Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Technigogo
New Contributor

Created on ‎06-28-2023 07:26 AM

Configure Google Fiber static IP s on FortiGate 80F

The client had a single IP from Google Fiber before my company took over support. We installed an 80F, and the "static" is issued by DHCP from Google Fiber on the WAN interface. We have upgraded their Google Fiber account to add 5 static IPs. The statics are in a different subnet. 

 

I am unsure what to do. Very important - if I create VLAN(s) for the static IP(s), what will change for the static IP issued by DHCP over the WAN? All traffic is currently using that DHCP static IP, including VPN. Will that render that IP unusable since it becomes a gateway for the block of static IPs?

 

If the statics require VLAN, what interface? the main LAN or the WAN? What is the Role that I select: LAN? WAN? DMZ? Undefined?

 

Can this be done with VIPs or IP Pools? If IP Pools, what type do I use? One-to-One, Fixed-Port Range, or something else?

 

Here is Google's depiction of the necessary layout for using static IPs.

Technigogo_0-1687961380285.png

 

 

 

Labels:
2038
0 Kudos
1 Solution
Toshi_Esumi
SuperUser
SuperUser
In response to Technigogo

Created on ‎06-28-2023 09:22 AM Edited on ‎06-28-2023 09:23 AM

Google's doc or any other ISP's would NOT include a case their customer has a FW to terminate the circuit. Never assume they're used as VIPs. Their explanation, as the diagram indicates, assumes a "router" terminates the circuit, let's say a cheap Linksys or TP-Link router, which can only route the additional subnet to LAN side. In that case, you have to assign it on the LAN interface.

With VIPs, the additional public IPs never leave the FGT. Just stay inside of it.

 

If you still have some doubt, you can configure a VIP to one device, get a maintenance window, then swap it with the current router/FW they have then verify it actually works.

 

Or open a ticket at TAC and ask them. They would say exactly the same.

 

Toshi

View solution in original post

1998
12 REPLIES 12
Toshi_Esumi
SuperUser
SuperUser

Created on ‎06-28-2023 07:51 AM

I've never seen that kind of helpful diagram provided by any ISPs who offer additional static IP blocks before. That tells exactly what you can do with the additional /29 subnet. Let's say you got 1.1.1.0/29. Then you can use 1.1.1.1/29 on your 80F's LAN interface IP, then other devices that should get a public IP take like 1.1.1.2/29 - 1.1.1.6/29 each. Of course the GW for those devices is 1.1.1.1.

 

Toshi

1617
0 Kudos
Technigogo
New Contributor
In response to Toshi_Esumi

Created on ‎06-28-2023 08:02 AM Edited on ‎06-28-2023 08:03 AM

Thanks, Toshi.

 

Where do I put the 1.1.1.1 then? As an additional IP on the existing LAN interface or does this have to be a VLAN?

What do you make of the 23.23.23.23 reference in this part of the diagram?

23232323.png
1614
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Technigogo

Created on ‎06-28-2023 08:07 AM

It's up to you or what the customer currently has/previously had. If no private IP needed, you can swap the "internal" interface IP 192.168.1.99/24 with 1.1.1.1/29. If you want/need it as a separate subnet, either need to use the secondary IP on the internal or a new VLAN interface. 

1608
Technigogo
New Contributor
In response to Toshi_Esumi

Created on ‎06-28-2023 08:48 AM Edited on ‎06-28-2023 08:49 AM

Is this the right way to do this?

 

  1. I set the 1.1.1.1/29 as a Secondary IP on the existing LAN Interface.
    secondaryIP.png
    LANinterface.png
  2. Set the Public static IPs of 1.1.1.2 to a VIP, setting the Interface to internal, Static NAT,   mapped to the desired LAN IP.
    VIP.png

 

1598
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Technigogo

Created on ‎06-28-2023 08:53 AM

If you want to use them in VIPs only, you don't need to have it on any FGT's interfaces. Only in case the devices need to have one of public IPs, you need to set it at an interface.

1596
Technigogo
New Contributor
In response to Toshi_Esumi

Created on ‎06-28-2023 09:08 AM

I don't understand. Here is the information from Google regarding this configuration. Specifically, the highlighted text.

googleIPinfo.png

1594
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Technigogo

Created on ‎06-28-2023 09:22 AM Edited on ‎06-28-2023 09:23 AM

Google's doc or any other ISP's would NOT include a case their customer has a FW to terminate the circuit. Never assume they're used as VIPs. Their explanation, as the diagram indicates, assumes a "router" terminates the circuit, let's say a cheap Linksys or TP-Link router, which can only route the additional subnet to LAN side. In that case, you have to assign it on the LAN interface.

With VIPs, the additional public IPs never leave the FGT. Just stay inside of it.

 

If you still have some doubt, you can configure a VIP to one device, get a maintenance window, then swap it with the current router/FW they have then verify it actually works.

 

Or open a ticket at TAC and ask them. They would say exactly the same.

 

Toshi

1999
Technigogo
New Contributor
In response to Toshi_Esumi

Created on ‎06-28-2023 11:39 AM

Toshi, I fully appreciate how much you are trying to help me. I am testing several scenarios now in my own environment.

1569
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Technigogo

Created on ‎06-28-2023 11:50 AM Edited on ‎06-28-2023 11:51 AM

In case you didn't know, you can use full /29 8 IPs for VIPs, including 1.1.1.0/29 and 1.1.1.7/29. Goodle side routes all packets destined to the subnet including the subnet address and broadcast address. Only in case you assigned it to a LAN interface those IPs wouldn't be usable/routable.

 

Toshi

1566
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.