Splitting up an internet connection.

Posted on 2016-08-29
Last Modified: 2016-09-04
Hello

I have a network routing issue I need some help with.

What I have:
ISP has provided me with a 200 Mbps internet line.
/30 network for the WAN connection between my network and the ISP's router (Cisco 150CCf-825).
An additional /27 public IP block on a separate public subnet.

The Plan:
The plan is to split the broadband line & /27 public IP addresses between 20 independent companies.
A Firewall Appliance (FortiGate 140D) is being used to do this.
I installed a Switch/WiFi Appliance (FortiAP 14C) in each company, providing them with internet, LAN and WiFi. The FortiAP 14C is patched back to the main firewall (FortiGate 140D).

The problem:
6 of the 20 companies don't want to use the FortiAP 14C WiFi/switch I provided. They need to keep their own firewalls.
So for these companies I need to provide a pass-through internet line, i.e. where they will be able to configure their firewalls with a public IP address on our public IP block.


Thinking one option would be to split the /27 public subnet into two /28 subnets.
Create a 6-port VLAN on the firewall & assign it one of the /28 subnets.

Any advice is greatly appreciated.
Question by:ESSupport
Accepted Solution

by:
Fred Marshall earned 2000 total points
ID: 41775456
Perhaps I have a simple-minded view of this sort of thing but here goes:

If one has a public IP address then for all intents and purposes a device with this address is connected directly to the internet.
Well, that is, if there isn't a firewall of some sort that's intervening.

We are all used to having devices with public IP addresses and know what to do with them (such as installing firewalls as your 6 companies want to do).

What I do in this case (i.e. the case of a public IP address block) is to interface with the ISP with a switch. I call this switch the "Internet Switch" and, to me, it's a mini-instance of the entire internet.
Any device connected to this switch has to be configured with a unique IP address out of the block.
That is all that's needed.

Now, when I control all of the devices that are connected this way (firewalls and VPN boxes), there is no issue of the addresses being duplicated or misused. When you are distributing the block out to others then you may (or may not) be concerned about this. If you are concerned about it then you might introduce your own router with those public IP addresses configured at each company and then they can introduce whatever firewall they like thereafter.

It's not clear to me what you're trying to accomplish with more subnets and VLANs....

Author Comment

by:ESSupport
ID: 41778955
Hi Fred,
Thanks very much for taking the time to respond. Problem is much clearer in my mind after reading your comment.

I think I should be able to replicate the switch & router you suggested within the FortiGate.
FortiGate has the option of running multiple instances ("vdoms") of the OS on the same device.

What I plan on doing is creating 3 vdom instances on the FortiGate:
vdom_Transparent - configured in transparent mode.
vdom_switch - configured as a L2 network switch.
vdom_Routing - running FortiGate in NAT/Routing mode.

With everything running through the firewall in transparent mode. Transparent mode will allow me to enforce traffic shaping rules on all companies, which is one of the project requirements.

Have attached a simple image of the config, I'm going to test when onsite tomorrow.
Any followup comments are welcome!
Thanks
Expert Comment

by:Fred Marshall
ID: 41778977
image?
Author Comment

by:ESSupport
ID: 41779508
Will try that again.
fortigate.png
Expert Comment

by:Fred Marshall
ID: 41780269
I probably don't understand the wireless / router part. Does that mean LANs? I guess that's what you've said.

The transparent part stays on the public internet block/subnet?

This all seems consistent with what could be workable.
Author Closing Comment

by:ESSupport
ID: 41783211
Hi Fred,
Finally got it sorted! So for it to work, I connected up the devices in the following order:
ISP interface <-> Router
Router <-> Switch
Switch <-> Firewalls
Basically I implemented what you had said in your original post.
My ISP had a point-to-point connection configured on their interface, which means it will only communicate with one other interface. So putting a router between the ISP interface and the network switch was required.

Thanks again
Expert Comment

by:Fred Marshall
ID: 41783805
Yes. That's what we do as well. In our case, the router separates a public IP address provided for this router from our public IP address block/subnet, from which the router uses up one address. The others are available to be used by plugging into the internet switch.
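The final layout (ISP /30 <-> router <-> "Internet Switch" <-> tenant firewalls) as a small address-planning script, added here as an example; it is not code from the thread or from Fortinet. The thread gives no real addresses, so 198.51.100.0/30 and 203.0.113.0/27 are constructed placeholders, the router is assumed to take the first usable address of the block (the "uses up one address" point above), and the check for duplicate or out-of-block addresses covers Fred's concern about the block being duplicated or misused once it is handed out to other companies. The /28 split the question floated is included for comparison.

```python
import ipaddress

# Constructed placeholders: the thread names a /30 WAN link and a /27 public
# block but gives no addresses, so these are not real networks.
WAN_LINK = ipaddress.ip_network("198.51.100.0/30")
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/27")


def plan_internet_switch(block, wan, tenants):
    """Carve the public block for the Internet Switch layout.

    Assumptions (not from the thread): the ISP holds the first usable /30
    address and our router the second; the router takes the first usable
    address of the public block, each tenant firewall gets one address from
    the rest, and whatever is left over is reported as spare.
    Returns a dict of role -> address string (spare -> list of strings)."""
    wan_hosts = list(wan.hosts())           # a /30 has exactly two: ISP + us
    usable = list(block.hosts())            # excludes network and broadcast
    if len(tenants) > len(usable) - 1:
        raise ValueError("not enough public addresses for router + tenants")
    plan = {"router_wan": str(wan_hosts[1]), "router": str(usable[0])}
    for tenant, addr in zip(tenants, usable[1:]):
        plan[tenant] = str(addr)
    plan["spare"] = [str(a) for a in usable[1 + len(tenants):]]
    return plan


def check_assignment(block, plan, tenant, proposed):
    """Validate an address a tenant wants to configure on their own firewall.

    Returns an empty list when the address is acceptable, otherwise a list
    of problems: outside the block, network/broadcast, or already taken."""
    addr = ipaddress.ip_address(proposed)
    problems = []
    if addr not in block:
        problems.append(f"{addr} is outside {block}")
    elif addr in (block.network_address, block.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address")
    taken = {v: k for k, v in plan.items() if isinstance(v, str)}
    owner = taken.get(str(addr))
    if owner is not None and owner != tenant:
        problems.append(f"{addr} is already assigned to {owner}")
    return problems


def split_block(block, new_prefix=28):
    """The alternative from the question: split the /27 into two /28s."""
    return [str(n) for n in block.subnets(new_prefix=new_prefix)]
```

Six tenants leave 23 spare addresses in a /27 once the router has taken one, which is the headroom the two-/28 split would have given up by reserving network and broadcast addresses in each half.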