Dear All,
I have a few queries, which are as follows:
1. Why do we assign a WAN IP pool instead of the exit WAN interface to our email server?
2. Let's say we have two ISPs, ISP1 and ISP2.
ISP1 range is (192.168.99.0/28) and ISP2 range is (193.168.99.0/29)
ISP1 exit interface IPs are - 192.168.99.2 (customer end) and 192.168.99.1 is ISP1 end similarly
ISP2 exit interface IPs are - 193.168.99.2 (customer end) and 193.168.99.1 is ISP2 end
My concern is why we do not use the exit interface for email communication. Please refer to the attached snapshot.
Thank you
@Umesh You can use WAN exit interface or IP Pool. This depends on how you want to separate traffic.
In this case you may use IP Pool so that emails will use a dedicated IP instead of WAN exit interface IP.
It all depends on you. Technically there are no issues if you use WAN exit interface, or IP Pools.
In the case of 2 ISPs (if you use SDWAN), you use an IP Pool, so that your mail server is published with one known external IP, which should be routable from both ISPs (1 IP for the mail server may help with SPF, DKIM, DMARC).
Hope that answers your question
Hi Xshkurti,
Can you please help me understand, on a scenario basis, why we use another IP pool instead of the exit WAN interface IP?
Thank you.
@Umesh
In your case you have 193.168.99.0/29 given from your ISP.
That means that you have 5 usable IPs 193.168.99.1 - 193.168.99.6
The same goes for ISP2
193.168.99.1 is used for all traffic. Now you have 4 IPs left. It is good design practice to use different IPs for different mission critical services. One of the reasons is that the IP you specify for emails will be declared in other services to whitelist that IP and expect mail flows.
Now if you leave the WAN interface IP, a lot of traffic will pass on that IP (web, video, audio etc), and there is a risk that that IP may be blocked by mail checker services. As a result your outgoing IP will be blacklisted and all your emails will go to spam folders on the receiver side, or worse, be blocked by their spam filters.
There are a lot of reasons why that design is recommended.
Technically, you can use the WAN IP and not involve IP Pools at all. So using an IP pool is a recommendation, but not mandatory.
Once again, it is up to you to decide your infrastructure design, but I advise you to follow Best Practices Guides as they have feedback from real live scenarios.
Understood, thanks for the reply.
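
The design point made in the replies above (mail leaves from its own pool IP, and that IP is what gets declared in SPF and in partner allow-lists) can be checked mechanically. The following is an added example, not part of the original thread and not Fortinet code: the function names, the mail IP 193.168.99.3 and the SPF records in the test data are constructed for illustration, while the /29 range and the interface and gateway addresses are the ones quoted in the question.

```python
import ipaddress

def spf_ip4_networks(spf_record):
    """Networks authorised by pass-qualified ip4 mechanisms.
    Simplification: include/a/mx terms and first-match ordering are ignored."""
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    nets = []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if qualifier == "+" and mech.lower().startswith("ip4:"):
            nets.append(ipaddress.ip_network(mech[4:], strict=False))
    return nets

def audit_mail_egress(isp_range, wan_ip, isp_gw, mail_ip, spf_record):
    """Return a list of findings; an empty list means the design is consistent."""
    block = ipaddress.ip_network(isp_range)
    wan, gw, mail = (ipaddress.ip_address(x) for x in (wan_ip, isp_gw, mail_ip))
    allowed = spf_ip4_networks(spf_record)
    findings = []
    if mail not in block or mail in (block.network_address, block.broadcast_address):
        findings.append("mail IP is not a usable host address in the ISP range")
    if mail == gw:
        findings.append("mail IP collides with the ISP-side gateway")
    if mail == wan:
        findings.append("mail shares the WAN interface IP with all other outbound traffic")
    if not any(mail in net for net in allowed):
        findings.append("mail IP is not authorised by an ip4 mechanism in SPF")
    if mail != wan and any(wan in net for net in allowed):
        findings.append("SPF also authorises the shared WAN interface IP")
    return findings

if __name__ == "__main__":
    # Constructed scenarios: dedicated pool IP, interface IP reused, over-broad SPF.
    for mail_ip, spf in [
        ("193.168.99.3", "v=spf1 ip4:193.168.99.3 -all"),
        ("193.168.99.2", "v=spf1 ip4:193.168.99.2 -all"),
        ("193.168.99.3", "v=spf1 ip4:193.168.99.0/29 -all"),
    ]:
        result = audit_mail_egress("193.168.99.0/29", "193.168.99.2",
                                   "193.168.99.1", mail_ip, spf)
        print(mail_ip, spf, "->", result or "OK")
```

An SPF record that lists the whole /29 passes the mail check but also authorises the shared interface IP, which defeats the separation the replies recommend.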