Solved

Spitting up an internet connection.

Posted on 2016-08-29
7
78 Views
Last Modified: 2016-09-04
Hello

I have a network routing issue I need some help with.

What I have:
ISP has provided me with a 200 mbs internet line.
/30 network for the WAN connection between my network and ISP's router(Cisco 150CCf-825)
An additional /27 public IP block on a separate public subnet.

The Plan:
The plan is to split the broadband line & /27 public IPs addresses between 20 Independent companies.
A Firewall Appliance(FortiGate 140D) is being used to do this.
I installed a Switch/Wifi Appliance (FortiAP 14C) in each company, providing them with internet, LAN and WiFi. The FortiAP 14C is patched back to the main firewall(FortiGate 140D).

The problem:
6 of the 20 companies, don't want to use the FortiAP 14C WiFi/switch I provided. They need to keep their own firewalls.
So for these companies I need to provide a pass-through internet line - i.e. where they will be able to configure their firewalls with a public IP address on our Public IP block.


Thinking one option would be to spit the /27 public subnet into two /28 subnets.
Create a 6 port VLAN on the firewall & assign it one of the /28 subnets.

Any advice is greatly appreciated.
0
Comment
Question by:ESSupport
  • 4
  • 3
7 Comments
 
LVL 26

Accepted Solution

by:
Fred Marshall earned 500 total points
ID: 41775456
Perhaps I have a simple-minded view of this sort of thing but here goes:

If one has a public IP address then for all intents and purposes a device with this address is connected directly to the internet.  
Well, that is, if there isn't a firewall of some sort that's intervening.  

We are all used to having devices with public IP addresses and know what to do with them (such as installing firewalls as your 6 companies want to do).

What I do in this case (i.e. the case of a public IP address block) is to interface with the ISP with a switch.  I call this switch the "Internet Switch" and, to me, it's a mini-instance of the entire internet.\
Any device connected to this switch has to be configured with a unique IP address out of the block.
That is all that's needed.

Now, when I control all of the devices that are connected this way (firewalls and VPN boxes), there is no issue of the addresses being duplicated or misused.  When you are distributing the block out to others then you may (or may not) be concerned about this.  If you are concerned about it then you might introduce your own router with those public IP addresses configured at each company and then they can introduce whatever firewall they like thereafter.

It's not clear to me what you're trying to accomplish with more subnets and VLANs....
1
 

Author Comment

by:ESSupport
ID: 41778955
Hi Fred,
Thanks very much for taking the time to respond. Problem is much clearer in my mind after reading your comment.

I think I should be able to replicate the switch & router u suggested within the FortiGate.
FortiGate has the option of running multiple instances ("vdoms") of the OS on the same devices.

What I plan on doing is created 3 vdom instances on the FortiGate.
vdom_Transparent - configured in transparent mode.
vdom_switch -  configured as a L2 network switch.
vdom_Routing - running Fortigate in NAT/Routing mode

With everything running through the firewall in transparent mode. Transparent mode will allow me to  enforce traffic shaping rules on all all companies -  which is one of the project requirements.

Have attached a simple image of the config, I'm going to test when onsite tomorrow.
Any followup comments are welcome!
Thanks
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 41778977
image?
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 

Author Comment

by:ESSupport
ID: 41779508
Will try that again.
fortigate.png
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 41780269
I don't probably understand the wireless / router part.  Does that mean LANs?  I guess that's what you've said.

The transparent part stays on the public internet block/subnet?

This all seems consistent with what could be workable.
0
 

Author Closing Comment

by:ESSupport
ID: 41783211
Hi Fred,
Finally got sorted! . So for it to work, Connected up devices in following order
ISP interface <-> Router
Router <-> Switch
Switch <-> Firewalls
Basically I implemented what you had said in your original post.
My ISP had a point to point connection configured on their interface - which means it will only communicate with one other interface. So putting a router between the ISP interface and the network switch was required.

Thanks again
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 41783805
Yes.  That's what we do as well.  In our case, the router separates a public IP address provided for this router from our public IP address block/subnet - from which the router uses up one address.  The others are available to be used by plugging into the internet switch.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
parental control on huwei HG658b 1 26
Network Vs Redistribute Connected Commands 3 38
BGP prefix and routing 3 57
Best adsl router for small MS network 6 38
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

791 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question