Configuring IP pools
An IP pool is essentially one in which the IP address that is assigned to the sending computer is not known until the session is created, therefore at the very least it will have to be a pool of at least 2 potential addresses. A quick example would be an IP pool for users of a VPN. IP pools are based upon the version of IP determined by the interface that they are associated with so as expected there are two types of IP pools that can be configured:
l “Creating a IPv4 Pool” on page 189 l “Creating a IPv6 Pool” on page 193
Because of the differences in the configuration for the two types of pools, instructions for configuring them will be done separately.
Creating a IPv4 Pool
- Go to Policy & Objects > IP Pools.
- Select Create New.
- In the IP Pool Type field choose IPv4 Pool
- Enter a name in the Name field for the new service Include any description you would like in the Comments field
- In the Type field choose between:
l Overload l One-to-One l Fixed Port Range l Port Block Allocation
At this point the configurations can start to differ based on the type of type of pool.
For more information on the different types of IP pools, check IP Pools in the Concepts section.
Overload
- For the External IP Range fields, enter the lowest and highest addresses in the range. If you only want a single address used, enter the same address in both fields.
- Enable the ARP Reply field by making sure there is a check in the box
- Select OK
Configuring IP pools
Overload Example for GUI
In this example, the Sales team needs to connect to an Application Service Provider that does the accounting for the company. As a security measure, the ASP only accepts traffic from a white list of IP addresses. There is 1 public IP address of the company on that list.The Sales team consists of 40 people, so they need to share.The external interface is wan1.
| Field | Value |
| IP Pool Type | IPv4 Pool |
| Name | Sales_Team |
| Comments | For the Sales team to use to connect to the Accounting ASP |
| Type | Overload (This is the default) |
| External IP Range | 10.23.56.20 – 10.23.56.20 |
| ARP Reply | enabled |
Overload Example for CLI
config firewall ippool edit Sales_Team set comments “For the Sales team to use to connect to the Accounting ASP” set type overload set startip 10.23.56.20 set endip 10.23.56.20 set arp-reply enable set arp-intf wan1 end
One-to-one
- For the External IP Range fields, enter the lowest and highest addresses in the range. If you only want a single address used, enter the same address in both fields.
- Enable the ARP Reply field by making sure there is a check in the box.
- Select OK
One-to-one Example for GUI
In this example, the external IP address of the mail server is part of a range assigned to the company but not the one that is assigned to the Internet facing interface. A VIP has been set up but in order to properly resolve
Reverse DNS lookups the mail server always has to use a specific IP address.The external interface is wan1.
| Field | Value | |
| IP Pool Type | IPv4 Pool | |
| Field | Value | |
| Name | Mail-Server | |
| Comments | So the the correct IP address is resolved on Reverse DNS look ups of the mail server. | |
| Type | One-to-one | |
| External IP Range | 10.23.56.21 – 10.23.56.21 | |
| ARP Reply | enabled | |
One-to-one Example for CLI
config firewall ippool edit Mail-Server set comments “So the the correct IP address is resolved on reverse DNS look ups of the mail server.”
set type one-to-one set startip 10.23.56.21 set endip 10.23.56.21 set arp-reply enable set arp-intf wan1 end
Fixed Port Range
- For the External IP Range fields, enter the lowest and highest addresses in the range. If you only want a single address used, enter the same address in both fields.
- Fort the Internal IP Range fields, enter the lowest and highest addresses in the range.
- Enable the ARP Reply field by making sure there is a check in the box
- Select OK
Fixed Port Range Example for GUI
In this example, the company has a range of 10 IP address that they want to be used by employees on a specific subnet for NATing.The external interface is wan1.
| Field | Value | |
| IP Pool Type | IPv4 Pool | |
| Name | IPPool-3 | |
| Comments | IP range to be used by outgoing traffic | |
| Type | Fixed Port Range | |
| External IP Range | 10.23.56.22 – 10.23.56.31 |
Configuring IP pools
| Field | Value |
| Internal IP Range | 192.168.23.1 – 192.168.23.254 |
| ARP Reply | enabled |
Fixed Port Range Example for CLI
config firewall ippool edit IPPool-3 set comments “So the the correct IP address is resolved on reverse DNS look ups of the mail server.”
set type fixed-port-range set startip 10.23.56.22 set endip 10.23.56.31 set source-startip 192.168.23.1 set source-endip 192.168.23.254 set arp-reply enable set arp-intf wan1 end
Port Block Allocation
- For the External IP Range fields, enter the lowest and highest addresses in the range. If you only want a single address used, enter the same address in both fields.
- In the Block Size field, either type in the value or use the up or down arrows to set the value of the block size.
- In the Blocks Per User field, either type in the value or use the up or down arrows to set the value for the number of blocks per user.
- Enable the ARP Reply field by making sure there is a check in the box
- Select OK
Port Block Allocation Example for GUI
In this example,an small ISP is setting up NATing for its clients, but to be fair it is putting some restrictions on the number of connections each client can have so that no one hogs all of the possible ports and addresses.The external interface is port12.
| Field | Value | |
| IP Pool Type | IPv4 Pool | |
| Name | Client-IPPool | |
| Comments | IP Pool for clients to access the Internet | |
| Type | Port Block Allocation | |
| External IP Range | 10.23.75.5 – 10.23.75.200 | |
| Block Size | 64 | |
| Field | Value | |
| Blocks Per User | 8 | |
| ARP Reply | enabled | |
Port Block Allocation Example for CLI
config firewall ippool edit Client-IPPool set comments “IP Pool for clients to access the Internet”
set type port-block-allocation set startip 10.23.75.5 set endip 10.23.75.200 set block-size 64 set num-blocks-per-user 8 set permit-any-host disable set arp-intf wan1 set arp-reply enableset arp-intf port12 end
Creating a IPv6 Pool
- Go to Policy & Objects > IP Pools.
- Select Create New.
- In the IP Pool Type field choose IPv6 Pool
- Enter a name in the Name field for the new service
- Include any description you would like in the Comments field
- For the External IP Range fields, enter the lowest and highest addresses in the range.
IPv6 Example for GUI
In this example,there is a similar situation to the One-to-one example earlier.There is a mail server that needs to be resolved to a specific IP address in Reverse DNS look-ups. The difference in this case is the company is an early adopter of IPv6 connectivity to the Internet.
| Field | Value |
| IP Pool Type | IPv6 Pool |
| Name | Mail-svr-ipv6 |
| Comments | Registered IPv6 address for mail server |
| External IP Range | fd2f:50ec:cdea:0663::1025 – fd2f:50ec:cdea:0663::1025 |
Port Block Allocation Example for CLI
config firewall ippool6 edit Mail-svr-ipv6
set comments “Registered IPv6 address for mail server”
set startip fd2f:50ec:cdea:663::102 set endip fd2f:50ec:cdea:663::1025 end
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!