hi all. i'm not sure i'm aiming the question correctly, but i'll try
my goal is to expose a server with a fixed public ip address. a real one, not by 1:1 nat like today.
i've read that maybe there is a way to do that by subneting a public ip pool?
meaning, breaking for example a 64 ip pool, into smaller chunks, lets say i take 1 chunk and break it to a 4 pool
so i have a broadcast address, 2 usable addresses, and a network address. and i'm not sure which should be the gateway address for the host in such a setup. to my understanding, i'm supposed to represent them somehow to make the lan host "think" that the fortigate is it's public isp gateway by using this method. as stated, the end result is to setup a fixed real public ip directly on the host's NIC, same way i would do if i was to take the physical feed directly from the isp and have the ip settings provided by him setup directly on this nic. i'm aware of the fact that in order to do that, i'll to lose some addresses from my pools, but still...
If your company was assigned a small block range of IPs (say 4 IPs) and one of them is assigned as a public IP for your fgt, but also want the fgt to listen/pass traffic for an internal server that is using one of the other public IPs - you may want to set up a VIP from WAN to Internal network using one of the public Ips as source and dest is an internal IP for the server, then you need a firewall rule from the server's internal IP to WAN using a one-to-one nat IP pool to change the internal IP of the server to it's public IP on the out (WAN). (And of course the fgt's manage ports need to be changed to accommodate this.)
There may be other ways to accomplish what you want rather than above. But if you are are going to have multiple devices using the public IP addresses assigned to your company, but don't really need to have them all behind the fgt - you may be better off sticking a switch between the ISP gateway device and the fgt and connect the other "public" devices to the other ports on the switch. IMO.
Why do you think it would be a problem? L3 routing/router feature is separated from FW features. As long as you can identify the traffic by IP addresses, services, etc., you can apply traffic shaping on it.
You said totally 64 IPs, that's a /26 subnet. You can divide it whatever you want like 2 x /27s, or 1 x /27 + 2 x /28s, and so on. Then assign one of available IPs in each subnet on the FGT's interface (maybe a VLAN int if a switch is behind) to be a GW, or even just pass them down to a downstream L3 router or a route/switch, which would handle the entire subnets.
ok. what you said is probably what i'm looking for. but i don't know how to do that technicly.
for example, if my subnet is 126.96.36.199/26, that's 64 addresses, 62 usable
so if i break this into 16 small subnets and take one of them : 188.8.131.52/30
so my subnet address is 184.108.40.206/30, my broadcast address is 220.127.116.11 and i have 18.104.22.168 and 22.214.171.124 usable.
what's the proper way to configure it so it'll work? let's say i'm setting up a vlan that will communicate with the lan host. what ip should i assign to the interface, and what ip should i assign to the nic of the internal host? and what will be that host's default gateway?
In case of a /30 only 2 IPs are usable for hosts, so like GW/FGT is 126.96.36.199/30 and the server side is 188.8.131.52/30. If you make each subnet smaller, you waste more IPs. You can still use those with VIPs at the FGT though, like 184.108.40.206 and .67.
You can VIP any of those IPs as long as they don't conflict with "routed" devices that have the public IPs. But in case of /28 as you asked, only 14 IPs are assignable to host including the GW device. The first one (ex. .0) is network address I might use for VIP. Then I would make the second one (ex. .1) for GW/FGT and use/reserve 12 (ex. .2 - .14) of them for routed devices connected to the FGT. Then might use the last broadcast address (ex. .15) for VIP.
"my goal is to expose a server with a fixed public ip address. a real one, not by 1:1 nat like today.
i've read that maybe there is a way to do that by subneting a public ip pool?"
Yes you can, it all depends on how you will achieve that goal, because as somebody else has already stated you may need extra HW.
But... the role of that extra hardware might be played by a VDOM just dedicate for routing. If you don't have VDOMs enables then it's tricky because I guess you will have to start the configuration from scratch, but eventually your system will be more flexible.
"...to make the lan host "think" that the fortigate is it's public isp gateway by using this method."
Try to get rid of any T9 or the likes because sometimes suggestions are really annoying and make the read difficult.
My 2 cents and of course is I's suggestion ;-)
If you shared your range in an anonimazed way we might be able to help you better .
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.