Public IP Pass-through (DMZ Transparent Mode)

Public IP Pass-through (DMZ Transparent Mode)

As an intelligent router, FortiWAN is generally supposed to forwards packets between networks connected to its network ports according to the specified IP routing table, and any IP broadcast packet, including the ARP request, would not be forwarded. So that each of the connected network segments should be a separate layer 3 IP network. However, this can be different for particular WAN link deployments – routing-mode WAN links and multiple-static -IP bridge-mode WAN links. FortiWAN’s Public IP Pass-through logically combines a WAN port and a DMZ port to one localhost. By performing Proxy ARP (for IPv4) and ND Proxy (for IPv6) on the combined localhost, the connected layer 1 segments are combined to a common layer 2 segment. An IP network can be deployed and operate correctly over the two network segments. Public IP Pass-through minimizes the adaptation to current network topology and requires no changes to configurations on existing servers while introducing FortiWAN into the network. It is flexible to deploy some of the multiple public IPs that ISP provides for the WAN link to DMZ for external-facing services. Note that Public IP Pass-through will be activated automatically if a WAN link is configured as routing mode and deployed with “subnet in WAN and DMZ”, or configured as multiple-static -IP bridge mode with IP addresses being deployed in both WAN and DMZ segments. The following diagram shows how an IP network 203.69.118.11/255.225.255.248 is deployed over a WAN port and a DMZ port.

See also

l WAN types: Routing mode and Bridge mode l Scenarios to deploy subnets l Configuring your WAN

Scenarios to deploy subnets

No matter an available subnet (routing mode) or an IP range of a shared subnet you obtain from ISP, you will need making a plan how to deploy the multiple IP addresses.

To deploy the available subnet that ISP provides (routing mode) on FortiWAN, there are four different scenarios (be called subnet types as well) for your options:

Subnet in WAN : Deploy the subnet in WAN.
Subnet in DMZ : Deploy the subnet in DMZ.
Subnet in WAN and DMZ : Deploy the subnet in both WAN and DMZ. FortiWAN’s Public IP Passthrough function makes the two Ethernet segments in WAN and in DMZ one IP subnetwork (See “Public IP Pass-through”).
Subnet on Localhost : Deploy the whole subnet on localhost.

For cases of obtaining an IP range (bridge mode), the IP addresses could be allocated to:

IP(s) on Localhost    :   Allocate the IP addresses on localhost.

IP(s) in WAN    :   Allocate the IP addresses in WAN.

IP(s) in DMZ    :   Allocate the IP addresses in DMZ.

Static Routing Subnet

If there are subnets, which are called static routing subnets, connected to a basic subnet, it’s necessary to configure the static routing for external accessing to the static routing subnets.

See also
  • WAN types: Routing mode and Bridge mode
  • Public IP Pass-through
  • Configuring your WAN
  • LAN Private Subnet

VLAN and port mapping

Customers can assign every physical port (except the HA port) to be a WAN port, LAN port or a DMZ port on demand, which is called Port Mapping as well. The WAN ports, LAN ports and DMZ ports are actually physical ports on FortiWAN, they are just not at the fixed positions. The port mapping will be reflected in related configurations. FortiWAN supports IEEE 802.1Q (also known as VLAN Tagging), but it does not support Cisco’s ISL. Every physical port (except the HA port) can be divided into several VLAN with a VLAN switch, and those virtual ports can be mapped to WAN port, LAN port or DMZ port as well.

See also

Configurations for VLAN and Port Mapping

IPv6/IPv4 Dual Stack

FortiWAN supports deployment of IPv6/IPv4 Dual Stack in [Routing Mode], [Bridge Mode: One Static IP], [Bridge Mode: Multiple Static IP] and [Bridge Mode: PPPoE]. For configuration of IPv6/IPv4 Dual Stack, please select appropriate WAN Type (See “WAN types: Routing mode and Bridge mode”) for the WAN link according to the

IPv4 you are provided by ISP as mentioned previously, and configure for IPv4 and IPv6 at the WAN link together.

Except a WAN IPv6 subnet used to deploy for a WAN link, ISP might provide an extra LAN IPv6 subnet for deploying your LAN. Depending on the demand, the LAN IPv6 subnet can be deployed as basic subnet in DMZ as well for the WAN link.

This entry was posted in Administration Guides, FortiWAN on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Public IP Pass-through (DMZ Transparent Mode)

  1. dmytriv

    Hello,

    I have /24 block advertised by BGP: 7*.40.40.0/24. This entire block is assigned to a Loopback interface WAN1 – 7*.40.40.1/24 and all policies are configured abound it.
    I’m utilizing less than half of the block by using IP pools and Virtual IPs. All of the addresses in use are withing the range of 7*.40.40.1 – 7*.40.40.127

    I would like to slice this block in 2 subnets 7*.40.40.0/25 and 7*.40.40.128/25. Keep 7*.40.40.1/25 on the same WAN1 interface and assign 7*.40.40.129/25 to a new Loppback or physical interface.

    The second I change mask on WAN1 to /25 all of my Internet facing devices are going down.

    What is the effective way to accomplish this, so I can have two active /25 network segments (7*.40.40.0/25 and 7*.40.40.128/25) while still successfully advertising /24 (7*.40.40.0/24) out over BGP?
    I’m sure people would want to do it to preserve and reassign public IP addresses to devices/services downstream of Fortigate.

    Thank you,

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.