but maybe it doesn't have that ability?
No problem at all. Telus is also one of the ISPs that I deal with regularly. What type of connection are you on (e.g. VDSL, Fibre), as you may want to call your rep or sales about getting a block of multiple IPs. It should be doable; you may just need to fill out a justification form. Requesting a /29/30/31 shouldn't be too bad. There are some other options on the ISP side that may be doable, depending on which city you are in, that could provide other options while using the same infrastructure.
As for Wan LLB, you will need to go to System --> Feature Visibility and turn it on if you don't see it under the Network area.
Oh, if you have a block of IPs then load balancing is not needed, as the block is assigned to the WAN interface. For virtual IPs, you can reference whichever IP in the block is associated with the WAN interface and it will work, as it is already aware of the other IPs in the block.
WAN load balancing is really only of use if you have two or more diverse paths into your firewall. One X Gbit/Mbit pipe with 10 IP addresses will still only yield the sum total bandwidth no matter how you slice things up. You can in theory over subscribe by IP, but your ISP will more than likely only let you have what you are paying for over the pipe. Server load balancing is another issue altogether.
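The two configurations discussed in this thread, LLB members with a 0.0.0.0 gateway and a VIP using an address from an ISP-assigned block, as an added FortiOS 5.4-style CLI example (not from any poster). Interface names, the 203.0.113.11 and 192.168.10.20 addresses and the object names are assumptions; wan1/wan2 are assumed to already be in DHCP mode.

```fortios
# Constructed example; interface names, addresses and object names are assumed.
# Expose WAN LLB in the GUI (System > Feature Visibility in the thread).
config system settings
    set gui-wan-load-balancing enable
end
# Both WAN ports lease from the same modem; gateway 0.0.0.0 on each LLB member
# makes FortiOS use the gateway learned via DHCP instead of two static routes
# colliding on one subnet.
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 0.0.0.0
        next
        edit 2
            set interface "wan2"
            set gateway 0.0.0.0
        next
    end
end
# If the ISP instead assigns a block to wan1, a VIP may use any address in it;
# 203.0.113.11 is a documentation address standing in for one such IP.
config firewall vip
    edit "vip-web"
        set extip 203.0.113.11
        set extintf "wan1"
        set portforward enable
        set extport 443
        set mappedip "192.168.10.20"
        set mappedport 443
    next
end
# Inbound policy limited to the VIP and a single service, not "all".
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```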