Solved

Splitting up an internet connection.

Posted on 2016-08-29
84 Views
Last Modified: 2016-09-04
Hello

I have a network routing issue I need some help with.

What I have:
ISP has provided me with a 200 Mbps internet line.
/30 network for the WAN connection between my network and the ISP's router (Cisco 150CCf-825).
An additional /27 public IP block on a separate public subnet.

The Plan:
The plan is to split the broadband line & /27 public IP addresses between 20 independent companies.
A firewall appliance (FortiGate 140D) is being used to do this.
I installed a switch/WiFi appliance (FortiAP 14C) in each company, providing them with internet, LAN and WiFi. The FortiAP 14C is patched back to the main firewall (FortiGate 140D).

The problem:
6 of the 20 companies don't want to use the FortiAP 14C WiFi/switch I provided. They need to keep their own firewalls.
So for these companies I need to provide a pass-through internet line, i.e. where they will be able to configure their firewalls with a public IP address on our public IP block.


Thinking one option would be to split the /27 public subnet into two /28 subnets.
Create a 6-port VLAN on the firewall & assign it one of the /28 subnets.

Any advice is greatly appreciated.
Question by:ESSupport
7 Comments
LVL 26

Accepted Solution

by:
Fred Marshall earned 500 total points
ID: 41775456
Perhaps I have a simple-minded view of this sort of thing but here goes:

If one has a public IP address then for all intents and purposes a device with this address is connected directly to the internet.
Well, that is, if there isn't a firewall of some sort that's intervening.

We are all used to having devices with public IP addresses and know what to do with them (such as installing firewalls as your 6 companies want to do).

What I do in this case (i.e. the case of a public IP address block) is to interface with the ISP with a switch.  I call this switch the "Internet Switch" and, to me, it's a mini-instance of the entire internet.
Any device connected to this switch has to be configured with a unique IP address out of the block.
That is all that's needed.

Now, when I control all of the devices that are connected this way (firewalls and VPN boxes), there is no issue of the addresses being duplicated or misused.  When you are distributing the block out to others then you may (or may not) be concerned about this.  If you are concerned about it then you might introduce your own router with those public IP addresses configured at each company and then they can introduce whatever firewall they like thereafter.

It's not clear to me what you're trying to accomplish with more subnets and VLANs....
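As an added illustration (not part of the original thread), the address plan Fred describes can be written down and checked: the router in front of the ISP link takes one address from the block, each pass-through tenant firewall gets one further unique address, and a check catches the duplicate or misused addresses he mentions. The /27 block and tenant names are constructed sample values (RFC 5737 documentation range), since the question does not give the real ones; the /28 split is the option the question considered.

```python
import ipaddress

# Constructed sample values: the question's real /27 is not given.
PUBLIC_BLOCK = "203.0.113.0/27"
TENANTS = ["company-A", "company-B", "company-C",
           "company-D", "company-E", "company-F"]


def split_block(block: str, new_prefix: int = 28):
    """Split the block as the question considered (/27 -> two /28s)."""
    return [str(n) for n in ipaddress.ip_network(block).subnets(new_prefix=new_prefix)]


def plan_addresses(block: str, tenants):
    """Assign the 'internet switch' addresses: router first, then one per tenant.

    Returns a dict name -> address, with the router under the key "router".
    """
    net = ipaddress.ip_network(block)
    hosts = list(net.hosts())  # usable addresses: excludes network and broadcast
    if len(tenants) + 1 > len(hosts):
        raise ValueError(f"{block} has only {len(hosts)} usable addresses")
    plan = {"router": str(hosts[0])}
    for tenant, addr in zip(tenants, hosts[1:]):
        plan[tenant] = str(addr)
    return plan


def check_plan(block: str, plan):
    """List problems: duplicates, addresses outside the block, network/broadcast use."""
    net = ipaddress.ip_network(block)
    problems, seen = [], {}
    for name, addr in plan.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{name}: {addr} is not in {block}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {addr} is the network or broadcast address")
        if ip in seen:
            problems.append(f"{name}: {addr} duplicates {seen[ip]}")
        seen.setdefault(ip, name)
    return problems


if __name__ == "__main__":
    plan = plan_addresses(PUBLIC_BLOCK, TENANTS)
    print(split_block(PUBLIC_BLOCK))
    print(plan)
    print("problems:", check_plan(PUBLIC_BLOCK, plan))
```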

Author Comment

by:ESSupport
ID: 41778955
Hi Fred,
Thanks very much for taking the time to respond. Problem is much clearer in my mind after reading your comment.

I think I should be able to replicate the switch & router you suggested within the FortiGate.
FortiGate has the option of running multiple instances ("VDOMs") of the OS on the same device.

What I plan on doing is creating 3 VDOM instances on the FortiGate:
vdom_Transparent - configured in transparent mode.
vdom_switch - configured as an L2 network switch.
vdom_Routing - running FortiGate in NAT/routing mode.

With everything running through the firewall in transparent mode. Transparent mode will allow me to enforce traffic shaping rules on all companies, which is one of the project requirements.

I have attached a simple image of the config I'm going to test when onsite tomorrow.
Any followup comments are welcome!
Thanks
LVL 26

Expert Comment

by:Fred Marshall
ID: 41778977
image?
Author Comment

by:ESSupport
ID: 41779508
Will try that again.
fortigate.png
LVL 26

Expert Comment

by:Fred Marshall
ID: 41780269
I don't probably understand the wireless / router part.  Does that mean LANs?  I guess that's what you've said.

The transparent part stays on the public internet block/subnet?

This all seems consistent with what could be workable.

Author Closing Comment

by:ESSupport
ID: 41783211
Hi Fred,
Finally got it sorted! So for it to work, I connected up the devices in the following order:
ISP interface <-> Router
Router <-> Switch
Switch <-> Firewalls
Basically I implemented what you had said in your original post.
My ISP had a point-to-point connection configured on their interface, which means it will only communicate with one other interface. So putting a router between the ISP interface and the network switch was required.

Thanks again
LVL 26

Expert Comment

by:Fred Marshall
ID: 41783805
Yes.  That's what we do as well.  In our case, the router separates a public IP address provided for this router from our public IP address block/subnet, from which the router uses up one address.  The others are available to be used by plugging into the internet switch.