
I have a FortiGate 310B with a WAN port that has a /27 public IP pool from the ISP. The WAN port is configured with primary IP 1.1.1.1/27.

I would like to give servers on the Internal port a public IP, but this public IP will be configured on the equipment in the Internal zone (as if it were bridged).

[INTERNET] - [FG PORT1 WAN 1.1.1.1] - [FG PORT2 INTERNAL] - [SOME SERVER 1.1.1.2]

The WAN interface is NAT, and the Internal port has some private IP subnets.

How can this be done?

EDIT:

  • The whole subnet 1.1.1.1/27 is forwarded to IP 1.1.1.1, which terminates on WAN Port1 of the FortiGate.
  • My gateway on the ISP side is 1.1.1.3.
  • The LAN 172.16.x.x is NATed with IP 1.1.1.1 (which is working).

See drawing (Red circle is what I try to achieve):

    You need to subnet your subnets. Meaning, make yourself less complex. Hit up [gliffy.com](http://gliffy.com) and draw a diagram to consider what you want, and then remember you have to follow the rules of IP networks. Long-short, you want to NAT to and from a single host on your internal subnet. What routes back to the Global/WAN IP? Either the network stack in the fortigate or the first hop router on the outside of the fortigate. – brandeded Feb 19 '15 at 22:40
  • He doesn't want to NAT, so he'll need to slice that /27, losing IP addresses in the process. I'd say it's not worth it and to go the NAT way as you've pointed out. – Pedro Perez Feb 21 '15 at 21:18
  • Slicing will lose too many IP addresses. So how can I forward the public addresses into internal zone so that the internal server will have a real public IP (and not virtual, mapped or whatever)? – adambg Feb 22 '15 at 21:22
  • I think your friend will be `transparent mode`: [video](http://goo.gl/X5Mek8), [doc](http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/concepts.066.25.html), since you want to bridge two interfaces maintaining layer 2 between them. Looks like fun. Also see, `config system settings` \ `set allow-subnet-overlap enable`: [doc](http://goo.gl/3cLeP9) if you're into trying to hack away at layer 3: [doc](http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/gw-to-gw.114.12.html). – brandeded Feb 26 '15 at 13:55
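To put numbers on the trade-off the comments argue about (slicing the /27 into routed sub-subnets versus keeping it flat and mapping servers with 1:1 NAT), here is an added Python example; it is not part of the original thread. It takes the block 1.1.1.0/27, the FortiGate WAN IP 1.1.1.1 and the ISP gateway 1.1.1.3 from the question, and assumes the FortiGate needs one address of its own on every routed internal sub-subnet.

```python
import ipaddress

# Values taken from the question: the ISP routes 1.1.1.0/27 to the FortiGate's
# WAN address 1.1.1.1, and the ISP gateway is 1.1.1.3.
BLOCK = ipaddress.ip_network("1.1.1.0/27")
FG_WAN_IP = ipaddress.ip_address("1.1.1.1")
ISP_GATEWAY = ipaddress.ip_address("1.1.1.3")


def is_host_address(addr, net):
    """True if addr is a usable host address on net (not network/broadcast)."""
    return addr in net and addr not in (net.network_address, net.broadcast_address)


def nat_plan(block, wan_ip, gateway):
    """Keep the whole block on the WAN side and publish servers with 1:1 NAT.

    Every usable address except the FortiGate's own WAN IP and the ISP gateway
    can be mapped to an internal server.
    """
    reserved = {wan_ip, gateway}
    return sum(1 for host in block.hosts() if host not in reserved)


def slicing_plan(block, wan_ip, gateway, wan_prefix):
    """Carve a /wan_prefix WAN subnet out of block (it must contain both the
    FortiGate WAN IP and the ISP gateway as host addresses) and route the rest
    to the internal port. Returns (wan_subnet, lan_subnets, server_addresses).
    """
    wan = ipaddress.ip_network(f"{wan_ip}/{wan_prefix}", strict=False)
    if not (wan.subnet_of(block) and is_host_address(wan_ip, wan)
            and is_host_address(gateway, wan)):
        raise ValueError(f"a /{wan_prefix} around {wan_ip} cannot hold gateway {gateway}")
    # address_exclude() yields the largest prefixes covering the remainder, i.e.
    # the fewest routed LAN subnets and so the fewest wasted addresses.
    lans = sorted(block.address_exclude(wan))
    # Each routed LAN subnet burns network + broadcast plus one address for the
    # FortiGate's interface on that subnet (assumption: one FortiGate IP per subnet).
    servers = sum(lan.num_addresses - 3 for lan in lans)
    return wan, lans, servers


if __name__ == "__main__":
    print("flat /27 + 1:1 NAT:", nat_plan(BLOCK, FG_WAN_IP, ISP_GATEWAY), "server addresses")
    for prefix in (28, 29, 30):
        try:
            wan, lans, n = slicing_plan(BLOCK, FG_WAN_IP, ISP_GATEWAY, prefix)
            print(f"WAN {wan}, LAN {[str(l) for l in lans]}: {n} server addresses")
        except ValueError as err:
            print(f"/{prefix}: {err}")
```

A /30 WAN subnet is rejected because 1.1.1.3 would be its broadcast address, so the smallest workable WAN slice is a /29, which still leaves ten fewer public addresses for servers than the flat /27 with 1:1 NAT.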
