- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- WAN Interface with DHCP and Multiple IPs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
WAN Interface with DHCP and Multiple IPs
Hello,
We run a Fortigate 100E running 5.4.6 and have an ISP that will only assign IPs through DHCP. They do reserve the IP so it remains static however they can only assign 1 IP per MAC address. So far I cannot find a way to make the Fortigate have multiple MAC addresses on the one interface. I thought maybe I could plug more than 1 interface in my ISP's modem but I imagine this would give me routing issues as both interfaces would be on the same subnet.
Has anyone tested a solution to this? The firewall at my old job was configured to allowed us to add MAC addresses. I'd rather not put a switch between my modem and firewall and use the switches MAC address for the 2nd IP.
Thank you for any suggestions,
Neil
- « Previous
-
- 1
- 2
- Next »
16 REPLIES 16
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ran into this exact same issue as the OP with Telus Pure Fibre. The most frustrating part is it would work perfectly fine for about a half a day, then start failing.
Device is an older 60c and have a sever with 2 vm's that we want to map to 2 external ip's both responding on port 443. We did the usual ViP setup and it worked, then the next day it didn't, then it did, then it didn't and so on. That's the most frustrating part as I was swapping out the 60c with other devices and it would work sometimes and other times not.
Wasn't until I ran debug sniffer this morning and say all the arp (and other) traffic regarding the 2nd IP that it became clear what the problem was.
Going to call Telus and see about getting a block of ip's assigned now and if not will try the LLB feature. This device is running 5.2.13 due to it's age and is slated for replacement in the next couple of months. Is it likely to work with LLB since it's not the 5.4.0+ that you mention Sidewayguy?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well so far not so good. After running
set allow-subnet-overlap enable
Using the "static" on Wan1, I am able to get one of their temporary dynamics in a different subnet on Wan2, but as soon as I assign the "static" to the mac address for Wan2, reboot the 60c for good measure, it comes back up with no ip address on Wan2.
Actually, after manually assigning the "static" to Wan2 in the 60c interface settings, it all seems to be working...
For the LLB I chose source-destination based. Is there a better choice?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Scratch that, just like the last few days, it works fine for part of the day and fails again. I suspect the fact that it worked as per my above posting is likely coincidental more than anything else.
Back to the drawing board
Though removing the ip from wan2 and re-adding seems to have made the connection happy again,
diag sniffer packet wan2 none 4 a shows a LOT of arp traffic which jumps up in volume when removing and re-adding the Wan2 ip's. Basically feels like after a few hours (4-6 typically) Telus just stops responding to traffic to/from the secondary ip address.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After a chat with a Telus helpdesk tech on the weekend, he indicated the ARP config (arp relay) on the Fibre modem wasn't setup and was the likely root cause of the issue. He fixed that and now access to the 2nd ip from outside the Telus gateway no longer works. Works fine from other firewalls behind the Telus Gateway.
Back on long periods of being on hold with Pure Fibre support, hopefully this will all get resolved today.
As to getting a block of IP's assigned to the modem, tech indicated they can't provide that on their unmanaged infrastruture, technical limitation purportedly.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Turns out that this does work using sidewaysguy's suggestions with dual wan. However in my case, their arp and routing is horribly broken so connectivity typically stops after a few hours. After many phone calls, this is finally being routed up to the Telus NOC team and I hope to have a resolution within a few days.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
forti4sure wrote:Turns out that this does work using sidewaysguy's suggestions with dual wan. However in my case, their arp and routing is horribly broken so connectivity typically stops after a few hours. After many phone calls, this is finally being routed up to the Telus NOC team and I hope to have a resolution within a few days.
Did you ever get a resolution from Telus? I'm running into the same issue right now and will probably be contacting them myself.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
<snort of derision>
If only.... I've given up on them, they've basically ignored my requests for them to fix this. I've now got 3 firewalls on Telus doing what 1 firewall did quite nicely on Shaw. I am moving the servers to our DC as it's clear that Telus' Pure Fibre service leaves a lot to be desired if you want to host servers/content as opposed to consuming it. Their customer/technical support is even worse <sigh>.
Good luck, happy to pass you any info I found along with any contacts who've been working on this.
- « Previous
-
- 1
- 2
- Next »
Related Posts
- Captive portal issue - fails to... 181 Views
- Understanding the application control 371 Views
- Using FortiSwitch Interfaces in multiple VDOMs 290 Views
- DHCP on a Fortiswitch 124F from... 253 Views
- Duplicate a working Cisco Router config... 1215 Views
Labels
-
FortiGate
6,716 -
FortiClient
1,336 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
344 -
FortiAP
342 -
FortiClient EMS
272 -
FortiMail
261 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
82 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
61 -
FortiProxy
46 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
SD-WAN
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
22 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
Web profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.