Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
NORVIN
New Contributor

Fortinet FortiGate 200B Allow Multiple ISP IPs On 1 Port

We have a Fortinet FortiGate 200B.  Our ISP gave us 5 IPs to use.  The first is our main address assigned to the 200B's MAC address.  They also have 3 IPs looking for our DVR security systems also by MAC address.  Here is the set up:

 

X.X.X.150 = Our main IP.

X.X.X.151 = DVR #1.

X.X.X.152 = DVR #2. X.X.X.153 = DVR #3.

X.X.X.154 = Nothing used yet.

 

My question is how do I set up the Fortinet FortiGate 200B to see all 5 of these IPs coming from the modem?

 

There are no WAN ports so I sat up Port 11 as DHCP for the ISP.

 

I pretty much followed these directions:

 

http://kb.kaminskiengineering.com/node/377

 

I went to Firewall Objects > Virtual IP > Virtual IP and created the ports that need to be forwarded to.  There are four ports needed for each DVR.  The port numbers are the same for each DVR, but the external IP is different.  Therefore, there are 12 entries.

 

I then went to Firewall Objects > Virtual IP > VIP Group and created three groups for each DVR using the four ports forwarded to for each group.

 

Last of all, I want to Policy > Policy > Policy and created a Port 11 > The Switch and added each VIP Group in this order:

[ul]
  • Port 11
  • all
  • The Switch
  • VIP Group #1
  • always
  • ANY
  • ACCEPT[/ul]

    No boxes are checked.

  • 22 REPLIES 22
    ede_pfau
    Esteemed Contributor III

    Hi,

     

    and welcome to the forums.

    When I first read your post I won

    ered what your question was. Everything should be working now, your config is correct.

    There are 2 ways a FGT can handle multiple IP addresses on a port:

    1- via VIP

    2- as secondary address

     

    Going the VIP path here is 100% the way to go, as you need port forwarding as well, and as you use more than 2 addresses. Remember that a port-forwarding VIP will not respond to ping, only to ARP and the specified services/ports (UDP or TCP). [the exception being FortiOS v5.4 where you can additionally allow ICMP]

     

    So if you have difficulties or more questions feel free to post here.


    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    NORVIN

    Thanks for the welcome.  Mainly I was just wondering if I was doing something wrong in my setup.

     

    Yeah I thought that would be the right way to do it.  I even did an IP Pool of the extra ISP-provided IPs on an individual basis and that didn't work.  The IP Pool made no difference and probably isn't needed so I deleted it.

     

    I am starting to wonder if it is because the ISP has them going to the MAC addresses of the DVRs.  I am not sure how they would set it up on their end so it works on our end.

     

    The way it is is now, the extra IPs going to the DVRs are not working.

    Toshi_Esumi
    Esteemed Contributor II

    Is the main IP .150 pulled via DHCP? You mentioned about DHCP so I was wondering. Then the rest might not work.

    NORVIN

    Yes it is pulled via DHCP.  Let me try Manual with the primary ISP IP provided to us.

     

    That killed the Internet so now I will have to run into work and switch it back.  I did see I could now add Secondary IP Address(es) when I switched it to manual.

     

    EDIT...

     

    I tried it twice using manual settings for the ISP and made sure the gateway was defined under Router > Static > Static Route as:

     

    0.0.0.0/0.0.0.0          X.X.X.1          port11

     

    It refuses to work using manual settings.

    MikePruett
    Valued Contributor

    You could have the ISP route the block of IP's to the IP that your WAN interface is getting. Providers like WOW and Windstream have done that for me in the past.

    ede_pfau
    Esteemed Contributor III

    Just to clarify:

    - VIPs do destination NAT - the destination IP address is substituted

    - IP pools do source NAT - the source IP address is substituted

     

    When using a VIP, reply traffic and even traffic originating from the NATted internal host is automatically source NATted by the VIP, as a convenience. This way, the true source IP of the exposed host is fully hidden.

    If you get the other IPs by DHCP as well, a VIP cannot work - the FGT needs to negotiate first to get the assignment.


    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    NORVIN

    @MikePruett Our ISP says, "That is not typical protocol for our network and our block addressing structure does not lend itself to that configuration very well.  It would be easiest for us to simply allocate several public addresses directly to you."

     

    @ede_pfau Yes the extra IPs are also DHCP-supplied by the ISP and are set to look for the MAC addresses of the DVRs by the ISP.  How can I make the firewall negotiate first to get the assignment in that case?

    ede_pfau
    Esteemed Contributor III

    I'd say you can't.

    Follow your ISP to get directly allocated IPs. Then use them either by VIP or as secondary addresses where VIPs are far more flexible.


    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    michaelbazy_FTNT

    Quick question : have you checked your subnet mask? maybe the ISP made an error in the mask he allocated...

     

    Also, have you tried a diag sniff packet to check that the packet you should receive are actually forwarded to you?

     

    (last thing I can think of : is the proxy-arp disabled?)

    NSE8 #3112