Solved

Splitting up an internet connection.

Posted on 2016-08-29
Last Modified: 2016-09-04
Hello

I have a network routing issue I need some help with.

What I have:
ISP has provided me with a 200 Mbps internet line.
/30 network for the WAN connection between my network and ISP's router (Cisco 150CCf-825)
An additional /27 public IP block on a separate public subnet.

The Plan:
The plan is to split the broadband line & /27 public IP addresses between 20 independent companies.
A Firewall Appliance (FortiGate 140D) is being used to do this.
I installed a Switch/WiFi Appliance (FortiAP 14C) in each company, providing them with internet, LAN and WiFi. The FortiAP 14C is patched back to the main firewall (FortiGate 140D).

The problem:
6 of the 20 companies don't want to use the FortiAP 14C WiFi/switch I provided. They need to keep their own firewalls.
So for these companies I need to provide a pass-through internet line, i.e. one where they will be able to configure their firewalls with a public IP address on our public IP block.


Thinking one option would be to split the /27 public subnet into two /28 subnets.
Create a 6 port VLAN on the firewall & assign it one of the /28 subnets.

Any advice is greatly appreciated.
Question by:ESSupport
7 Comments
LVL 25

Accepted Solution

by: Fred Marshall earned 500 total points
Perhaps I have a simple-minded view of this sort of thing but here goes:

If one has a public IP address then for all intents and purposes a device with this address is connected directly to the internet.
Well, that is, if there isn't a firewall of some sort that's intervening.

We are all used to having devices with public IP addresses and know what to do with them (such as installing firewalls as your 6 companies want to do).

What I do in this case (i.e. the case of a public IP address block) is to interface with the ISP with a switch. I call this switch the "Internet Switch" and, to me, it's a mini-instance of the entire internet.
Any device connected to this switch has to be configured with a unique IP address out of the block.
That is all that's needed.

Now, when I control all of the devices that are connected this way (firewalls and VPN boxes), there is no issue of the addresses being duplicated or misused. When you are distributing the block out to others then you may (or may not) be concerned about this. If you are concerned about it then you might introduce your own router with those public IP addresses configured at each company and then they can introduce whatever firewall they like thereafter.

It's not clear to me what you're trying to accomplish with more subnets and VLANs....

Author Comment

by:ESSupport
Hi Fred,
Thanks very much for taking the time to respond. Problem is much clearer in my mind after reading your comment.

I think I should be able to replicate the switch & router you suggested within the FortiGate.
FortiGate has the option of running multiple instances ("vdoms") of the OS on the same devices.

What I plan on doing is creating 3 vdom instances on the FortiGate.
vdom_Transparent - configured in transparent mode.
vdom_switch - configured as a L2 network switch.
vdom_Routing - running FortiGate in NAT/Routing mode

With everything running through the firewall in transparent mode. Transparent mode will allow me to enforce traffic shaping rules on all companies, which is one of the project requirements.

Have attached a simple image of the config, I'm going to test when onsite tomorrow.
Any followup comments are welcome!
Thanks
LVL 25

Expert Comment

by:Fred Marshall
image?

Author Comment

by:ESSupport
Will try that again.
fortigate.png
LVL 25

Expert Comment

by:Fred Marshall
I probably don't understand the wireless / router part. Does that mean LANs? I guess that's what you've said.

The transparent part stays on the public internet block/subnet?

This all seems consistent with what could be workable.

Author Closing Comment

by:ESSupport
Hi Fred,
Finally got it sorted! So for it to work, I connected up the devices in the following order:
ISP interface <-> Router
Router <-> Switch
Switch <-> Firewalls
Basically I implemented what you had said in your original post.
My ISP had a point to point connection configured on their interface - which means it will only communicate with one other interface. So putting a router between the ISP interface and the network switch was required.

Thanks again
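As an added worked example (not code from the thread, and not the asker's or Fortinet's configuration), the address arithmetic behind both the question's idea of splitting the /27 into two /28s and the final ISP <-> Router <-> Switch <-> Firewalls layout: the /30 point-to-point link has exactly two usable addresses, the /27 can either be carved into /28s or, as Fred suggests, kept whole on one "internet switch" where the router takes one address and each tenant firewall a unique one. The script also runs the check you would want before handing addresses to tenants, catching the duplication and misuse Fred mentions. All addresses are constructed samples from the RFC 5737 documentation ranges, and names such as `edge-router` and `tenant-1` are placeholders.

```python
"""Address plan for a public /27 shared across tenant firewalls.

Added worked example, not code from the thread. All addresses are
constructed samples from the RFC 5737 documentation ranges, not the
asker's real allocation.
"""
from __future__ import annotations

from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed sample values standing in for the ISP's /30 link and the /27 block.
WAN_LINK = IPv4Network("198.51.100.0/30")
PUBLIC_BLOCK = IPv4Network("203.0.113.0/27")


def wan_addresses(link: IPv4Network) -> tuple[str, str]:
    """A /30 point-to-point link has exactly two usable addresses:
    one for the ISP's router and one for the outside of our own router."""
    hosts = list(link.hosts())
    if len(hosts) != 2:
        raise ValueError(f"{link} is not a /30 point-to-point link")
    return str(hosts[0]), str(hosts[1])


def split_block(block: IPv4Network, new_prefix: int) -> list[str]:
    """The asker's first idea: carve the /27 into smaller subnets (two /28s).
    Each /28 loses its own network and broadcast address, so splitting costs
    two usable addresses compared with keeping the /27 whole."""
    return [str(n) for n in block.subnets(new_prefix=new_prefix)]


def plan_internet_switch(block: IPv4Network, router: str, tenants: list[str]) -> dict[str, str]:
    """Fred's model: the whole block lives on one L2 'internet switch'.
    The router's inside interface takes the first usable address and each
    tenant firewall gets the next one, all carrying the block's own mask."""
    hosts = list(block.hosts())
    needed = 1 + len(tenants)
    if needed > len(hosts):
        raise ValueError(f"{block} has {len(hosts)} usable addresses, need {needed}")
    names = [router, *tenants]
    return {name: f"{addr}/{block.prefixlen}" for name, addr in zip(names, hosts)}


def find_conflicts(assignments: dict[str, str], block: IPv4Network) -> list[str]:
    """Validate a hand-out plan: duplicates, addresses outside the block,
    a mask that does not match the block, or the network/broadcast address."""
    problems: list[str] = []
    seen: dict[IPv4Address, str] = {}
    for name, cidr in assignments.items():
        iface = IPv4Interface(cidr)
        if iface.ip not in block:
            problems.append(f"{name}: {iface.ip} is outside {block}")
        elif iface.ip in (block.network_address, block.broadcast_address):
            problems.append(f"{name}: {iface.ip} is the network or broadcast address")
        if iface.network != block:
            problems.append(f"{name}: mask /{iface.network.prefixlen} does not match {block}")
        if iface.ip in seen:
            problems.append(f"{name}: {iface.ip} duplicates {seen[iface.ip]}")
        else:
            seen[iface.ip] = name
    return problems


if __name__ == "__main__":
    print("WAN /30 (ISP side, our router):", wan_addresses(WAN_LINK))
    print("/27 split into /28s:", split_block(PUBLIC_BLOCK, 28))
    # Placeholder device names: one edge router plus the six pass-through tenants.
    plan = plan_internet_switch(PUBLIC_BLOCK, "edge-router", [f"tenant-{i}" for i in range(1, 7)])
    for name, cidr in plan.items():
        print(f"  {name:12} {cidr}")
    print("conflicts in plan:", find_conflicts(plan, PUBLIC_BLOCK))
```

`find_conflicts` is the part worth keeping around once the block is in use: rerun it against the current list of tenant addresses whenever a tenant changes their firewall, since on a shared L2 switch a duplicated or wrongly masked public address silently breaks reachability for whichever device loses the ARP race.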
LVL 25

Expert Comment

by:Fred Marshall
Yes. That's what we do as well. In our case, the router separates a public IP address provided for this router from our public IP address block/subnet, from which the router uses up one address. The others are available to be used by plugging into the internet switch.