FortiGate
vdralio
Staff
Article Id 191639

Description

 

This article describes how to configure a FortiGate network interface so that a secondary IP address belongs to the same subnet as the already configured primary IP address.

By default, an attempt to set a secondary IP that overlaps with the primary is rejected, and the FortiGate returns one of the following error messages in the CLI or GUI:

Subnets overlap between 'port6' with primary IP of 'port5'
node_check_object fail! for ip X.X.X.X 255.255.255.0

value parse error before '255.255.255.0'
Command fail. Return code -54

Or:

'Conflict with ‘portx’ subnet.'

Scope

 

FortiGate.


Solution


FortiGate can be configured to allow overlapping subnets with the following CLI command; there is no equivalent option in the GUI.

(If VDOMs are enabled, enter the correct VDOM first.)

 

config vdom
    edit <VDOM>
        config system settings
            set allow-subnet-overlap [enable/disable]
        end
    next
end

 

Note:

By design, subnets should not overlap.
In real networks, if two interfaces have overlapping subnets, the FortiGate may forward a packet destined for an address inside the overlapping range out of the wrong interface.

Using overlapping subnets is not recommended, as it can cause routing issues in the network. The recommended approach is variable-length subnet masking (VLSM), which makes it possible to assign a distinct subnet to each interface in the environment.

 

Note:

To avoid the routing issues caused by overlapping subnets, place the interface with the overlapping subnet in a different VRF from the main interface.

 

Using CLI:

config system interface
    edit <interface name/port no.>
        set vrf <integer>
    next
end
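As an added example (not from this article or from FortiOS), the following Python audit parses a 'config system interface' export and reports interface subnets that overlap inside the same VRF, which is the condition both notes above warn about; interfaces in separate VRFs are left out because each VRF has its own routing table. The sample export is constructed, and the parser assumes the `set ip <addr> <mask>` form with the default VRF 0.

```python
import ipaddress
from itertools import combinations

SAMPLE_CONFIG = """\
config system interface
    edit "port5"
        set ip 10.10.10.1 255.255.255.0
        config secondaryip
            edit 1
                set ip 10.10.10.2 255.255.255.0
            next
        end
    next
    edit "port6"
        set ip 10.10.10.129 255.255.255.128
    next
    edit "port7"
        set vrf 1
        set ip 10.10.10.10 255.255.255.0
    next
end
"""  # constructed sample, not a real device export

def parse_interfaces(text):
    """name -> {'vrf': int, 'nets': {IPv4Network}} ('set ip <addr> <mask>' form only)."""
    ifaces, stack, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            stack.append(line[7:])
        elif line == "end":
            stack.pop()
        elif line.startswith("edit ") and stack and stack[-1] == "system interface":
            current = line[5:].strip('"')                # 'edit 1' under secondaryip is not an interface
            ifaces[current] = {"vrf": 0, "nets": set()}  # VRF 0 is the FortiOS default
        elif line.startswith("set vrf ") and current:
            ifaces[current]["vrf"] = int(line.split()[2])
        elif line.startswith("set ip ") and current:     # primary IP or a secondary IP
            addr, mask = line.split()[2:4]
            ifaces[current]["nets"].add(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return ifaces

def find_overlaps(ifaces):
    """(a, b, net_a, net_b, vrf) for subnets that overlap between two different interfaces in the same VRF."""
    hits = []
    for a, b in combinations(sorted(ifaces), 2):
        if ifaces[a]["vrf"] == ifaces[b]["vrf"]:
            hits += [(a, b, str(na), str(nb), ifaces[a]["vrf"]) for na in sorted(ifaces[a]["nets"])
                     for nb in sorted(ifaces[b]["nets"]) if na.overlaps(nb)]
    return hits
```

Run against a real export the same way; an empty result means every overlapping pair is already separated by VRF.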


Related documents:

Site-to-site IPsec VPN with overlapping subnets

Technical Tip: SSL VPN with overlapping subnets

Configuring DHCP relay over IPSec VPN with overlapping subnets

Technical Tip: Access of remote overlapping subnets over different IPsec tunnels with local VRF and ...