Hello,
We run a Fortigate 100E running 5.4.6 and have an ISP that will only assign IPs through DHCP. They do reserve the IP so it remains static; however, they can only assign 1 IP per MAC address. So far I cannot find a way to make the Fortigate have multiple MAC addresses on the one interface. I thought maybe I could plug more than 1 interface into my ISP's modem, but I imagine this would give me routing issues as both interfaces would be on the same subnet.
Has anyone tested a solution to this? The firewall at my old job was configured to allow us to add MAC addresses. I'd rather not put a switch between my modem and firewall and use the switch's MAC address for the 2nd IP.
Thank you for any suggestions,
Neil
Ran into this exact same issue as the OP with Telus Pure Fibre. The most frustrating part is it would work perfectly fine for about half a day, then start failing.
Device is an older 60C and I have a server with 2 VMs that we want to map to 2 external IPs, both responding on port 443. We did the usual VIP setup and it worked, then the next day it didn't, then it did, then it didn't and so on. That's the most frustrating part, as I was swapping out the 60C with other devices and it would work sometimes and other times not.
Wasn't until I ran debug sniffer this morning and saw all the ARP (and other) traffic regarding the 2nd IP that it became clear what the problem was.
Going to call Telus and see about getting a block of IPs assigned now, and if not will try the LLB feature. This device is running 5.2.13 due to its age and is slated for replacement in the next couple of months. Is it likely to work with LLB since it's not the 5.4.0+ that you mention, Sidewayguy?
Well, so far not so good. After running
set allow-subnet-overlap enable
and using the "static" on Wan1, I am able to get one of their temporary dynamics in a different subnet on Wan2, but as soon as I assign the "static" to the MAC address for Wan2 and reboot the 60C for good measure, it comes back up with no IP address on Wan2.
Actually, after manually assigning the "static" to Wan2 in the 60C interface settings, it all seems to be working...
For the LLB I chose source-destination based. Is there a better choice?
Scratch that: just like the last few days, it works fine for part of the day and fails again. I suspect the fact that it worked as per my above posting is likely coincidental more than anything else.
Back to the drawing board.
Though removing the IP from Wan2 and re-adding it seems to have made the connection happy again,
diag sniffer packet wan2 none 4 a shows a LOT of ARP traffic, which jumps up in volume when removing and re-adding the Wan2 IPs. Basically it feels like after a few hours (4-6 typically) Telus just stops responding to traffic to/from the secondary IP address.
After a chat with a Telus helpdesk tech on the weekend, he indicated the ARP config (ARP relay) on the Fibre modem wasn't set up and was the likely root cause of the issue. He fixed that, and now access to the 2nd IP from outside the Telus gateway no longer works. Works fine from other firewalls behind the Telus Gateway.
Back on long periods of being on hold with Pure Fibre support; hopefully this will all get resolved today.
As to getting a block of IPs assigned to the modem, the tech indicated they can't provide that on their unmanaged infrastructure, a technical limitation purportedly.
Turns out that this does work using sidewaysguy's suggestions with dual WAN. However, in my case their ARP and routing is horribly broken, so connectivity typically stops after a few hours. After many phone calls, this is finally being routed up to the Telus NOC team and I hope to have a resolution within a few days.
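For readers trying to reproduce the dual-WAN workaround described in this thread, here is an added FortiOS CLI example (not the original poster's configuration, and not Fortinet-supplied) showing the pieces together: subnet overlap enabled so two WAN ports can sit in the ISP's /24, each port carrying one ISP-reserved address and therefore its own MAC, a VIP pinned to each port, and WAN link load balancing (FortiOS 5.4 syntax; 5.2 differs). Interface names wan1/wan2/internal, the 203.0.113.0/24 addresses, the 192.168.10.0/24 servers and the object names are assumptions chosen for illustration.

```fortios
# Assumed ISP assignment: 203.0.113.10 reserved for wan1's MAC,
# 203.0.113.11 reserved for wan2's MAC, gateway 203.0.113.1.
# Both ports are cabled to the same modem, so each answers ARP for
# its own address with a distinct MAC, which is the whole point.

config system settings
    # Required: without this the second interface in 203.0.113.0/24 is refused.
    set allow-subnet-overlap enable
end

config system interface
    edit "wan1"
        # The thread found "static" more reliable than DHCP for the reserved address.
        set mode static
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping
    next
    edit "wan2"
        set mode static
        set ip 203.0.113.11 255.255.255.0
        set allowaccess ping
    next
end

config system virtual-wan-link
    set status enable
    # "source-dest based" in the GUI; keeps a given client/server pair on one link.
    set load-balance-mode source-dest-ip-based
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set gateway 203.0.113.1
        next
    end
end

config firewall vip
    # One VIP per reserved address; extintf pins each to the port whose MAC the ISP knows.
    edit "vip-srv1-443"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.10.21"
        set portforward enable
        set extport 443
        set mappedport 443
    next
    edit "vip-srv2-443"
        set extintf "wan2"
        set extip 203.0.113.11
        set mappedip "192.168.10.22"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    edit 10
        set name "inbound-https-srv1"
        set srcintf "virtual-wan-link"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-srv1-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    edit 11
        set name "inbound-https-srv2"
        set srcintf "virtual-wan-link"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-srv2-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end

# Verification when the second address "goes quiet", as in this thread:
#   diagnose sniffer packet wan2 'arp' 4 20
#     -> expect "who-has 203.0.113.11" from the ISP gateway and a reply from wan2.
#   diagnose sniffer packet any 'host 203.0.113.11 and port 443' 4 20
#     -> inbound and reply packets should both show wan2, not wan1.
```

Two checks worth keeping in mind: the ISP side must learn 203.0.113.11 against wan2's MAC (the modem-side ARP handling is exactly what this thread ends up blaming), and replies for the second VIP must leave on wan2, since a reply sourced from 203.0.113.11 but sent from wan1's MAC can be dropped upstream. The sniffer filters above show both.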
forti4sure wrote:
Turns out that this does work using sidewaysguy's suggestions with dual WAN. However, in my case their ARP and routing is horribly broken, so connectivity typically stops after a few hours. After many phone calls, this is finally being routed up to the Telus NOC team and I hope to have a resolution within a few days.
Did you ever get a resolution from Telus? I'm running into the same issue right now and will probably be contacting them myself.
<snort of derision>
If only... I've given up on them; they've basically ignored my requests for them to fix this. I've now got 3 firewalls on Telus doing what 1 firewall did quite nicely on Shaw. I am moving the servers to our DC, as it's clear that Telus' Pure Fibre service leaves a lot to be desired if you want to host servers/content as opposed to consuming it. Their customer/technical support is even worse <sigh>.
Good luck, happy to pass you any info I found along with any contacts who've been working on this.
Copyright 2024 Fortinet, Inc. All Rights Reserved.