We are receiving a single WAN connection from our ISP direct to the Fortigate. They are providing a /30 linknet address and a /29 for Internet traffic. I was thinking of using a VLAN interface for the /29 routable public addresses, attached to the WAN interface, which will have the linknet /30 address. Does this sound right, or is there an alternate way to do this?
Hi Yashwani, thanks for the quick reply. Could you please clarify for me: if the /30 linknet was 192.168.0.1/30 (my address 192.168.0.2, ISP 192.168.0.1) and the routable network is 172.16.0.0/29 (names/IPs changed to protect the innocent :)), what would my VIP external address be? What would my mapped IP address be? I am struggling to get my head around this. Thanks
It depends on the use you will give it, and there are different ways to do it. As Yashwani told you, you can just use VIPs and NAT pools.
For example, if you are going to publish web services, you can use VIPs:
- VIP1: 172.16.0.2 to 192.168.12.2; VIP2: 172.16.0.3 to 192.168.12.3, and so on. In that case, when traffic arrives at your public IP, it will be NAT'd to your private one (the subnet 192.168.12.0/24 is your LAN/DMZ network in my example).
Another option (or you can use both, according to your needs) is to create a NAT pool for outbound traffic.
- NAT POOL: 172.16.0.4 to 172.16.0.5. Then you can use this pool in a firewall policy to perform source NAT for outbound traffic to the Internet.
Another alternative would be to have both subnets on the same interface using a secondary IP. The suggestion from Yashwani is cleaner, however, and should allow you to use all 8 of the /29 IP addresses, as there would be no network or broadcast addresses involved.