WAN interface
Hi,
We are receiving a single WAN connection from our ISP direct to Fortigate. They are providing a /30 linknet address and a /29 for Internet traffic.
I was thinking of using a VLAN interface for the /29 routable public addresses attached to the WAN interface, which will have the linknet /30 address.
Does this sound right, or is there an alternate way to do this?
Hi Mark,
You can achieve this even without creating a VLAN interface. Instead you can use VIPs and pools to NAT from this public IP pool. The ISP will have this subnet pointed towards your firewall.
yashwani
Hi Yashwani,
Thanks for the quick reply.
Could you please clarify for me: if the /30 linknet was 192.168.0.1/30 (my address 192.168.0.2, ISP 192.168.0.1)
and the routable network is 172.16.0.0/29
(names/IPs changed to protect the innocent :))
What would my VIP external address be?
What would my mapped IP address be?
I am struggling to get my head around this.
Thanks
Hi Mark,
It depends on the use you will give it, and there are different ways to do it. As Yashwani told you, you can just use VIPs and NAT pools.
For example, if you are going to publish web services, you can use VIPs:
- VIP1: 172.16.0.2 to 192.168.12.2; VIP2: 172.16.0.3 to 192.168.12.3, and so on. In that case, when traffic arrives at your public IP, it will be NATed to your private one (the subnet 192.168.12.0/24 is your LAN/DMZ network in my example).
Another option (or you can use both according to your needs) is to create a NAT pool for outbound traffic.
- NAT POOL: 172.16.0.4 to 172.16.0.5. Then you can use this pool in a firewall policy to perform source NAT for outbound traffic to the Internet.
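The VIP and IP-pool layout described in this reply, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread: the interface names "wan1" and "internal", the object names, and the published service are assumptions, and it relies on the ISP routing 172.16.0.0/29 to the linknet address 192.168.0.2 (so the /29 is never bound to the WAN port itself).

```fortios
# Added example, not from the thread. Assumed: WAN port "wan1", LAN port "internal",
# ISP routes 172.16.0.0/29 to 192.168.0.2 on the /30 linknet.

# The WAN port carries only the /30 linknet.
config system interface
    edit "wan1"
        set ip 192.168.0.2 255.255.255.252
    next
end

# Default route via the ISP side of the linknet.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.0.1
        set device "wan1"
    next
end

# Inbound: one VIP per published host, public /29 address -> private server.
config firewall vip
    edit "VIP1"
        set extintf "wan1"
        set extip 172.16.0.2
        set mappedip "192.168.12.2"
    next
    edit "VIP2"
        set extintf "wan1"
        set extip 172.16.0.3
        set mappedip "192.168.12.3"
    next
end

# The VIP is reachable from the whole Internet, so the policy names only the
# service actually published (HTTPS assumed here), never "ALL".
config firewall policy
    edit 0
        set name "Internet-to-Web1"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP1"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end

# Outbound: source NAT from a pool of the remaining /29 addresses.
config firewall ippool
    edit "OUTBOUND-POOL"
        set type overload
        set startip 172.16.0.4
        set endip 172.16.0.5
    next
end

config firewall policy
    edit 0
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "OUTBOUND-POOL"
    next
end
```

Because the /29 is routed rather than configured on an interface, every address from 172.16.0.0 to 172.16.0.7 can be used as a VIP or pool member; the addresses left out of VIPs and the pool (.0, .1, .6, .7 above) simply go unused until they are assigned to something.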
Hi,
I need to terminate a site-to-site VPN on this interface. How is this done with a VIP?
Thanks
Hi.
You can just create a loopback interface like 172.16.0.6/32.
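The loopback approach from this reply as FortiOS CLI, with a route-based IPsec tunnel bound to it. This is an added example rather than configuration from the thread: the names "loop-vpn" and "site-b", the WAN port "wan1", the peer address 203.0.113.10 and the pre-shared key are placeholders, and the IKE/ESP policy reflects the assumption that traffic to a loopback address is subject to firewall policy on the FortiOS version in use.

```fortios
# Added example, not from the thread. Placeholders: "loop-vpn", "site-b",
# peer 203.0.113.10, pre-shared key. WAN port assumed to be "wan1".

# Loopback holding one of the routed /29 addresses.
config system interface
    edit "loop-vpn"
        set vdom "root"
        set type loopback
        set ip 172.16.0.6 255.255.255.255
        set allowaccess ping
    next
end

# Phase 1 bound to the loopback, so the tunnel's local gateway is 172.16.0.6.
config vpn ipsec phase1-interface
    edit "site-b"
        set interface "loop-vpn"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret "REPLACE-WITH-PSK"
    next
end

config vpn ipsec phase2-interface
    edit "site-b-p2"
        set phase1name "site-b"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# Packets for a loopback address cross the firewall, so IKE and ESP arriving on
# wan1 for 172.16.0.6 need an explicit policy. Tighten srcaddr to the peer
# address object once it is known instead of leaving it as "all".
config firewall address
    edit "loop-vpn-ip"
        set subnet 172.16.0.6 255.255.255.255
    next
end

config firewall policy
    edit 0
        set name "Allow-IKE-ESP-to-loopback"
        set srcintf "wan1"
        set dstintf "loop-vpn"
        set srcaddr "all"
        set dstaddr "loop-vpn-ip"
        set action accept
        set schedule "always"
        set service "IKE" "ESP"
    next
end
```

A VIP is not needed for this: the loopback gives the firewall a real address inside the /29 that it can answer IKE on, and the ISP's route for the /29 already delivers the packets to the linknet.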
bye.
Another alternative would be to have both subnets on the same interface using secondary IP. The suggestion from yashwani is cleaner however and should allow you to use all 8 of the /29 IP addresses as there would be no network or broadcast addresses involved.
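The secondary-IP alternative mentioned in this reply, as FortiOS CLI. This is an added example and not the poster's configuration; the WAN port name "wan1" is assumed, and 172.16.0.1 is chosen here as the firewall's own address in the /29.

```fortios
# Added example, not from the thread. Assumed WAN port: "wan1".
# With the /29 on the interface, .0 and .7 become network/broadcast and .1 is
# taken by the firewall, so five addresses remain for VIPs or pools.
config system interface
    edit "wan1"
        set ip 192.168.0.2 255.255.255.252
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 172.16.0.1 255.255.255.248
                set allowaccess ping
            next
        end
    next
end
```

This is the address arithmetic behind the remark that the VIP/pool approach is cleaner: a routed /29 loses nothing to the interface itself, while a directly attached /29 gives up three of its eight addresses.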