Solved

Splitting up an internet connection.

Posted on 2016-08-29
7
92 Views
Last Modified: 2016-09-04
Hello

I have a network routing issue I need some help with.

What I have:
ISP has provided me with a 200 Mbps internet line.
A /30 network for the WAN connection between my network and the ISP's router (Cisco 150CCf-825).
An additional /27 public IP block on a separate public subnet.

The Plan:
The plan is to split the broadband line & the /27 public IP addresses between 20 independent companies.
A firewall appliance (FortiGate 140D) is being used to do this.
I installed a switch/WiFi appliance (FortiAP 14C) in each company, providing them with internet, LAN and WiFi. The FortiAP 14C is patched back to the main firewall (FortiGate 140D).

The problem:
6 of the 20 companies don't want to use the FortiAP 14C WiFi/switch I provided. They need to keep their own firewalls.
So for these companies I need to provide a pass-through internet line - i.e. one where they will be able to configure their firewalls with a public IP address from our public IP block.


Thinking one option would be to split the /27 public subnet into two /28 subnets.
Create a 6-port VLAN on the firewall & assign it one of the /28 subnets.

Any advice is greatly appreciated.
Question by:ESSupport
7 Comments
 
LVL 26

Accepted Solution

by:
Fred Marshall earned 500 total points
ID: 41775456
Perhaps I have a simple-minded view of this sort of thing but here goes:

If one has a public IP address then for all intents and purposes a device with this address is connected directly to the internet.  
Well, that is, if there isn't a firewall of some sort that's intervening.  

We are all used to having devices with public IP addresses and know what to do with them (such as installing firewalls as your 6 companies want to do).

What I do in this case (i.e. the case of a public IP address block) is to interface with the ISP with a switch.  I call this switch the "Internet Switch" and, to me, it's a mini-instance of the entire internet.
Any device connected to this switch has to be configured with a unique IP address out of the block.
That is all that's needed.

Now, when I control all of the devices that are connected this way (firewalls and VPN boxes), there is no issue of the addresses being duplicated or misused.  When you are distributing the block out to others then you may (or may not) be concerned about this.  If you are concerned about it then you might introduce your own router with those public IP addresses configured at each company and then they can introduce whatever firewall they like thereafter.

It's not clear to me what you're trying to accomplish with more subnets and VLANs....
 

Author Comment

by:ESSupport
ID: 41778955
Hi Fred,
Thanks very much for taking the time to respond. Problem is much clearer in my mind after reading your comment.

I think I should be able to replicate the switch & router you suggested within the FortiGate.
FortiGate has the option of running multiple instances ("vdoms") of the OS on the same device.

What I plan on doing is creating 3 vdom instances on the FortiGate:
vdom_Transparent - configured in transparent mode.
vdom_switch - configured as a L2 network switch.
vdom_Routing - running FortiGate in NAT/Routing mode.

With everything running through the firewall in transparent mode. Transparent mode will allow me to enforce traffic shaping rules on all companies - which is one of the project requirements.

Have attached a simple image of the config I'm going to test when onsite tomorrow.
Any followup comments are welcome!
Thanks
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 41778977
image?
 

Author Comment

by:ESSupport
ID: 41779508
Will try that again.
fortigate.png
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 41780269
I probably don't understand the wireless / router part.  Does that mean LANs?  I guess that's what you've said.

The transparent part stays on the public internet block/subnet?

This all seems consistent with what could be workable.
 

Author Closing Comment

by:ESSupport
ID: 41783211
Hi Fred,
Finally got it sorted! So for it to work, I connected up the devices in the following order:
ISP interface <-> Router
Router <-> Switch
Switch <-> Firewalls
Basically I implemented what you had said in your original post.
My ISP had a point-to-point connection configured on their interface - which means it will only communicate with one other interface. So putting a router between the ISP interface and the network switch was required.

Thanks again
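The topology the thread ends on (ISP /30 point-to-point link, then a router, then the "internet switch" with the tenant firewalls plugged into it), together with Fred's point that every device on that switch must carry a unique address out of the block, worked through as an added example. This code is not part of the original thread and is not FortiGate configuration; it is a vendor-neutral address plan written in Python with only the standard-library `ipaddress` module. The addresses are RFC 5737 documentation ranges chosen for illustration (the thread gives no real addresses), and the choices that the router takes the first usable address of the block as the tenants' default gateway, and that the ISP end of the /30 is its lower address, are assumptions of the example. `split_budget` also quantifies the /28 split the question considered, assuming one gateway address per subnet.

```python
"""Address plan for a routed public block behind a point-to-point /30.

Added example, not from the original thread. Addresses are RFC 5737
documentation ranges (assumed, for illustration only). Topology modelled:

    ISP <-> router (/30 on the WAN side, /27 on the LAN side) <-> switch <-> tenant firewalls
"""
from ipaddress import IPv4Interface, IPv4Network


def plan(wan_p2p: str, public_block: str, tenants: list[str],
         isp_end_first: bool = True) -> dict:
    """Return interface addresses and the routes each party needs.

    wan_p2p      -- the /30 between the ISP router and our router
    public_block -- the routed block (a /27 in the thread) handed out to tenants
    tenants      -- tenant names; each gets exactly one public address
    Raises ValueError if the block cannot hold all tenants plus the gateway.
    """
    p2p = IPv4Network(wan_p2p)
    block = IPv4Network(public_block)
    if p2p.prefixlen != 30:
        raise ValueError("point-to-point WAN link should be a /30")
    if p2p.overlaps(block):
        raise ValueError("WAN /30 must not overlap the routed block")

    isp_ip, our_wan_ip = list(p2p.hosts())  # a /30 has exactly two usable hosts
    if not isp_end_first:                   # assumption: ISP holds the lower address
        isp_ip, our_wan_ip = our_wan_ip, isp_ip

    # Assumption: the router takes the first usable address of the block as the
    # tenants' gateway; the remaining addresses are handed out one per firewall.
    usable = list(block.hosts())
    gateway, pool = usable[0], usable[1:]
    if len(tenants) > len(pool):
        raise ValueError(f"{block} has {len(pool)} tenant addresses, need {len(tenants)}")

    assignments = {name: IPv4Interface(f"{ip}/{block.prefixlen}")
                   for name, ip in zip(tenants, pool)}
    return {
        "router_wan": IPv4Interface(f"{our_wan_ip}/{p2p.prefixlen}"),
        "router_lan": IPv4Interface(f"{gateway}/{block.prefixlen}"),
        # The ISP must route the whole block to our end of the /30; without this
        # route nothing in the block is reachable from the internet.
        "isp_static_route": (block, our_wan_ip),
        "router_default_route": isp_ip,
        "tenant_default_gateway": gateway,
        "tenants": assignments,
        "spare": pool[len(tenants):],
    }


def check_plan(p: dict) -> list[str]:
    """Checks the 'internet switch' model relies on: every device on the switch
    has an address that is inside the block, is not the network or broadcast
    address, and is not shared with the gateway or another tenant."""
    problems = []
    block = p["router_lan"].network
    seen = {p["router_lan"].ip}
    for name, iface in p["tenants"].items():
        ip = iface.ip
        if ip not in block or ip in (block.network_address, block.broadcast_address):
            problems.append(f"{name}: {ip} is not a usable address in {block}")
        if ip in seen:
            problems.append(f"{name}: {ip} duplicates another device on the switch")
        seen.add(ip)
    return problems


def split_budget(public_block: str, new_prefix: int) -> dict:
    """Cost of splitting the block into smaller subnets (the /28 idea in the
    question): each subnet loses its network, broadcast and one gateway
    address, so fewer addresses remain for tenant firewalls."""
    block = IPv4Network(public_block)
    subs = list(block.subnets(new_prefix=new_prefix))
    per_sub = len(list(subs[0].hosts())) - 1  # one gateway per subnet (assumed)
    return {"subnets": subs,
            "tenant_addresses_per_subnet": per_sub,
            "total_tenant_addresses": per_sub * len(subs)}


if __name__ == "__main__":
    p = plan("203.0.113.0/30", "198.51.100.0/27",
             [f"tenant{i}" for i in range(1, 7)])  # the 6 pass-through companies
    print("router WAN     ", p["router_wan"], "default via", p["router_default_route"])
    print("router LAN     ", p["router_lan"])
    print("ISP static route", p["isp_static_route"][0], "via", p["isp_static_route"][1])
    for name, iface in p["tenants"].items():
        print(f"{name:8} {iface}  gw {p['tenant_default_gateway']}")
    print("spare addresses:", len(p["spare"]))
    print("problems:", check_plan(p) or "none")
    b = split_budget("198.51.100.0/27", 28)
    print("two /28s would leave", b["total_tenant_addresses"], "tenant addresses")
```

Run it as-is to print the plan; change the tenant list or the block to see the budget shift. The `isp_static_route` entry is the item that is easy to forget when the /30 is point-to-point: the tenants' block has to be routed by the ISP to the router's /30 address, and the router in turn needs the /27 on its switch-facing interface, which is exactly why the author needed the router between the ISP interface and the switch.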
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 41783805
Yes.  That's what we do as well.  In our case, the router separates a public IP address provided for this router from our public IP address block/subnet - from which the router uses up one address.  The others are available to be used by plugging into the internet switch.
