Fortinet FortiGate 200B Allow Multiple ISP IPs On 1 Port
We have a Fortinet FortiGate 200B. Our ISP gave us 5 IPs to use. The first is our main address assigned to the 200B's MAC address. They also have 3 IPs looking for our DVR security systems also by MAC address. Here is the set up:
X.X.X.150 = Our main IP.
X.X.X.151 = DVR #1.
X.X.X.152 = DVR #2.
X.X.X.153 = DVR #3.
X.X.X.154 = Nothing used yet.
My question is how do I set up the Fortinet FortiGate 200B to see all 5 of these IPs coming from the modem?
There are no WAN ports so I set up Port 11 as DHCP for the ISP.
I went to Firewall Objects > Virtual IP > Virtual IP and created the ports that need to be forwarded to. There are four ports needed for each DVR. The port numbers are the same for each DVR, but the external IP is different. Therefore, there are 12 entries.
I then went to Firewall Objects > Virtual IP > VIP Group and created three groups for each DVR using the four ports forwarded to for each group.
Last of all, I went to Policy > Policy > Policy and created a Port 11 > The Switch and added each VIP Group in this order:
ered what your question was. Everything should be working now, your config is correct.
There are 2 ways a FGT can handle multiple IP addresses on a port:
1- via VIP
2- as secondary address
Going the VIP path here is 100% the way to go, as you need port forwarding as well, and as you use more than 2 addresses. Remember that a port-forwarding VIP will not respond to ping, only to ARP and the specified services/ports (UDP or TCP). [the exception being FortiOS v5.4 where you can additionally allow ICMP]
So if you have difficulties or more questions feel free to post here.
Thanks for the welcome. Mainly I was just wondering if I was doing something wrong in my setup.
Yeah I thought that would be the right way to do it. I even did an IP Pool of the extra ISP-provided IPs on an individual basis and that didn't work. The IP Pool made no difference and probably isn't needed so I deleted it.
I am starting to wonder if it is because the ISP has them going to the MAC addresses of the DVRs. I am not sure how they would set it up on their end so it works on our end.
The way it is now, the extra IPs going to the DVRs are not working.
- VIPs do destination NAT - the destination IP address is substituted
- IP pools do source NAT - the source IP address is substituted
When using a VIP, reply traffic and even traffic originating from the NATted internal host is automatically source NATted by the VIP, as a convenience. This way, the true source IP of the exposed host is fully hidden.
If you get the other IPs by DHCP as well, a VIP cannot work - the FGT needs to negotiate first to get the assignment.
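As an added illustration of the two replies above (the VIP/port-forwarding route, and VIPs doing destination NAT), here is the FortiOS CLI shape of the setup the original poster built in the GUI for DVR #1. This is example configuration written for this page, not a config from the thread or from Fortinet; it assumes the DVR sits at 192.168.1.11 behind an interface named "internal", uses constructed placeholder ports 8000 and 8001 (the thread never names the four DVR ports), and assumes the public address X.X.X.151 is statically allocated to you. As the second reply notes, this does not work when the extra addresses are DHCP-leased against the DVRs' MAC addresses, because a VIP cannot negotiate a lease; in that case the ISP has to route the addresses to the FortiGate (or the firewall's own address) instead.

```text
# Example only, not from the thread. Shown for DVR #1; DVR #2 and #3 are the
# same with extip X.X.X.152 / X.X.X.153 and their own internal hosts.
config firewall vip
    edit "DVR1-8000"
        set extip X.X.X.151            # public IP supplied by the ISP (static assumption)
        set extintf "port11"           # the interface facing the modem, as in the thread
        set portforward enable         # port-forwarding VIP: answers ARP + listed ports only
        set mappedip "192.168.1.11"    # assumed internal DVR address
        set protocol tcp               # use udp for UDP-based DVR streams
        set extport 8000               # placeholder DVR port
        set mappedport 8000
    next
    edit "DVR1-8001"
        set extip X.X.X.151
        set extintf "port11"
        set portforward enable
        set mappedip "192.168.1.11"
        set protocol tcp
        set extport 8001               # placeholder DVR port
        set mappedport 8001
    next
end

# Group the four VIPs for one DVR so a single policy references them
config firewall vipgrp
    edit "DVR1-group"
        set interface "port11"
        set member "DVR1-8000" "DVR1-8001"
    next
end

# Inbound policy: port11 -> internal, destination = the VIP group.
# The VIP performs the destination NAT (X.X.X.151 -> 192.168.1.11);
# no IP pool is needed, since reply traffic and outbound traffic from
# 192.168.1.11 are source-NATted to X.X.X.151 by the VIP automatically.
config firewall policy
    edit 0
        set name "DVR1-inbound"
        set srcintf "port11"
        set dstintf "internal"         # assumed name of the LAN switch interface
        set srcaddr "all"
        set dstaddr "DVR1-group"
        set action accept
        set schedule "always"
        set service "ALL"              # or a service object limited to the four DVR ports
    next
end
```

A quick sanity check after applying this: from the CLI, `diagnose firewall iprope list` shows whether the VIP policy is loaded, and a session from outside to X.X.X.151:8000 should appear in `diagnose sys session list` with the translated destination 192.168.1.11. If the FortiGate never sees packets for X.X.X.151 at all, the address is being delivered elsewhere (here, by the ISP's MAC-based lease to the DVR), and no VIP configuration will change that.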
@MikePruett Our ISP says, "That is not typical protocol for our network and our block addressing structure does not lend itself to that configuration very well. It would be easiest for us to simply allocate several public addresses directly to you."
@ede_pfau Yes the extra IPs are also DHCP-supplied by the ISP and are set to look for the MAC addresses of the DVRs by the ISP. How can I make the firewall negotiate first to get the assignment in that case?