FortiWAN WAN/DMZ Private Subnet

Having gone through the public subnet configurations, let’s move on to the private subnet settings. This section lists a few typical topologies for private subnets. As with public subnets, FortiWAN supports two types of private subnet according to the deployment: connected directly to FortiWAN, or connected indirectly via a router. The two are configured from [Basic Subnet] and [Static Routing Subnet] respectively. FortiWAN supports both IPv4 and IPv6 for both private subnet types.

On its UI, [IPv4 Basic Subnet] and [IPv6 Basic Subnet] can be one of:

  • Subnet in WAN
  • Subnet in DMZ
  • Subnet in WAN and DMZ
  • Subnet on Localhost (not supported in [IPv6 Basic Subnet])

And [IPv4 Static Routing Subnet] and [IPv6 Static Routing Subnet] can be one of:

  • Subnet in WAN
  • Subnet in DMZ

[Basic Subnet]: Subnet in WAN

This topology is frequently found where cluster hosts in an IPv4 private subnet are located on the WAN. In this example, FortiWAN port2 has been mapped to a WAN port, with IP 192.168.3.1. Select [Subnet in WAN] from [Subnet Type] in [Basic Subnet]. Then enter 192.168.3.1 in [IP(s) on Localhost] and the subnet’s netmask in [Netmask].

Note: FortiWAN assumes that all IP addresses of the subnet that are not listed in [IP(s) on Localhost] are in the WAN.

[Basic Subnet]: Subnet in DMZ

This topology is frequently found where cluster hosts in an IPv4 private subnet are located on the DMZ. In this example, FortiWAN port5 has been mapped to a DMZ port with the private IP 192.168.4.254, and the whole subnet 192.168.4.x is located on the DMZ. From the UI, select [Subnet in DMZ] from [Subnet Type] in [Basic Subnet].

Check [Enable DHCP] if hosts in the DMZ subnet require DHCP service, and enter the starting and ending addresses in [DHCP Range]. If any host in the subnet uses a static IP address, enter its IP and MAC address in [Static Mapping]. Note: FortiWAN assumes that all IP addresses of the subnet that are not listed in [IP(s) on Localhost] are in the DMZ, so there is no need to configure them.

[Basic Subnet]: Subnet in WAN and DMZ

This topology is found where cluster hosts in an IPv4 private subnet are located in both WAN and DMZ. FortiWAN here assumes that IP addresses not listed in [IP(s) on Localhost] or [IP(s) in WAN] are all in the DMZ. Port2 and port5 are connected by a dotted line, indicating that the subnet spreads across WAN (port2) and DMZ (port5). FortiWAN uses Proxy ARP to join the two halves into one subnet. In this example, more than one IP address is needed on FortiWAN for the bridging, and those addresses must all be on the same network segment.

Enter 192.168.5.20-192.168.5.30 in [IP(s) on Localhost], and 192.168.5.10-192.168.5.19 in [IP(s) in WAN].

[Basic Subnet]: Subnet on Localhost

This topology is found where a whole IPv4 private subnet is assigned to FortiWAN itself, so that the IP addresses in this subnet can be used by Virtual Server. An IPv6 private subnet is not supported for this subnet type.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

LAN Private Subnet

[LAN Private Subnet] is the second most important part of deploying FortiWAN in your network. In contrast with the WAN Settings, which activate WAN link transmission from FortiWAN to the Internet (external network), LAN Private Subnet configures the internal network on FortiWAN’s LAN ports. There are two parts to setting up a LAN private subnet: Basic Subnet and Static Routing Subnet, which respectively cover the subnets connected directly to FortiWAN’s LAN ports and the subnets connected indirectly to FortiWAN via a router. (See “Scenarios to deploy subnets”)

Basic Subnet

Here is a simple example to demonstrate a configuration for the basic subnet in the typical LAN environment.

As the illustration shows, FortiWAN port3 has been mapped to a LAN port via [System / Network Setting / VLAN and Port Mapping] (See “VLAN and Port Mapping”) and assigned the private IP 192.168.34.254. Enter this IP address in the field [IP(s) on Localhost]. For hosts in the LAN, port3 (192.168.34.254) also serves as the gateway. Enter the netmask (255.255.255.0) of the subnet in the field [Netmask] and select the LAN port.

IPv4 Basic Subnet  
IP(s) on Localhost 192.168.34.254
Netmask 255.255.255.0
LAN Port Port3

Check [Enable DHCP] to allocate IP addresses (any of 192.168.34.175~192.168.34.199 in this example) dynamically via DHCP to PCs in the LAN. If any host in the LAN requires a static IP address, enter in [Static Mapping] the IP address to designate together with the MAC address of that PC.

[NAT Subnet for VS] is optional. When users in the LAN or DMZ access the WAN IP of a virtual server, their packets reach the internal server through FortiWAN, but the server’s replies may bypass FortiWAN and flow back to the user directly, because both sit on the same internal segment. This function translates the source IP address of the users’ packets into an IP address of FortiWAN, which forces the replies back through FortiWAN. If the box is not checked, the system decides by itself which IP address to translate into.

Similarly, to deploy an IPv6 private LAN on FortiWAN port4 (mapped to a LAN port), the IPv6 address 2001:a:b:cd08::1 serves as the gateway for PCs in the LAN. Check [Enable SLAAC] or [Enable DHCPv6 Service] to allocate IPv6 addresses dynamically to PCs in the LAN. [NAT Subnet for VS] is not supported for an IPv6 private LAN. SLAAC and DHCPv6 in FortiWAN are designed to work together: SLAAC answers a host with a router advertisement (carrying the default gateway and DNS server), and DHCPv6 hands the host an appropriate IPv6 address.
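The asymmetric path that [NAT Subnet for VS] prevents is easiest to see in a small model. The following Python is an added example written for this page; it is not FortiWAN code and does not model FortiWAN’s real NAT engine. The LAN gateway 192.168.34.254 and the /24 are taken from the example above; the internal server 192.168.34.10, the LAN client 192.168.34.100 and the virtual server’s public address 203.0.113.10 are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed topology. The LAN gateway and /24 are the page's example; the rest is assumed.
LAN_NET = ipaddress.ip_network("192.168.34.0/24")
FORTIWAN_LAN_IP = ipaddress.ip_address("192.168.34.254")   # FortiWAN port3, LAN gateway
SERVER_IP = ipaddress.ip_address("192.168.34.10")          # internal server behind the VS (assumed)
VS_WAN_IP = ipaddress.ip_address("203.0.113.10")           # public address of the VS (assumed)
CLIENT_IP = ipaddress.ip_address("192.168.34.100")         # LAN user (assumed)


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


class VirtualServer:
    """Toy model of the VS: DNAT to the real server, plus optional source NAT to
    FortiWAN's own LAN address when [NAT Subnet for VS] is checked."""

    def __init__(self, nat_subnet_for_vs: bool) -> None:
        self.nat_subnet_for_vs = nat_subnet_for_vs
        self.sessions: Dict[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address],
                            ipaddress.IPv4Address] = {}

    def inbound(self, pkt: Packet) -> Packet:
        assert pkt.dst == VS_WAN_IP, "only traffic to the VS is modelled"
        src = FORTIWAN_LAN_IP if self.nat_subnet_for_vs else pkt.src
        fwd = Packet(src=src, dst=SERVER_IP)
        self.sessions[(fwd.dst, fwd.src)] = pkt.src        # remember who really asked
        return fwd

    def reverse(self, reply: Packet) -> Packet:
        client = self.sessions[(reply.src, reply.dst)]
        return Packet(src=VS_WAN_IP, dst=client)           # undo the DNAT (and SNAT, if any)


def server_reply(request: Packet) -> Tuple[Packet, bool]:
    """The server answers the source address it saw. The reply only passes through
    FortiWAN if it is addressed to FortiWAN itself or to a destination outside the
    server's own subnet; anything else is delivered directly on the LAN segment."""
    reply = Packet(src=request.dst, dst=request.src)
    reaches_fortiwan = reply.dst == FORTIWAN_LAN_IP or reply.dst not in LAN_NET
    return reply, reaches_fortiwan


def hairpin_flow(nat_subnet_for_vs: bool) -> Dict[str, object]:
    vs = VirtualServer(nat_subnet_for_vs)
    request = Packet(src=CLIENT_IP, dst=VS_WAN_IP)         # client default-routes to FortiWAN
    to_server = vs.inbound(request)
    reply, via_fortiwan = server_reply(to_server)
    if via_fortiwan:
        reply = vs.reverse(reply)
    # The client's TCP stack only matches a reply whose source is the address it connected to.
    return {
        "server_saw_src": str(to_server.src),
        "reply_via_fortiwan": via_fortiwan,
        "reply_src_at_client": str(reply.src),
        "client_accepts": reply.dst == CLIENT_IP and reply.src == VS_WAN_IP,
    }
```

With the box unchecked the model performs no source translation at all, so it shows only why the translation is needed: the server replies straight to the client from its private address, and the client, which connected to 203.0.113.10, discards the reply. With the box checked the server sees FortiWAN’s LAN address, answers FortiWAN, and FortiWAN restores the VS address on the way back. The price of that is attribution: the server’s logs then record FortiWAN’s address rather than the real client for every hairpinned connection, which matters when those logs feed an investigation.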

For the details about DHCP, DHCP Relay, SLAAC and DHCPv6, see “Automatic addressing within a basic subnet”.

Static Routing Subnet

[Static Routing Subnet] is useful when a router in the LAN is used to carve out a separate subnet that does not connect to FortiWAN directly. The topology is similar to [Static Routing Subnet: Subnet in DMZ] mentioned previously; the only difference is that this example is set in the LAN rather than in the DMZ. In the topology below, the subnet 192.168.99.x is located in the LAN behind the router 192.168.34.50, while another subnet, 192.168.34.x, is also located on the LAN port but connects to FortiWAN directly. The configuration below tells FortiWAN how to route packets to the subnet 192.168.99.x.

IPv4 Static Routing Subnet  
Network IP 192.168.99.0
Netmask 255.255.255.0
Gateway 192.168.34.50

RIP

FortiWAN supports the Routing Information Protocol (RIP v1 and v2). RIP uses hop count as its metric and periodic broadcasts to update routing tables. Because RIP is simple to configure and operate, it is widely used. RIP version 1 (v1) was designed to suit the dynamic routing needs of LAN technology-based IP internetworks; to address some of its shortcomings, a refined RIP, version 2 (v2), was defined. RIP v2 supports sending RIP announcements to an IP multicast address and supports authentication mechanisms to verify the origin of incoming RIP announcements.

Check [RIP] if you have enabled RIP on your private subnet router. Check [RIP v1] if the private subnet router behind FortiWAN runs RIP v1, so that FortiWAN can forward packets from the RIP v1-enabled private subnet. Otherwise, check [RIP v2] if the router runs RIP v2, so that FortiWAN can forward RIP v2 packets. If you have enabled RIP v2 authentication, type the password in [Password]; otherwise leave [Password] blank. Keep in mind that RIP v1 has no authentication at all, and that a RIP v2 password sent as a simple (cleartext) password is readable by anyone on the segment; only keyed-MD5 authentication (RFC 2082) protects route updates against forgery and, with its sequence number, against replay.
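To make concrete what [Password] protects and what it does not, here is an added example, not FortiWAN code, that builds and verifies RIPv2 response packets with the two authentication types defined for RIP v2: simple password (RFC 2453, type 2) and keyed MD5 (RFC 2082, type 3). The route 192.168.99.0/24 and the password in the usage are constructed values, and the page does not say which authentication type FortiWAN’s [Password] field selects, so treat that as something to confirm against your own unit.

```python
import hashlib
import ipaddress
import struct
from typing import List, Tuple

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_IP, AFI_AUTH = 2, 0xFFFF
AUTH_SIMPLE, AUTH_MD5 = 2, 3          # RFC 2453 simple password, RFC 2082 keyed MD5
KEY_LEN = 16                          # both schemes use a 16-byte, zero-padded key


def _key16(key: bytes) -> bytes:
    return key.ljust(KEY_LEN, b"\x00")[:KEY_LEN]


def _route_entry(prefix: str, next_hop: str, metric: int) -> bytes:
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", AFI_IP, 0, net.network_address.packed,
                       net.netmask.packed, ipaddress.ip_address(next_hop).packed, metric)


def build_ripv2(routes: List[Tuple[str, str, int]], auth_type: int = 0,
                key: bytes = b"", key_id: int = 1, seq: int = 0) -> bytes:
    """Build a RIPv2 response. Constructed packets only: nothing is sent on the wire."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(_route_entry(*r) for r in routes)
    if auth_type == 0:
        return header + body
    if auth_type == AUTH_SIMPLE:
        # The password itself is the first "route entry": anyone sniffing the LAN reads it.
        return header + struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, _key16(key)) + body
    if auth_type == AUTH_MD5:
        pkt_len = 4 + 20 + len(body)                       # everything before the trailer
        auth = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, pkt_len, key_id, KEY_LEN, seq)
        trailer = struct.pack("!HH", AFI_AUTH, 1)
        # RFC 2082: digest over the packet with the key standing in for the auth data.
        digest = hashlib.md5(header + auth + body + trailer + _key16(key)).digest()
        return header + auth + body + trailer + digest
    raise ValueError("unknown authentication type")


def sniff_simple_password(pkt: bytes) -> bytes:
    """What a passive listener recovers from a simple-password packet (empty if none)."""
    if len(pkt) >= 24 and struct.unpack("!HH", pkt[4:8]) == (AFI_AUTH, AUTH_SIMPLE):
        return pkt[8:24].rstrip(b"\x00")
    return b""


def verify_ripv2(pkt: bytes, key: bytes, last_seq: int = -1) -> Tuple[bool, int, str]:
    """Receiver-side check. Returns (accepted, sequence number to remember, reason).
    last_seq is the newest sequence number already accepted from this neighbor."""
    if len(pkt) < 24 or pkt[1] != RIP_V2:
        return False, last_seq, "not a RIPv2 packet"
    afi, atype = struct.unpack("!HH", pkt[4:8])
    if afi != AFI_AUTH:
        return False, last_seq, "unauthenticated update rejected"
    if atype == AUTH_SIMPLE:
        ok = pkt[8:24] == _key16(key)
        return ok, last_seq, "simple password " + ("matched" if ok else "mismatch")
    if atype == AUTH_MD5:
        pkt_len, _key_id, dlen, seq = struct.unpack("!HBBI", pkt[8:16])
        if dlen != KEY_LEN or len(pkt) != pkt_len + 4 + KEY_LEN:
            return False, last_seq, "bad length"
        expected = hashlib.md5(pkt[:pkt_len + 4] + _key16(key)).digest()
        if pkt[pkt_len + 4:] != expected:
            return False, last_seq, "bad digest"
        # RFC 2082 only requires a non-decreasing sequence number (0 is allowed after a
        # restart); also rejecting a repeat of the last value closes the trivial replay.
        if seq != 0 and seq <= last_seq:
            return False, last_seq, "replayed sequence number"
        return True, seq, "keyed MD5 verified"
    return False, last_seq, "unknown authentication type"
```

The simple-password case passes the receiver’s check but sniff_simple_password() shows the key is sitting in the clear in the first entry of every update; the MD5 case fails as soon as a single metric byte is altered or an old sequence number is replayed. The receiver here also refuses updates that carry no authentication entry at all, which is the behaviour to want on a segment where a rogue host could otherwise inject routes.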

OSPF

Apart from RIP, FortiWAN also supports OSPF (Open Shortest Path First) on the LAN port. Like RIP, OSPF is designated by the Internet Engineering Task Force (IETF) as one of several Interior Gateway Protocols (IGPs). Rather than simply counting hops, OSPF bases its path selection on “link states” that take additional network information into account. With OSPF, a router that detects a change in the network immediately multicasts a link-state update to its neighbors, and the update is flooded through the area so that all routers converge on the same link-state database and, from it, the same routing table.

OSPF Interface Displays the LAN port in the network. Check the box to enable OSPF over the port.
Area Setting The network is logically divided into a number of areas based on subnets. Administrators can configure the area ID, which accepts a number or a dotted-quad (IP-style) value only.
Authentication Setting Neighboring routers on a segment must use the same authentication type and key to form an adjacency. Authentication types: Null, Simple Text Password, MD5. Null offers no protection and Simple Text Password sends the key in cleartext in every OSPF packet; use MD5 unless a neighbor cannot support it.
Router Priority Set the router priority, a number between 0 and 255. The router advertising the highest OSPF priority on the segment becomes the DR (Designated Router); a priority of 0 means the router never becomes DR.
Hello Interval Set the interval, in seconds, between the OSPF hello packets sent to neighbors on the port. It must match the value configured on the other routers on the segment.
Dead Interval Set the length of time, in seconds, that OSPF neighbors wait without receiving a hello packet before declaring the neighbor router down. It must be larger than the hello interval (commonly four times it) and must match on all routers on the segment.
Retransmit Interval Set the interval, in seconds, between retransmissions of link-state advertisements, database description and link-state request packets that a neighbor has not acknowledged.
Authentication Type Specifies whether the router authenticates the OSPF packets it exchanges on the LAN port. Choices are: Null, Simple Text Password, MD5.

FortiWAN provides statistics for the RIP & OSPF service, see “RIP & OSPF Status”.

VRRP

VRRP is the Virtual Router Redundancy Protocol; on FortiWAN it runs on a LAN port. A system can switch between VRRP and HA mode; when switched, the system reboots first for the change to take effect. When VRRP mode is enabled, HA mode is automatically disabled, and a VRID field becomes available on the [VLAN and Port Mapping] settings page (See “VLAN and Port Mapping”). In general, VRRP detects a failed master unit faster than HA mode does. Although FortiWAN’s VRRP implementation is based on VRRP version 3, some restrictions apply:

  • Always in non-preempt mode.
  • Always in non-accept mode.
  • IPv6 is not supported.
  • Active-active mode is not supported.

When FortiWAN switches to master mode, it automatically starts WAN link health detection. When it switches to backup mode, it automatically stops WAN link health detection and sets WAN status to “failed”.

In addition, DHCP servers in the LAN and DMZ should hand clients FortiWAN’s virtual IP as the default gateway (as FortiWAN’s own DHCP service does). If RIP or OSPF is used in the LAN, FortiWAN uses its real IP for OSPF and the virtual IP for RIP when exchanging routing information. Clone-MAC settings are ignored when VRRP is enabled. FortiWAN does not synchronize its NAT table with VRRP peers, so existing connections may break when the VRRP master changes.

Local Priority The priority of this FortiWAN for the virtual router, as carried in the advertisements it sends. Select a number from 1 to 254.
Advertisement Interval Set the time interval between advertisements, in centiseconds (default 100, i.e. one second).
Virtual address Enter a virtual IP address for the virtual router.
Double-check Link Click the checkbox to enable. When enabled, the backup router additionally checks whether the master is still responding to ARP on the specified WAN port, as a second liveness signal besides the advertisements.
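The non-preempt rule and the centisecond advertisement interval above decide how long a failover takes and who ends up master afterwards. The following Python is an added example, not FortiWAN code: it simulates two VRRP routers with the RFC 5798 timer rules (Master_Down_Interval = 3 × Master_Adver_Interval + Skew_Time, Skew_Time = ((256 − Priority) × Master_Adver_Interval) / 256) and the role-change actions this page describes, with a preempt switch so that the difference from FortiWAN’s always-non-preempt behaviour is visible. The router names, priorities and the crash and return times are constructed; Double-check Link is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class VrrpRouter:
    name: str
    priority: int                   # "Local Priority": 1..254 (255 is reserved for the address owner)
    adv_interval_cs: int = 100      # "Advertisement Interval" in centiseconds; 100 = 1 s
    preempt: bool = False           # FortiWAN is always non-preempt; True only for comparison
    state: str = "backup"
    last_adv_cs: int = 0            # when the last advertisement was heard (timer starts at boot)
    master_adv_interval_cs: int = 100
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 254:
            raise ValueError("priority must be between 1 and 254")

    def master_down_interval_cs(self) -> float:
        # RFC 5798 6.1: Master_Down_Interval = 3 * Master_Adver_Interval + Skew_Time,
        # where Skew_Time = ((256 - Priority) * Master_Adver_Interval) / 256.
        m = self.master_adv_interval_cs
        return 3 * m + (256 - self.priority) * m / 256

    def set_state(self, state: str, now_cs: int) -> None:
        if state == self.state:
            return
        self.state = state
        # Role-change actions described on this page.
        if state == "master":
            self.events.append(f"t={now_cs}: {self.name} -> master, WAN link health detection started")
        else:
            self.events.append(f"t={now_cs}: {self.name} -> backup, health detection stopped, WAN status = failed")

    def on_advertisement(self, now_cs: int, peer_priority: int, peer_adv_interval_cs: int) -> None:
        self.last_adv_cs = now_cs
        self.master_adv_interval_cs = peer_adv_interval_cs
        if self.state == "master":
            if peer_priority > self.priority:          # RFC 5798 6.4.3: yield to a better master
                self.set_state("backup", now_cs)
        elif self.preempt and self.priority > peer_priority:
            self.set_state("master", now_cs)           # never happens in non-preempt mode
        # In non-preempt mode a backup only refreshes its Master_Down_Timer here.

    def on_tick(self, now_cs: int) -> None:
        if self.state != "master" and now_cs - self.last_adv_cs >= self.master_down_interval_cs():
            self.set_state("master", now_cs)           # Master_Down_Timer fired


def failover_scenario(preempt: bool = False) -> Dict[str, object]:
    """Constructed timeline in centiseconds: A (priority 150) is master and loses power at
    t=250; B (priority 100) takes over when its timer fires; A returns at t=700 and hears
    B's advertisements. Both routers advertise every 100 cs (the page's default)."""
    a = VrrpRouter("A", priority=150, preempt=preempt)
    b = VrrpRouter("B", priority=100, preempt=preempt)
    a.set_state("master", 0)
    takeover_at = None
    for t in range(0, 1201):
        a_alive = t < 250 or t >= 700
        if t == 250:
            a.state = "backup"                         # crash: no graceful priority-0 advertisement
            a.events.append("t=250: A lost power")
        if t == 700:
            a.last_adv_cs = 700                        # reboot restarts A's timer
            a.events.append("t=700: A back online as backup")
        if a_alive and a.state == "master" and t % a.adv_interval_cs == 0:
            b.on_advertisement(t, a.priority, a.adv_interval_cs)
        if a_alive and b.state == "master" and t % b.adv_interval_cs == 0:
            a.on_advertisement(t, b.priority, b.adv_interval_cs)
        b.on_tick(t)
        if a_alive:
            a.on_tick(t)
        if takeover_at is None and b.state == "master":
            takeover_at = t
    return {"takeover_at_cs": takeover_at, "final": (a.state, b.state),
            "events": a.events + b.events}
```

With the page’s default interval, B (priority 100) needs 3 × 100 + 60.94 ≈ 361 cs after A’s last advertisement before it takes over, so the outage is roughly 3.6 s plus whatever WAN link health detection needs once B starts it. In non-preempt mode the returning A stays backup even though its priority is higher; a change of master therefore persists until the current master fails, and because FortiWAN does not synchronize its NAT table between peers, connections established before the switch are the ones that break.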
See also
  • Scenarios to deploy subnets
  • VLAN and Port Mapping
  • Summary
  • RIP & OSPF Status

FortiWAN Configurations for a WAN link in Bridge Mode: PPPoE

[Bridge Mode: PPPoE] is used for a PPPoE WAN link (the ISP provides a dynamic or static IP address via PPPoE). In [Basic Settings], configure the upstream and downstream bandwidth, and the user name, password and service name given by the ISP. Leave [IP Address] blank if you are assigned a dynamic IP address; otherwise, enter your static IP address. Select the FortiWAN WAN port to which the PPPoE ADSL modem is connected, e.g. port1. Check [Redial Enable] to enable scheduled redialing. As some ISPs automatically reconnect the link at a fixed interval, [Redial Enable] staggers the redial times of the WAN links so that they do not all redial at once. When several DHCP/PPPoE WAN links connect to the same ISP over VLANs on the same physical WAN port, the connections may fail because they share the same MAC address; use [Clone MAC Enable] to configure a cloned MAC address on FortiWAN for this deployment.

Basic Setting

WAN Port The physical port (network interface) on FortiWAN used to connect the WAN link. For the deployment of multiple WAN links on one WAN port, set this field with the same value for those WAN links. For example, select Port1 for configurations of WAN link1, WAN link2 and WAN link3 for deploying the three WAN links on WAN port1. Note: The port has to be mapped to [WAN] beforehand in [VLAN and Port Mapping] (See “WAN link and WAN port”, “VLAN and port mapping” and “Configurations for VLAN and Port Mapping”).
Up/Down Stream The WAN link’s transfer speed at which you can upload/download data to/from the Internet e.g. 512Kbps.
Up/Down Stream Threshold Specify upstream/downstream (Kbps) threshold for the WAN link. WAN link with traffic that exceeds the threshold values will be considered as failed. FortiWAN’s Auto Routing and Multihoming (See “Outbound Load Balancing and Failover (Auto Routing)” and “Inbound Load Balancing and Failover (Multihoming)”) use the value while balancing traffic between WAN links if the Threshold function is enabled. Leave it blank or zero if you do not apply threshold to the WAN link.
MTU (Maximum Transmission Unit) is the size of the largest packet or frame that a given layer of a communications protocol can pass onwards. Packets larger than the MTU have to be fragmented into pieces small enough to pass over a single link.
User Name Fill in the Username provided by ISP.
Password Fill in Password provided by ISP.
Service Name Fill in the service name provided by the ISP. Leave it blank if the ISP does not require it.
IPv4 Address Fill in the static IPv4 address provided by the ISP. Leave it blank if the ISP assigns the address dynamically.
IPv6 Enable Check to enable IPv6 over PPPoE.
Redial Enable Some ISPs drop PPPoE connections on a fixed schedule, and FortiWAN automatically re-establishes every disconnected PPPoE link when it detects the disconnection. To prevent multiple links from reconnecting at the same time, a different reconnection schedule can be configured for each WAN link. Once a reconnection time is configured (HH:MM), the system performs the PPPoE reconnection at that time daily.
Clone MAC Enable Configure MAC address clone.
See also

  • WAN link and WAN port
  • VLAN and port mapping
  • Configurations for VLAN and Port Mapping
  • Outbound Load Balancing and Failover (Auto Routing)
  • Inbound Load Balancing and Failover (Multihoming)


Bridge-mode (one static IP) WAN link

Configuration of a one-static-IP bridge-mode WAN link starts from selecting and enabling the WAN link on the Web UI (see Start to configure a WAN link in Configuring your WAN and DMZ), and selecting Bridge Mode: One Static IP from the WAN Type drop-down menu in the Basic Setting panel. After that, configure the following settings:

IPv4-based bridge-mode WAN link
  • Only Basic setting is necessary.
  • IPv4 basic subnets and IPv4 static routing subnets are not supported here.

IPv4/IPv6 Dual-stack bridge-mode WAN link
  • Only Basic setting is necessary.
  • IPv4 basic subnets and IPv4 static routing subnets are not supported here; IPv6 basic subnets and IPv6 static routing subnets are optional.

Different from routing mode, configuration of static routing is contained in Basic Setting for a bridge-mode WAN link.

Basic Setting

Besides the WAN Type, the remaining fields of Basic Setting for a one-static-IP bridge-mode WAN link are as follows:

WAN Port A FortiWAN’s network port used to connect the WAN link with the FortiWAN (you need to physically install the network cable to this port for the WAN link). All the physical and VLAN ports that are mapped to WAN (see Aggregated, Redundant, VLAN Ports and Port Mapping) are listed here for your options. The WAN link field is unrelated to the WAN port. For example, you can install WAN link 1 to WAN Port3, or WAN link 3 to WAN Port 1. (See WAN link and WAN port).
Up/Down Stream The WAN link’s transfer speed at which you can download/upload data from/to the Internet. Input the value in Kbps, e.g. 10240Kbps/640Kbps. FortiWAN Bandwidth Management’s default inbound and outbound classes use the two values to limit the download and upload rates on the WAN link (see Bandwidth Management).
Up/Down Stream Threshold Specify the upstream/downstream threshold (Kbps) for the WAN link. A WAN link whose traffic exceeds the thresholds is considered failed. FortiWAN’s Auto Routing and Multihoming ignore WAN links failed by exceeding traffic while distributing traffic over WAN links, if the Threshold function is enabled in their load-balancing policies (See Outbound Load Balancing and Failover (Auto Routing) and Inbound Load Balancing and Failover (Multihoming)). Leave it blank or zero if you do not apply a threshold to the WAN link.
MTU (Maximum Transmission Unit) is the size of the largest packet or frame that can be passed onwards on the WAN port. Packets larger than the MTU have to be fragmented into pieces small enough to pass over a single link. It is set to 1500 by default.
IPv4 Localhost IP The IPv4 address that ISP provides (See “Scenarios to deploy subnets”). IP addresses specified here can be used for NAT to transfer the source IP address of packets to, and will be used to generate the NAT default rules of the WAN link (See “NAT”).
IPv4 Netmask The IPv4 netmask that ISP provides.
IPv4 Gateway The IPv4 address of the default gateway.
IPv6 Localhost IP The IPv6 address that ISP provides (See “Scenarios to deploy subnets”). IP addresses specified here can be used for NAT to transfer the source IP address of packets to, and will be used to generate the NAT default rules of the WAN link. For FortiWAN V4.0.x, system does not generate NAT default rules for IPv6 WAN links, setting NAT rules manually is required (See “NAT”).
IPv6 Prefix The IPv6 prefix that ISP provides.
IPv6 Gateway The IPv6 address of the default gateway.

[Bridge Mode: One Static IP] is used when the ISP gives one static IPv4 address to a user. Usually the IPv4 address a user obtains is one address of a class C (/24) network, as indicated by the netmask 255.255.255.0. The default gateway assigned by the ISP is located in the ISP’s network, while the ATU-R works in bridge mode.

FortiWAN’s Bridge Mode: One Static IP is the suggested choice for this case. IPv6/IPv4 dual static addressing is also supported for FortiWAN’s Bridge Mode: One Static IP. In the dual-static case, as in the previous one, the ISP may provide you with a WAN IPv6 subnet and a LAN IPv6 subnet. You can deploy the LAN IPv6 subnet as a basic subnet in the DMZ. Although the deployment is under FortiWAN’s Bridge Mode, FortiWAN routes packets between WAN and DMZ for the IPv6 subnets. Basic subnets are not supported for IPv4 networks deployed in Bridge Mode. The following topology is widely seen where a user gets one static IP from the ISP.

See also
  • WAN link and WAN port
  • VLAN and port mapping
  • Configurations for VLAN and Port Mapping
  • Outbound Load Balancing and Failover (Auto Routing)
  • Inbound Load Balancing and Failover (Multihoming)
  • Scenarios to deploy subnets
  • IPv6/IPv4 Dual Stack

Bridge-mode (multiple static IP) WAN link

Configuration of a multiple-static-IP bridge-mode WAN link starts from selecting and enabling the WAN link on the Web UI (see Start to configure a WAN link in Configuring your WAN and DMZ), and selecting Bridge Mode: Multiple Static IP from the WAN Type drop-down menu in the Basic Setting panel. After that, configure the following settings:

IPv4-based bridge-mode WAN link
  • Only Basic setting is necessary.
  • IPv4 basic subnets and IPv4 static routing subnets are not supported here.

IPv4/IPv6 Dual-stack bridge-mode WAN link
  • Only Basic setting is necessary.
  • IPv4 basic subnets and IPv4 static routing subnets are not supported here; IPv6 basic subnets and IPv6 static routing subnets are optional.

Different from routing mode, the static routing configuration of a bridge-mode WAN link is contained in Basic Setting. As in routing mode, FortiWAN uses Proxy ARP to combine the WAN area and the DMZ area into one logical network segment.

Basic Setting

Besides the WAN Type, the remaining fields of Basic Setting for a multiple-static-IP bridge-mode WAN link are as follows:

WAN Port A FortiWAN network port used to connect the WAN link with the FortiWAN (you need to physically install the network cable to this port for the WAN link). All the physical and VLAN ports that are mapped to WAN (see Aggregated, Redundant, VLAN Ports and Port Mapping) are listed here for your options. The WAN link field is unrelated to the WAN port. For example, you can install WAN link 1 to WAN Port3, or WAN link 3 to WAN Port 1. (See WAN link and WAN port).
Up/Down Stream The WAN link’s transfer speed at which you can download/upload data from/to the Internet. Input the value in Kbps, e.g. 10240Kbps/640Kbps. FortiWAN Bandwidth Management’s default inbound and outbound classes use the two values to limit the download and upload rates on the WAN link (see Bandwidth Management).
Up/Down Stream Threshold Specify the upstream/downstream threshold (Kbps) for the WAN link. A WAN link whose traffic exceeds the thresholds is considered failed. FortiWAN’s Auto Routing and Multihoming ignore WAN links failed by exceeding traffic while distributing traffic over WAN links, if the Threshold function is enabled in their load-balancing policies (See Outbound Load Balancing and Failover (Auto Routing) and Inbound Load Balancing and Failover (Multihoming)). Leave it blank or zero if you do not apply a threshold to the WAN link.
MTU (Maximum Transmission Unit) is the size of the largest packet or frame that can be passed onwards on the WAN port. Packets larger than the MTU have to be fragmented into pieces small enough to pass over a single link. It is set to 1500 by default.
IPv4 IP(s) on Localhost The IPv4 addresses that are deployed on localhost (See “Scenarios to deploy subnets”). IP addresses specified here can be used by NAT as the translated source IP address of packets. The first IP address listed here is used to generate the NAT default rules of the WAN link (See “NAT”).
IPv4 IP(s) in WAN The IPv4 addresses that are deployed in WAN.
IPv4 IP(s) in DMZ The IPv4 addresses that are deployed in DMZ.

Different from the configuration of routing mode’s basic subnets, a bridge-mode WAN link requires you to specify exactly which IPs go in the fields IP(s) in WAN and IP(s) in DMZ if you want to deploy those addresses in the WAN and DMZ areas. FortiWAN does not automatically classify the remaining IPs of a subnet as IPs in WAN or IPs in DMZ for bridge-mode WAN links (it does so for a routing-mode WAN link), because bridge mode is meant to work with a handful of IPs taken from a large-scale network (see WAN types: Routing mode and Bridge mode) and FortiWAN cannot know which IPs of that network the ISP has actually assigned to you (the remaining IPs of the large-scale subnet are not valid to deploy in your network).

IPv4 Netmask The IPv4 netmask that ISP provides.
IPv4 Gateway The IPv4 address of the default gateway.
IPv6 IP(s) on Localhost The IPv6 addresses that are deployed on localhost (See “Scenarios to deploy subnets”). IP addresses specified here can be used for NAT to transfer the source IP address of packets to. The first IP address listed here will be used to generate the NAT default rules of the WAN link. For FortiWAN V4.0.x, system does not generate NAT default rules for IPv6 WAN links, setting NAT rules manually is required (See “NAT”).
IPv6 IP(s) in WAN The IPv6 addresses that are deployed in WAN.
IPv6 IP(s) in DMZ The IPv6 addresses that are deployed in DMZ.
IPv6 Prefix The IPv6 prefix that ISP provides.
IPv6 Gateway The IPv6 address of the default gateway.
Subnet The IPv6 subnet deployed on the WAN link.
DMZ Port The network port of FortiWAN used to connect the DMZ area. All the physical and logical ports that are mapped to DMZ (see Configurations for VLAN and Port Mapping) are listed here for options. Hosts deployed in the DMZ have to be connected to this port. Public IP pass-through (see Public IP Pass-through) is supported to combine the selected WAN port and DMZ port.
Enable DHCP/DHCP Relay/SLAAC/DHCPv6 Service Click to enable automatic addressing on the specified DMZ port for hosts in the connected IPv4/IPv6 DMZ segment (see Automatic addressing within a basic subnet for configuration details). Note that only the IP addresses defined in the fields IPv4 IP(s) in DMZ and IPv6 IP(s) in DMZ are candidates for the IP pools used by automatic addressing. SLAAC and DHCPv6 in FortiWAN are designed to work together: SLAAC answers a host with a router advertisement (carrying the default gateway and DNS server), and DHCPv6 hands the host an appropriate IPv6 address.

This topology can be seen where a group of valid IP addresses ranging 211.21.40.32~211.21.40.34 have been given by ISP and assigned to port1 on FortiWAN. And their default gateway is 211.21.40.254 given by ISP as well. If there are other hosts deployed on the WAN, then configure their IP addresses in [IP(s) in WAN]. And if there are hosts deployed on the DMZ, then configure their IP addresses in [IP(s) in DMZ].

 

Basic Setting  
WAN Port Port1
IPv4 IP(s) on Localhost 211.21.40.32
IPv4 IP(s) in WAN 211.21.40.33
IPv4 IP(s) in DMZ 211.21.40.34
IPv4 Netmask 255.255.255.0
IPv4 Gateway 211.21.40.254
DMZ Port Port5

Static routing information

FortiWAN assumes that the near WAN and DMZ areas of a bridge-mode WAN link (both IPv4-based and dual-stack) are parts of a large-scale network rather than a complete network, with the exception of extra IPv6 subnets being available for dual-stack WAN links. Static routing information is therefore given to FortiWAN by assigning individual IPs in Basic Setting, rather than by specifying a network in Basic Subnet. FortiWAN’s bridge mode does accept complete IPv6 networks deployed in the DMZ; if the ISP provides multiple IPv6 subnets for dual-stack connectivity, this is an option for you. The configurations of IPv6 basic subnets and IPv6 static routing subnets are that routing information for FortiWAN.

[IPv6 Basic Subnet]: Subnet in DMZ

This is the only type that FortiWAN provides for basic subnets of a bridge-mode WAN link. Click the add button on the IPv6 Basic Subnet panel to add a configuration, and select Subnet in DMZ from the Subnet Type drop-down menu. The remaining configuration fields are as follows:

IP(s) on Localhost The IP address(es) of the IPv6 network that you want to assign to localhost of the specified DMZ port (the DMZ port that is specified below) of the WAN link. At least one IP address is required here. You can type a range of IP addresses here in format “IPstart-IPend” or click the add button to individually add more IP addresses to the localhost.

Note that the rest IP addresses of the network that are not assigned to the localhost here will be automatically considered as being located in DMZ area.

Prefix Length Prefix Length of the IPv6 network that is being deployed as a subnet in DMZ and associated with the WAN link.
DMZ Port A FortiWAN’s network port used to connect a subnet of the WAN link with the FortiWAN as a DMZ subnet (you need to physically install the network cable to this port for the DMZ subnet). All the physical, logical and VLAN ports that are mapped to DMZ (see Aggregated, Redundant, VLAN Ports and Port Mapping) are listed here for your options.
Enable SLAAC/DHCPv6 Service Click to enable automatic addressing on the specified DMZ port for hosts in the connected IPv6 DMZ subnet (see Automatic addressing within a basic subnet for configuration details). Note that only the IP addresses of the IPv6 basic subnet defined here are candidates for the IP pools used by automatic addressing.

[IPv6 Static Routing Subnet]: Subnet in DMZ

This is the only type that FortiWAN provides for static routing subnets of a bridge-mode WAN link. Click the add button on the IPv6 Static Routing Subnet panel to add a configuration, and select Subnet in DMZ from the Subnet Type drop-down menu. The remaining configuration fields are as follows:

Subnet The IPv6 static routing subnet that you want to deploy in DMZ area of the WAN link in format such as 2000::123f:0:0:1/32.
Gateway IPv6 address of the gateway (router) connecting a basic subnet with the static routing subnet. This IP address is the path that FortiWAN uses to forward packets destined to the static routing subnet to.
See also
  • WAN link and WAN port
  • VLAN and port mapping
  • Configurations for VLAN and Port Mapping
  • Outbound Load Balancing and Failover (Auto Routing)
  • Inbound Load Balancing and Failover (Multihoming)
  • Scenarios to deploy subnets
  • Public IP pass through (DMZ Transparent Mode)
  • IPv6/IPv4 Dual Stack

Routing-mode WAN link

Configuration of a routing-mode WAN link starts from selecting and enabling the WAN link on the Web UI (see Start to configure a WAN link in Configuring your WAN and DMZ), and selecting Routing Mode from the WAN Type drop-down menu in the Basic Setting panel. After that, configure the following settings:

IPv4-based routing-mode WAN link
  • Basic setting and at least one IPv4 basic subnet are necessary.
  • An IPv4 static routing subnet is optional.

IPv4/IPv6 Dual-stack routing-mode WAN link
  • Basic setting, one IPv4 basic subnet and one IPv6 basic subnet are necessary.
  • IPv4/IPv6 static routing subnets are optional.

Basic Setting

Besides the WAN Type, the remaining fields of Basic Setting for a routing-mode WAN link are as follows:

WAN Port  The FortiWAN network port used to connect the WAN link to the FortiWAN (you need to physically install the network cable to this port for the WAN link). All the physical and VLAN ports that are mapped to WAN (see Aggregated, Redundant, VLAN Ports and Port Mapping) are listed here for your options. The WAN link number is unrelated to the WAN port number. For example, you can install WAN link 1 on WAN Port 3, or WAN link 3 on WAN Port 1 (see WAN link and WAN port).

Down/Up Stream  The WAN link’s transfer speed at which you can download/upload data from/to the Internet. Input the value in Kbps, e.g. 10240Kbps/640Kbps. FortiWAN Bandwidth Management’s default inbound and outbound classes actively use the two values to limit the download and upload rates on the WAN link (see Bandwidth Management).

Down/Up Stream Threshold  Specify the upstream/downstream threshold (Kbps) for the WAN link. A WAN link whose traffic exceeds the thresholds is considered failed. FortiWAN’s Auto Routing and Multihoming ignore WAN links failed by exceeding traffic while distributing traffic over WAN links, if the Threshold function is enabled in their load-balancing policies (see Outbound Load Balancing and Failover (Auto Routing) and Inbound Load Balancing and Failover (Multihoming)). Leave it blank or zero if you do not apply a threshold to the WAN link.

MTU  The Maximum Transmission Unit is the size of the largest packet or frame that a given layer of a communications protocol can pass onwards on the WAN port; larger packets are divided into pieces, each small enough to pass over a single link. It is set to 1500 by default.

IPv4 Gateway  IPv4 address of the default gateway of the WAN link. This field is mandatory.

IPv6 Gateway  IPv6 address of the default gateway of the WAN link. This field is optional. Ignore it for IPv4-based links or configure it for IPv4/IPv6 dual stack links.

Static routing information

As mentioned previously, FortiWAN requires the correct routing information to deliver packets among the connected near WAN, DMZ and LAN networks. Configurations of basic subnets and static routing subnets of a WAN link are the routing information for the FortiWAN.

A routing-mode WAN link is attached to an IP network, which should be deployed as a basic subnet of the WAN link. Since the localhost of the WAN port is a part of the subnet, at least one basic subnet is necessary for configuring a routing-mode WAN link. For this reason, the IP(s) on Localhost and Netmask fields of a routing-mode WAN link are contained in the configuration of Basic Subnet rather than Basic Setting.

IPv4/IPv6 Basic Subnet

Basic subnets are the subnets connecting directly to FortiWAN. A DMZ must be associated with a WAN link; therefore, the basic subnets of a WAN link are divided into four types according to the combination of WAN and DMZ:

  • Subnet in WAN: A subnet deployed in WAN. This type requires at least one IP for localhost of the WAN port, and the rest of the subnet can be used for hosts in WAN (near WAN).
  • Subnet in DMZ: A subnet deployed in DMZ. This type requires at least one IP for localhost of the DMZ port, and the rest of the subnet can be used for hosts in DMZ.
  • Subnet in WAN and DMZ: A subnet deployed in two segments, WAN and DMZ. Proxy ARP combines the two segments into a logical segment for the IP subnet (see ). Proxy ARP logically combines the specified WAN port and DMZ port into a logical port. This type requires at least one IP for localhost of the WAN port, and the rest of the subnet can be used for hosts in WAN (near WAN) and DMZ.
  • Subnet on Localhost: A subnet deployed on the localhost of a WAN port (this is not supported for IPv6 basic subnets). All the IP addresses of the subnet will be deployed on the WAN port.

A subnet in WAN and DMZ might be the most practical deployment for a routing-mode WAN link. If the ISP provides only one network with your IPv4 WAN link (the most general case for a routing-mode link), you can deploy it as any of the subnet types except a subnet in DMZ. Remember, at least one IP address must be assigned to the localhost of a WAN port for the IPv4 link; therefore, at least one subnet must be associated with the WAN port. If you get more than one network from the ISP with the IPv4 link, you still have to deploy at least one of them as a subnet in WAN, a subnet in WAN and DMZ or a subnet on localhost, but there is no limitation on the remaining networks. Briefly, if you are given only one network for the WAN link, you cannot deploy it as a subnet in DMZ. Similarly, configuring a dual stack link requires at least one IPv4 network and one IPv6 network, each deployed as a subnet in WAN, a subnet in WAN and DMZ or a subnet on localhost. Next comes the configuration of basic subnet for each type:

[IPv4/IPv6 Basic Subnet]: Subnet in WAN

Click the add button on the IPv4 Basic Subnet panel or IPv6 Basic Subnet panel to add a configuration, and select Subnet in WAN from the Subnet Type drop-down menu. The remaining configuration fields to deploy an IPv4/IPv6 network as a subnet in WAN are as follows:

IP(s) on Localhost  The IP address(es) that you want to assign to the localhost of the specified WAN port (the WAN port specified in the Basic Setting panel) for the WAN link. At least one IP address is required here. You can type a range of IP addresses in the format “IPstart-IPend” or click the add button to individually add more IP addresses to the localhost.

Note that the remaining IP addresses of the network that are not assigned to the localhost here are automatically considered to be located in the WAN area.

Netmask/Prefix Length Netmask/Prefix Length of the IPv4/IPv6 network that you are deploying to the WAN link as a subnet in WAN.

This topology is frequently used where cluster hosts are deployed in WAN.

In this diagram, we have a WAN link attached to a given network whose netmask is 255.255.255.248, gateway is 203.69.118.9 and available IP addresses are 203.69.118.10 – 203.69.118.14. The WAN link is connected to FortiWAN’s Port2 (mapped to a WAN port) with IP address 203.69.118.10 assigned to the localhost. In this case, FortiWAN will consider that the remaining IP addresses 203.69.118.11 – 203.69.118.14 are located in the WAN area (actually, the near WAN) of the WAN link. The following is the configuration for this case:

Basic Setting  
WAN Port Port2
IPv4 Gateway 203.69.118.9
IPv4 Basic Subnet  
Subnet Type Subnet in WAN
IP(s) on localhost 203.69.118.10
Netmask 255.255.255.248

Configuration of these settings implies a route on FortiWAN: any packet destined to 203.69.118.9 – 203.69.118.14 is directly forwarded through this WAN port, without Auto Routing and Bandwidth Management processing. In this case, subnet 203.69.118.8/29 (203.69.118.9 – 203.69.118.14) is the near WAN of the link.

[IPv4/IPv6 Basic Subnet]: Subnet in DMZ

Click the add button on the IPv4 Basic Subnet panel or IPv6 Basic Subnet panel to add a configuration, and select Subnet in DMZ from the Subnet Type drop-down menu. The remaining configuration fields are as follows:

IP(s) on Localhost  The IP address(es) of the IPv4/IPv6 network that you want to assign to the localhost of the specified DMZ port (the DMZ port specified below) of the WAN link. At least one IP address is required here. You can type a range of IP addresses in the format “IPstart-IPend” or click the add button to individually add more IP addresses to the localhost.

Note that the remaining IP addresses of the network that are not assigned to the localhost here are automatically considered to be located in the DMZ area.

Netmask/Prefix Length  Netmask/Prefix Length of the IPv4/IPv6 network that is being deployed as a subnet in DMZ and associated with the WAN link.

DMZ Port  The FortiWAN network port used to connect a subnet of the WAN link to the FortiWAN as a DMZ subnet (you need to physically install the network cable to this port for the DMZ subnet). All the physical, logical and VLAN ports that are mapped to DMZ (see Aggregated, Redundant, VLAN Ports and Port Mapping) are listed here for your options.

Enable DHCP/DHCP Relay/SLAAC/DHCPv6 Service  Click to enable automatic addressing on the specified DMZ port for hosts in the connected IPv4/IPv6 DMZ subnet (see Automatic addressing within a basic subnet for configuration details).

Note that only the IP addresses of the IPv4/IPv6 basic subnet defined here are candidates for the related IP pools of automatic addressing.

This topology is frequently used where a cluster of hosts is deployed in DMZ. The following example for a subnet in DMZ builds on the above example of a WAN link with a subnet deployed in WAN. Click the [+] button on the IPv4/IPv6 Basic Subnet panel to add a subnet to the WAN link. Remember that a subnet in DMZ must coexist with a subnet in WAN, a subnet in WAN and DMZ or a subnet on localhost.

As described in the topology, since the cluster of hosts is deployed in DMZ, FortiWAN port5 has to be mapped to DMZ with IP address 140.112.8.9, and the hosts in the subnet use 140.112.8.9 as their default gateway. In this case, IP addresses 203.69.118.9 – 203.69.118.14 are treated as near WAN, while IP addresses 140.112.8.9 – 140.112.8.14 in DMZ do not belong to near WAN. Check [Enable DHCP] if hosts in the subnet in DMZ require DHCP service, and enter the starting and ending addresses in [DHCP Range]. If any host in the subnet uses a static IP address, enter its IP and MAC address in [Static Mapping]. Similarly, if the ISP provides another LAN IPv6 subnet, you can deploy it in DMZ. SLAAC and DHCPv6 in FortiWAN are designed to work together: SLAAC answers a host with router advertisements (including default gateway and DNS server) and DHCPv6 assigns the host an appropriate IPv6 address. Note: FortiWAN assumes that IP addresses not listed in [IP(s) on Localhost] can be used by hosts in the subnet.

In this diagram, we have another network that the ISP provides to the WAN link, whose netmask is 255.255.255.248, gateway is 140.112.8.9 and available IP addresses are 140.112.8.10 – 140.112.8.14. This network is connected to FortiWAN’s Port5 (mapped to a DMZ port) with IP address 140.112.8.9 assigned to the localhost. In this case, FortiWAN will consider that the remaining IP addresses 140.112.8.10 – 140.112.8.14 are located in the DMZ of the WAN link. The following is the configuration for this case:

Basic Setting  
WAN Port Port2
IPv4 Gateway 203.69.118.9
IPv4 Basic Subnet 1  
Subnet Type Subnet in WAN
IP(s) on localhost 203.69.118.10
Netmask 255.255.255.248
IPv4 Basic Subnet 2  
Subnet Type Subnet in DMZ
IP(s) on localhost 140.112.8.9
Netmask 255.255.255.248
DMZ Port Port5

For the details about DHCP, DHCP Relay, SLAAC and DHCPv6, see “Automatic addressing within a basic subnet”.

[IPv4/IPv6 Basic Subnet]: Subnet in WAN and DMZ

Click the add button on the IPv4 Basic Subnet panel or IPv6 Basic Subnet panel to add a configuration, and select Subnet in WAN and DMZ from the Subnet Type drop-down menu. The remaining configuration fields are as follows:

IP(s) on Localhost  The IP address(es) of the IPv4/IPv6 network that you want to assign to the localhost of the specified WAN port (the WAN port specified in the Basic Setting panel) and DMZ port (the DMZ port specified below) of the WAN link. The WAN port and DMZ port will be logically combined for Public IP Passthrough. At least one IP address is required here. You can type a range of IP addresses in the format “IPstart-IPend” or click the add button to individually add more IP addresses to the localhost.

IP(s) in WAN  The IP address(es) of the IPv4/IPv6 network that you want to assign to the WAN area (near WAN) of the WAN link. You can leave it blank, type one IP address or a range of IP addresses (in the format “IPstart-IPend”) here. You can also click the add button to individually add more IP addresses to the near WAN.

Note that the remaining IP address(es) of the network that are not assigned to the localhost (above) or WAN (here) are automatically considered to be located in DMZ. Therefore, no matter how you deploy IP addresses in the WAN area, at least one IP address, the gateway of the WAN link (what you set in Basic Setting for IPv4 Gateway and/or IPv6 Gateway), must be contained in this field.

Netmask/Prefix Length  Netmask/Prefix Length of the IPv4/IPv6 network that you are deploying to the WAN link as a subnet in WAN and DMZ.

DMZ Port  The FortiWAN network port used to connect a part of the subnet to the WAN link as the segment in DMZ (you need to physically install the network cable to this port for the DMZ segment). All the physical, logical and VLAN ports that are mapped to DMZ (see Aggregated, Redundant, VLAN Ports and Port Mapping) are listed here for your options.

Enable DHCP/DHCP Relay/SLAAC/DHCPv6 Service  Click to enable automatic addressing on the specified DMZ port for hosts in the connected IPv4/IPv6 DMZ segment (see Automatic addressing within a basic subnet for configuration details).

Note that only the IP addresses assigned to the DMZ part of the defined basic subnet are candidates for the related IP pools of automatic addressing.

This topology is frequently found where a cluster of hosts in one subnet are deployed in both WAN side and DMZ side.

As described in the topology, port2 and port5 are connected by a dotted line, indicating that an IP range in the same subnet 203.69.118.8/29 spreads across WAN (port2) and DMZ (port5). FortiWAN employs Proxy ARP so that those hosts behave as if they were in the same network segment (see “Public IP pass through (DMZ Transparent Mode)”).

Note that although IP address 203.69.118.9 has been configured as default gateway in Basic Setting table, you are still required to add it in the field [IP(s) in WAN]. When you select [Subnet in WAN and DMZ] from [Subnet Type], FortiWAN will assume the IP addresses that are unlisted in [IP(s) on Localhost] and [IP(s) in WAN] are all in DMZ. Thus, in this example, except 203.69.118.10, 203.69.118.9 and 203.69.118.11-203.69.118.12, the rest IP addresses of subnet 203.69.118.8/29 are assigned to DMZ for Public IP Pass-through. In this case, IP addresses 203.69.118.9 – 203.69.118.12 in WAN side are treated as in near WAN, while IP addresses 203.69.118.13 – 203.69.118.14 in DMZ side do not belong to near WAN.

Check [Enable DHCP] if hosts in the subnet in DMZ require DHCP service, and enter the starting and ending addresses in [DHCP Range]. If any host in the subnet uses a static IP address, enter its IP and MAC address in [Static Mapping]. The configuration to deploy an IPv6 public subnet in WAN and DMZ is similar.

Basic Setting  
WAN Port Port2
IPv4 Gateway 203.69.118.9
IPv4 Basic Subnet  
Subnet Type Subnet in WAN and DMZ
IP(s) on localhost 203.69.118.10
IP(s) in WAN 203.69.118.11-203.69.118.12
Netmask 255.255.255.248
DMZ Port Port5

For the details about DHCP, DHCP Relay, SLAAC and DHCPv6, see “Automatic addressing within a basic subnet”.

[IPv4/IPv6 Basic Subnet]: Subnet on Localhost

Click the add button on the IPv4 Basic Subnet panel (this subnet type is not supported for IPv6 basic subnets) to add a configuration, and select Subnet on Localhost from the Subnet Type drop-down menu. The remaining configuration fields are as follows:

Network IP The network IP of the subnet that you want to assign to localhost of the specified WAN port (the WAN port that is specified in Basic Setting panel).
Netmask Netmask of the IPv4 subnet that you are deploying to the WAN link as a subnet on localhost.

This topology is found where a whole subnet is assigned to FortiWAN itself to make better use of Virtual Server.

This deployment is much simpler than the other subnet types. Except for the gateway, all the IP addresses of the subnet are assigned to the WAN port of the WAN link; there are no IP addresses available for deployment in the WAN and/or DMZ areas. All of the IP addresses identify the associated WAN link to the NAT, Multihoming and Virtual Server services. For this example, the configuration just requires 203.69.118.8 and 255.255.255.248 to be entered in [Network IP] and [Netmask] respectively.

Basic Setting  
WAN Port Port2
IPv4 Gateway 203.69.118.9
IPv4 Basic Subnet  
Subnet Type Subnet on Localhost
Network IP 203.69.118.8
Netmask 255.255.255.248

Note that, for all of the subnet types described above, the IP addresses (IPv4 or IPv6) specified in the field [IP(s) on Localhost] can be used by NAT as the source IP address that packets are translated to. The first IP address on the list of [IP(s) on Localhost] is used for the NAT default rules of the WAN link. The system generates NAT default rules automatically for a WAN link so that a host with a private IP address in LAN can access the Internet without NAT rules being set manually. For FortiWAN V4.0.x, the system does not generate NAT default rules for IPv6 WAN links; setting NAT rules manually is required (see “NAT”).
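The area rules of the four basic subnet types above (the gateway counted in the near WAN, unlisted addresses falling to WAN or DMZ, a subnet in DMZ unable to stand alone, the gateway required in [IP(s) in WAN] for a subnet in WAN and DMZ) can be put into a small model. The Python below is an added example, not FortiWAN code: the class names BasicSubnet and RoutingModeWanLink, the expand helper and the validate/classify methods are assumptions made for the illustration, and the sample links are constructed from the 203.69.118.8/29 and 140.112.8.8/29 examples on this page. For the subnet in WAN and DMZ it lists the gateway 203.69.118.9 in IP(s) in WAN, as the text requires.

```python
"""Model of how a routing-mode WAN link's basic subnets divide a network into
localhost, near WAN and DMZ areas.  Added illustration, not FortiWAN code; the
class and function names are assumptions made for this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

WAN = "Subnet in WAN"
DMZ = "Subnet in DMZ"
WAN_AND_DMZ = "Subnet in WAN and DMZ"
LOCALHOST = "Subnet on Localhost"


def expand(specs: List[str]) -> Set:
    """Expand UI entries ('IP' or 'IPstart-IPend') into a set of addresses."""
    out = set()
    for spec in specs:
        if "-" in spec:
            start, end = (ip_address(p.strip()) for p in spec.split("-", 1))
            if end < start:
                raise ValueError(f"range end precedes start: {spec}")
            out.update(ip_address(n) for n in range(int(start), int(end) + 1))
        else:
            out.add(ip_address(spec.strip()))
    return out


@dataclass
class BasicSubnet:
    subnet_type: str
    network: str                                          # network IP with Netmask/Prefix Length
    localhost: List[str] = field(default_factory=list)    # IP(s) on Localhost
    in_wan: List[str] = field(default_factory=list)       # IP(s) in WAN (WAN-and-DMZ type only)
    dmz_port: Optional[str] = None                        # DMZ Port (types with a DMZ part)


@dataclass
class RoutingModeWanLink:
    wan_port: str
    gateway: str                  # IPv4 Gateway from Basic Setting
    subnets: List[BasicSubnet]

    def validate(self) -> List[str]:
        """List the rules from the text that this configuration breaks."""
        problems = []
        if not any(s.subnet_type in (WAN, WAN_AND_DMZ, LOCALHOST) for s in self.subnets):
            problems.append("a subnet in DMZ cannot be the only subnet: the WAN port "
                            "localhost needs an IP from a WAN, WAN-and-DMZ or localhost subnet")
        gw = ip_address(self.gateway)
        for s in self.subnets:
            if s.subnet_type in (DMZ, WAN_AND_DMZ) and not s.dmz_port:
                problems.append(f"{s.network}: DMZ Port is required")
            if s.subnet_type != LOCALHOST and not s.localhost:
                problems.append(f"{s.network}: at least one IP on Localhost is required")
            if s.subnet_type == WAN_AND_DMZ and gw not in expand(s.in_wan):
                problems.append(f"{s.network}: gateway {gw} must be listed in IP(s) in WAN")
        return problems

    def classify(self, addr: str) -> str:
        """Area FortiWAN would place an address in, given this link's static routes."""
        ip = ip_address(addr)
        for s in self.subnets:
            if ip not in ip_network(s.network, strict=False):
                continue
            if ip == ip_address(self.gateway):
                return "near WAN"       # the link's gateway is counted in the near WAN
            if s.subnet_type == LOCALHOST or ip in expand(s.localhost):
                return "localhost"      # a localhost subnet puts every other IP on the WAN port
            if s.subnet_type == WAN:
                return "near WAN"
            if s.subnet_type == DMZ:
                return "DMZ"
            return "near WAN" if ip in expand(s.in_wan) else "DMZ"
        return "Internet"               # no static route: Auto Routing, BWM and NAT apply


# Constructed from the examples in the text (gateway 203.69.118.9 on Port2).
LINK_WAN = RoutingModeWanLink("Port2", "203.69.118.9", [
    BasicSubnet(WAN, "203.69.118.8/29", localhost=["203.69.118.10"])])
LINK_WAN_PLUS_DMZ = RoutingModeWanLink("Port2", "203.69.118.9", [
    BasicSubnet(WAN, "203.69.118.8/29", localhost=["203.69.118.10"]),
    BasicSubnet(DMZ, "140.112.8.8/29", localhost=["140.112.8.9"], dmz_port="Port5")])
LINK_SPLIT = RoutingModeWanLink("Port2", "203.69.118.9", [
    BasicSubnet(WAN_AND_DMZ, "203.69.118.8/29", localhost=["203.69.118.10"],
                in_wan=["203.69.118.9", "203.69.118.11-203.69.118.12"], dmz_port="Port5")])
LINK_LOCALHOST = RoutingModeWanLink("Port2", "203.69.118.9", [
    BasicSubnet(LOCALHOST, "203.69.118.8/29")])
LINK_DMZ_ONLY = RoutingModeWanLink("Port2", "203.69.118.9", [      # invalid on purpose
    BasicSubnet(DMZ, "140.112.8.8/29", localhost=["140.112.8.9"], dmz_port="Port5")])

if __name__ == "__main__":
    for name, link in [("WAN", LINK_WAN), ("WAN+DMZ", LINK_WAN_PLUS_DMZ),
                       ("WAN and DMZ", LINK_SPLIT), ("localhost", LINK_LOCALHOST)]:
        print(name, link.validate() or "ok")
        for a in ("203.69.118.9", "203.69.118.10", "203.69.118.12",
                  "203.69.118.14", "140.112.8.12", "198.51.100.7"):
            print(f"  {a:15} -> {link.classify(a)}")
    print("DMZ only", LINK_DMZ_ONLY.validate())
```

Running the script prints, for each sample link, where every probe address lands; 198.51.100.7 (a documentation address) is the one address no static route covers, so it is the only one that would go through Auto Routing, Bandwidth Management and NAT.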

IPv4/IPv6 Static Routing Subnets

A WAN link’s static routing subnets are the subnets connected to the WAN link’s basic subnets via routers or L3 switches. As with the basic subnets, FortiWAN needs the corresponding static route (dynamic routing protocols are not supported for WAN links’ networks) so that it can find the path to forward packets to the static routing subnets. Configuring a static routing subnet on a WAN link here means adding the routing information to FortiWAN. A routing-mode WAN link supports both IPv4 and IPv6 static routing subnets, for pure IPv4-based WAN links and IPv4/IPv6 dual stack WAN links. According to the area a subnet is deployed in, the static routing subnets of a WAN link are divided into:

  • Subnet in WAN: A static routing subnet deployed in WAN, connected to a basic subnet in WAN or basic subnet in WAN and DMZ.
  • Subnet in DMZ: A static routing subnet deployed in DMZ, connected to a basic subnet in DMZ or basic subnet in WAN and DMZ.

Next come a few examples to further illustrate configurations in [Basic Subnet] and [Static Routing Subnet].

[IPv4/IPv6 Static Routing Subnet]: Subnet in WAN

Click the add button on the IPv4 Static Routing Subnet panel or IPv6 Static Routing Subnet panel to add a configuration, and select Subnet in WAN from the Subnet Type drop-down menu. The remaining configuration fields are as follows:

Network IP The network IP of the IPv4 static routing subnet that you want to deploy in (near) WAN area of the WAN link. This field is in IPv4 Static Routing Subnet panel.
Netmask Netmask of the IPv4 static routing subnet that you want to deploy in (near) WAN area of the WAN link. This field is in IPv4 Static Routing Subnet panel.
Subnet The IPv6 static routing subnet that you want to deploy in (near) WAN area of the WAN link in format such as 2000::123f:0:0:1/32. This field is in IPv6 Static Routing Subnet panel.
Gateway IPv4/IPv6 address of the gateway (router) connecting a basic subnet with the static routing subnet. This IP address is the path that FortiWAN uses to forward packets destined to the static routing subnet to. This field is in both IPv4 and IPv6 Static Routing Subnet panels.
Proxy ARP Check to enable Proxy ARP on FortiWAN for the static routing subnet; FortiWAN will answer the ARP queries for a network address that is in the static routing subnet. This field is in IPv4 Static Routing Subnet panel.

This topology, where a static routing subnet is located on the WAN, is rarely seen in actual networks. In other words, the subnet in WAN does not connect to FortiWAN directly but needs a router to transfer packets. In this example, a subnet 202.3.1.8/29 located on the WAN connects to the basic subnet 203.69.118.8/29 via a router (202.3.1.9 and 203.69.118.10). Subnet 202.3.1.8/29 is therefore a static routing subnet of the WAN link. Configuration of the static routing subnet tells FortiWAN the route for packets destined to subnet 202.3.1.8/29.

As described in the UI, FortiWAN forwards packets to the gateway 203.69.118.10 to deliver them to subnet 202.3.1.8/255.255.255.248.

Basic Setting  
WAN Port Port2
IPv4 Gateway 203.69.118.9
IPv4 Basic Subnet  
Subnet Type Subnet in WAN
IP(s) on localhost 203.69.118.10
Netmask 255.255.255.248
IPv4 Static Routing Subnet
Subnet Type Subnet in WAN
Network IP 202.3.1.8
Netmask 255.255.255.248
Gateway 203.69.118.10
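How a basic subnet and a static routing subnet differ for forwarding (a basic subnet delivers directly on its port; a static routing subnet hands the packet to a gateway that must itself sit inside a basic subnet; anything unmatched falls to Auto Routing, Bandwidth Management and NAT) can be shown as a longest-prefix lookup. The Python below is an added example, not FortiWAN code: StaticRouteTable, BasicSubnetRoute and StaticRoutingSubnet are names assumed for the illustration, and the table is constructed from the example above (basic subnet 203.69.118.8/29 on Port2, static routing subnet 202.3.1.8/29 via 203.69.118.10). A second table whose gateway lies outside every basic subnet (192.0.2.1, a documentation address) shows the check worth running before saving such a route.

```python
"""Next-hop lookup over a WAN link's static routes: basic subnets (directly
connected to a port) and static routing subnets (reached via a gateway inside
a basic subnet).  Added illustration, not FortiWAN code; names are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BasicSubnetRoute:
    network: str      # Network IP + Netmask/Prefix Length
    port: str         # the WAN or DMZ port the subnet hangs off


@dataclass(frozen=True)
class StaticRoutingSubnet:
    network: str      # Network IP + Netmask (or the IPv6 Subnet field)
    gateway: str      # router address connecting a basic subnet with this subnet


class StaticRouteTable:
    def __init__(self, basic: List[BasicSubnetRoute], static: List[StaticRoutingSubnet]):
        self.basic = [(ip_network(b.network, strict=False), b) for b in basic]
        self.static = [(ip_network(s.network, strict=False), s) for s in static]

    def port_for(self, addr) -> Optional[str]:
        """Port of the most specific basic subnet that contains addr, if any."""
        hits = [(n, b) for n, b in self.basic if addr in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1].port if hits else None

    def check(self) -> List[str]:
        """A static routing subnet is unreachable unless its gateway is in a basic subnet."""
        return [f"{s.network}: gateway {s.gateway} is not inside any basic subnet"
                for _, s in self.static if self.port_for(ip_address(s.gateway)) is None]

    def lookup(self, dst: str) -> Tuple[str, Optional[str], Optional[str]]:
        """Return (decision, next hop, egress port) for a destination address.

        'direct'  - destination is in a basic subnet: deliver on that port
        'static'  - destination is in a static routing subnet: forward to its gateway
        'default' - no static route: Auto Routing, Bandwidth Management and NAT
                    pick a WAN link and send it to that link's gateway
        """
        ip = ip_address(dst)
        cands = [(n, "direct", b) for n, b in self.basic if ip in n] + \
                [(n, "static", s) for n, s in self.static if ip in n]
        if not cands:
            return ("default", None, None)
        net, kind, entry = max(cands, key=lambda c: c[0].prefixlen)  # longest prefix wins
        if kind == "direct":
            return ("direct", dst, entry.port)
        return ("static", entry.gateway, self.port_for(ip_address(entry.gateway)))


# Constructed from the Subnet in WAN example in the text.
TABLE = StaticRouteTable(
    basic=[BasicSubnetRoute("203.69.118.8/29", "Port2")],
    static=[StaticRoutingSubnet("202.3.1.8/29", "203.69.118.10")])

# Same static routing subnet, but pointed at a gateway no basic subnet contains (constructed).
BROKEN_TABLE = StaticRouteTable(
    basic=[BasicSubnetRoute("203.69.118.8/29", "Port2")],
    static=[StaticRoutingSubnet("202.3.1.8/29", "192.0.2.1")])

if __name__ == "__main__":
    for dst in ("203.69.118.13", "202.3.1.12", "198.51.100.7"):
        print(dst, "->", TABLE.lookup(dst))
    print("problems:", TABLE.check() or "none")
    print("problems:", BROKEN_TABLE.check())
```

The lookup for 202.3.1.12 resolves recursively: the static route names 203.69.118.10 as next hop, and that address is then matched against the basic subnets to find the egress port, which is exactly the dependency the check() method enforces.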

[IPv4/IPv6 Static Routing Subnet]: Subnet in DMZ

Click the add button on the IPv4 Static Routing Subnet panel or IPv6 Static Routing Subnet panel to add a configuration, and select Subnet in DMZ from the Subnet Type drop-down menu. The remaining configuration fields are as follows:

Network IP The network IP of the IPv4 static routing subnet that you want to deploy in DMZ area of the WAN link. This field is in IPv4 Static Routing Subnet panel.
Netmask Netmask of the IPv4 static routing subnet that you want to deploy in DMZ area of the WAN link. This field is in IPv4 Static Routing Subnet panel.
Subnet The IPv6 static routing subnet that you want to deploy in DMZ area of the WAN link in format such as 2000::123f:0:0:1/32. This field is in IPv6 Static Routing Subnet panel.
Gateway IPv4/IPv6 address of the gateway (router) connecting a basic subnet with the static routing subnet. This IP address is the path that FortiWAN uses to forward packets destined to the static routing subnet to. This field is in both IPv4 and IPv6 Static Routing Subnet panels.
Proxy ARP Check to enable Proxy ARP on FortiWAN for the static routing subnet; FortiWAN will answer the ARP queries for a network address that is in the static routing subnet. This field is in IPv4 Static Routing Subnet panel.

This topology is very similar to the Static Routing Subnet: Subnet in WAN in the last example. The only difference is that the subnet is in the DMZ area.

As described in the UI, FortiWAN forwards packets to the gateway 203.69.118.14 to deliver them to subnet 139.3.1.8/255.255.255.248.

Basic Setting  
WAN Port Port2
IPv4 Gateway 203.69.118.9
IPv4 Basic Subnet  
Subnet Type Subnet in WAN and DMZ
IP(s) on localhost 203.69.118.10
IP(s) in WAN 203.69.118.11-203.69.118.13
Netmask 255.255.255.248
DMZ Port Port5
IPv4 Static Routing Subnet
Subnet Type Subnet in DMZ
Network IP 139.3.1.8
Netmask 255.255.255.248
Gateway 203.69.118.14

See also
  • WAN link and WAN port
  • VLAN and port mapping
  • Configurations for VLAN and Port Mapping
  • Outbound Load Balancing and Failover (Auto Routing)
  • Inbound Load Balancing and Failover (Multihoming)
  • Scenarios to deploy subnets
  • Public IP pass through (DMZ Transparent Mode)
  • IPv6/IPv4 Dual Stack


Configuring networks to FortiWAN

As described previously, FortiWAN is an intelligent WAN load balancing device providing services to increase connection efficiency and reliability between the internal and external networks, but basically, as a router, its fundamental job is to route IP packets among the connected networks. According to purpose and functionality, a connected network is one of three types: WAN, LAN and DMZ. When you configure the settings of a network on a FortiWAN, you are registering the network to the FortiWAN (mainly adding the related routing information about the network), so that the FortiWAN can find the path to correctly route packets destined to the network. Network settings establish the routing rules FortiWAN needs so that the connected WAN, LAN and DMZ networks can communicate with each other. Besides routing rules, network settings require other information needed to guarantee proper cooperation between the connected network and FortiWAN. Whatever the types of the connected networks, there are some common concepts among the settings:

Static route: basic subnets & static routing subnets

Within a network site, FortiWAN routes communication among the connected WAN (actually near WAN, see WAN, LAN and DMZ and Near WAN), LAN and DMZ networks according to established static routing entries, without WAN load balancing and fail-over being involved. Those static routing entries for connected networks are manually added to FortiWAN through network settings. A connected network can contain several subnets. Basically, FortiWAN defines two types of subnets for a connected network’s static route, basic subnet and static routing subnet:

Basic subnet: Any subnet connected directly to FortiWAN’s network port is called a basic subnet. Setting for a basic subnet tells FortiWAN the network IP, netmask of the subnet and the connected port, so that FortiWAN is aware of the network port used to directly deliver the packets destined to the subnet.

Static routing subnet: Any subnet connected directly or indirectly to one of FortiWAN’s basic subnets is called a static routing subnet. Setting for a static routing subnet tells FortiWAN the network IP, netmask of the subnet and the gateway, so that FortiWAN can find the next hop to forward packets destined to the subnet, although the static routing subnet does not connect directly to the FortiWAN.

Basically, all the network configurations in WAN Setting (see Configuring your WAN and DMZ), WAN/DMZ Private Subnet (see WAN/DMZ Private Subnet) and LAN Private Subnet (see LAN Private Subnet) contain settings of basic subnet and static routing subnet, except IPv4-based bridge-mode WAN links. FortiWAN’s basic subnets and static routing subnets are static routes; therefore, any physical change to the deployment of the subnets requires corresponding modifications to the routing entries. Basic static routes are suitable for simple topologies. When you have a large-scale network with complex topologies, dynamic routing is more suitable. FortiWAN supports RIP (v1 and v2), OSPF and VRRP on its LAN ports.

IPv4/IPv6 dual stack

FortiWAN supports IPv4/IPv6 dual stack, which means a FortiWAN can be configured with both IPv4 and IPv6 connectivity capabilities (FortiWAN does not support a pure IPv6-based network). Neither the IPv4 network nor the IPv6 network is dispensable when configuring a dual stack network on FortiWAN. Therefore, the required static routing information for configuring a dual stack network on a WAN, LAN or DMZ port includes an IPv4 basic subnet, IPv4 static routing subnet, IPv6 basic subnet and IPv6 static routing subnet.

Auto addressing

FortiWAN supports auto addressing on each of the WAN, LAN and DMZ ports, so that hosts in any of the connected basic subnet can be automatically assigned IP addresses and relative information. FortiWAN provides the addressing mechanisms including DHCP, DHCP relay, DHCPv6 and SLAAC (see Automatic addressing within a basic subnet).

Configuring your WAN and DMZ

In this section we will talk about the configurations for WAN and DMZ network deployments. To have a FortiWAN accessing to the Internet, it requires an ISP network connected to the FortiWAN. The connectivity between a FortiWAN’s WAN port and an ISP network is called a WAN link, which is the necessary medium for accessing the Internet. FortiWAN’s DMZ is designed to be associated with a WAN link, therefore, configuration of a DMZ must be included in a WAN link.

Compared with a LAN network, more concerns need to be taken care of for a WAN link and its DMZ. Besides port mapping for the WAN ports on a FortiWAN, you need to decide the WAN type and the subsequent subnet deployments for a WAN link as well. Generally, an ISP provides connectivity in various ways. Here is a table telling what you will get from the ISP for each connectivity type:

FortiWAN supports WAN links in both routing mode and bridge mode (See WAN types: Routing mode and Bridge mode).

Internet connectivity type       | IP type | No. of IP | Network scale                                                                      | Modem type
Routing Mode                     | Static  | Multiple  | An IP subnet (number of available IP matches the netmask)                          | A gateway (router)
Bridge Mode: One Static IP       | Static  | Single    | One IP of a large-scale subnet (fewer available IPs than the netmask allows)        | A bridge, not a gateway
Bridge Mode: Multiple Static IP  | Static  | Multiple  | An IP range of a large-scale subnet (fewer available IPs than the netmask allows)   | A bridge, not a gateway
Bridge Mode: PPPoE               | Dynamic | Single    | One IP of a large-scale subnet                                                     | A bridge, not a gateway
Bridge Mode: DHCP Client         | Dynamic | Single    | One IP of a large-scale subnet                                                     | A bridge, not a gateway

Since the ISP provides the available IP addresses in different ways for the above Internet connectivity types, FortiWAN has corresponding mechanisms to identify the near WAN areas and define the static route. Before continuing on the topic, let us first review what a near WAN is to FortiWAN. As described previously, FortiWAN defines the area between a FortiWAN’s WAN port and the ISP’s modem as the near WAN of the WAN link. Individual IP addresses, segments and subnets deployed within this area are considered the near WAN of a WAN link. As opposed to the WAN area (the Internet), although the near WAN is located on the WAN side, it can be considered a part of your network site, just like the LAN and DMZ areas. Within the network site, FortiWAN delivers packets among the near WAN, DMZ and LAN according to the static routes. Services of load balancing, fail-over, traffic shaping and statistics (Auto Routing, Bandwidth Management and NAT) are not applied to those packets. Only packets destined to somewhere not defined in the routing table (traffic communicating with hosts outside the site) are handled by Bandwidth Management, Auto Routing and NAT, and forwarded to the gateway (the Internet). Note that traffic within the near WAN and traffic communicating with the near WAN is not counted in the outbound and inbound traffic of the WAN link, but it does occupy part of the bandwidth of the WAN link. Be careful about the usage of your near WAN: a lot of near WAN traffic impacts FortiWAN’s WAN load-balancing and traffic shaping.

Configurations of WAN links are mainly about setting the static routing information for the near WAN (and DMZ) on FortiWAN. Compared with a LAN, setting the static route for the near WAN and DMZ of a WAN link is more complex and variable. According to the distinguishing characteristics of the different WAN types, FortiWAN identifies the near WAN and DMZ areas of a WAN link in different ways. Configuring a WAN link as an unsuitable type on FortiWAN results in a mistaken near WAN identification; miscalculation and misjudgment then happen when performing traffic statistics, traffic shaping and load-balancing. The following are the mechanisms FortiWAN uses for the different WAN types:

Routing-mode WAN link
  • It requires at least one IPv4 network configured for an IPv4-based Internet connectivity, or a pair of IPv4 and IPv6 networks for a dual-stack connectivity.
  • Any IP address of the network is considered either in near WAN or DMZ (except the IP used by localhost).
  • The whole IPv4/IPv6 network (indicated by the specified netmask) is considered to belong to your site, either in the form of a near WAN or a combination of near WAN and DMZ.
  • A near WAN is considered an IPv4/IPv6 network, and the gateway of the WAN link is counted in the near WAN.
  • Traffic that matches routing entries of the network bypasses Bandwidth Management and Auto Routing. If a bridge-mode Internet connectivity is incorrectly configured as a routing-mode WAN link on FortiWAN, all the IP addresses of the network (usually a large-scale network such as a class C) will be considered to belong to your site. However, most of those IP addresses do not actually belong to your site (they are outside of your site, over the Internet), and WAN load-balancing, fail-over and traffic shaping should not be bypassed for that traffic.

Bridge-mode WAN link with multiple static IP
  • It requires exactly specifying the individual IPv4/IPv6 addresses or IPv4/IPv6 ranges to deploy near WAN and/or DMZ for an IPv4-based or dual-stack WAN link.
  • Only the specified IPv4/IPv6 addresses are considered to belong to your site (located in near WAN or DMZ). Unspecified IP addresses are considered outside of your site, belonging to the Internet.
  • A near WAN is considered a segment of an IPv4/IPv6 network. The gateway of the WAN link is not counted in the near WAN.
  • Incorrectly configuring a routing-mode Internet connectivity as a bridge-mode WAN link on FortiWAN will result in abnormal behavior for traffic communicating with the gateway and unspecified IP addresses.

Bridge-mode WAN link with one static IP, PPPoE bridge-mode WAN link, DHCP bridge-mode WAN link
  • Near WAN and DMZ are not supported for these WAN types on FortiWAN. Only the IPv6/IPv4 address assigned to the localhost of the WAN link is considered to belong to your site. All the other IP addresses (including the gateway) within the same network (indicated by the specified netmask) are considered outside of your site.
  • Incorrectly configuring a routing-mode Internet connectivity as a bridge-mode WAN link on FortiWAN will result in abnormal behavior for traffic communicating with the gateway and unspecified IP addresses.

You have to figure out the type of your link, so that you can correctly configure it on FortiWAN. The netmask and the number of IP addresses indicate whether you have a complete IP subnet (routing mode) or just some IP addresses of a large-scale subnet (bridge mode). If you have ISP links belonging to Routing Mode or Bridge Mode: Multiple Static IP, you will have more than one IP address to use. The localhost of a WAN port requires one IP address, and the rest of the IP addresses are available to hosts connected to the WAN port and a DMZ port. Deploying IP addresses to WAN and DMZ is therefore included in the configurations of Routing Mode and Bridge Mode: Multiple Static IP. As for links belonging to Bridge Mode: One Static IP, Bridge Mode: PPPoE and Bridge Mode: DHCP Client, the only IP address must be used by the localhost of the WAN port, and there will be no more IP addresses available to other hosts in WAN and DMZ.
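As an added illustration (example code, not FortiWAN’s own), the following Python models the three identification rules above and counts how many addresses would wrongly bypass load balancing and shaping when a bridge-mode line with five static IPs is typed as routing mode. The class and function names and the 203.0.113.0/24 addresses are constructed for the example.

```python
from ipaddress import ip_address, ip_interface

# Outcomes of the near WAN/DMZ identification as modelled here
# (the labels are this example's, not FortiWAN terminology).
SITE = "site"          # near WAN or DMZ: bypasses Bandwidth Management / Auto Routing
INTERNET = "internet"  # outside the site: subject to load balancing and shaping


class WanLink:
    """Minimal model of one WAN link; only what is needed to classify an address."""

    def __init__(self, wan_type, localhost, prefix, site_ips=()):
        # wan_type: "routing", "bridge-multi" (multiple static IP) or
        # "bridge-single" (one static IP; PPPoE and DHCP behave the same way)
        self.wan_type = wan_type
        self.localhost = ip_address(localhost)
        self.prefix = prefix                                # netmask length from the ISP
        self.site_ips = {ip_address(a) for a in site_ips}  # bridge-multi only

    def network(self):
        return ip_interface(f"{self.localhost}/{self.prefix}").network

    def classify(self, addr):
        addr = ip_address(addr)
        if addr == self.localhost:
            return "localhost"
        if self.wan_type == "routing":
            # The whole network belongs to the site; the gateway is counted too.
            return SITE if addr in self.network() else INTERNET
        if self.wan_type == "bridge-multi":
            # Only the explicitly specified addresses; the gateway is not counted.
            return SITE if addr in self.site_ips else INTERNET
        # bridge-single: nothing but the localhost address belongs to the site.
        return INTERNET


def wrongly_bypassed(correct, wrong):
    """Addresses of the link's network that the misconfigured link exempts from
    load balancing and shaping although the correct configuration would not."""
    return [str(a) for a in wrong.network().hosts()
            if wrong.classify(a) == SITE and correct.classify(a) == INTERNET]


# Constructed example: the ISP hands out 203.0.113.10-203.0.113.14 (five
# addresses) from its 203.0.113.0/24 behind a bridge modem; the gateway is .1.
BRIDGE_LINK = WanLink("bridge-multi", "203.0.113.10", 24,
                      site_ips=["203.0.113.11", "203.0.113.12",
                                "203.0.113.13", "203.0.113.14"])
# The same line mistakenly typed as a routing-mode link.
MISTYPED_LINK = WanLink("routing", "203.0.113.10", 24)
# A single-IP bridge line (one static IP / PPPoE / DHCP) for comparison.
SINGLE_LINK = WanLink("bridge-single", "203.0.113.10", 24)

if __name__ == "__main__":
    print(BRIDGE_LINK.classify("203.0.113.1"))               # internet: gateway not in near WAN
    print(MISTYPED_LINK.classify("203.0.113.1"))             # site: gateway counted
    print(len(wrongly_bypassed(BRIDGE_LINK, MISTYPED_LINK)))  # 249
```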

[WAN Settings] is the major part of deploying FortiWAN on various types of WAN links. If your network has several WAN links, you have to configure them one after another. Select any link from [WAN link] and check [Enable] to start a configuration of the WAN connection (See “WAN link and WAN port”). A configuration of a WAN link is divided into three parts: Basic Settings, Basic Subnet and Static Routing Subnet. Before starting configuration, here are several important concepts you should know.

Configuration of a WAN link, no matter what the WAN type it is, contains the following parts:

Basic setting

The basic setting requires you to set the maximum upload/download bandwidth of a WAN link, the upload/download threshold and the MTU for transmission between FortiWAN and the ISP’s network. These settings are necessary for FortiWAN Bandwidth Management (see Bandwidth Management), Auto Routing (see Auto Routing) and Multihoming (see Multihoming) to process the real WAN traffic between FortiWAN and the Internet (traffic between FortiWAN and its near WAN is not included).

For bridge-mode WAN links, the basic setting also contains extra fields:

Bridge Mode: One Static IP

Allocating the only IPv4/IPv6 address to localhost of the WAN port.

Bridge Mode: Multiple Static IP

Allocating one IPv4/IPv6 address to the localhost of the WAN port, and arranging the others into network segments in WAN and/or DMZ if necessary. In contrast to routing-mode WAN links, the ISP provides you a range of IP addresses of a large-scale network for the bridge-mode WAN link, not a network subnet. These IP addresses can be deployed in WAN and/or DMZ, and the corresponding static route will be established as well, but it is just not a basic subnet (in routing mode, IP addresses of a WAN link in WAN and/or DMZ are treated as )

Bridge Mode: PPPoE

The username and password for PPPoE access.

IPv4/IPv6 basic subnet & IPv4/IPv6 static routing subnet

As described previously, FortiWAN needs static routes to find the path for traffic among the LAN, DMZ and near WAN. When you configure a routing-mode WAN link or an IPv4/IPv6 dual-stack link, the settings of basic subnet and static routing subnet are the routes to FortiWAN for the IPv4/IPv6 networks connecting to WAN ports and/or DMZ ports.

Routing mode and Bridge mode: multiple static IP

Routing mode and bridge mode (multiple static IP) deploy IP addresses in WAN and DMZ in different ways. The following table lists the difference between the two modes for the WAN link deployments.

 

Form of given IPs and netmask
  • Routing mode: An IP subnet (the number of IPs matches the scale of the netmask)
  • Bridge mode (Multiple static IP): A range of IPs (the number of IPs is less than the scale of the netmask)

Gateway
  • Routing mode: Located on customer premises
  • Bridge mode (Multiple static IP): Located in the ISP’s central office

Modem type
  • Routing mode: Functions as a router (the gateway)
  • Bridge mode (Multiple static IP): Functions as a bridge

Deployment of near WAN and/or DMZ
  • Routing mode: Supported
  • Bridge mode (Multiple static IP): Supported

Static routing subnets in near WAN and/or DMZ
  • Routing mode: Supported
  • Bridge mode (Multiple static IP): Not supported

Configuration for near WAN and/or DMZ
  • Routing mode: In Basic Subnet and Static Routing Subnet
  • Bridge mode (Multiple static IP): In Basic Setting

Start to configure a WAN link

To deploy a WAN link on FortiWAN, go to System > Network Setting and expand WAN Setting panel on the Web UI. Configurations of all the WAN links start from a common setting block in the panel:

WAN Link Select the WAN link that you are configuring on FortiWAN from the drop-down menu. Depending on the model, FortiWAN supports up to 25 or 50 WAN links. All the WAN links are numbered from 1 to 25 or 50, such as WAN link 1, WAN link 2, … and WAN link 50. Each number indicates a WAN link. The number has nothing to do with the WAN port that the WAN link is installed on. For example, you can install WAN link 1 on WAN Port 3, or WAN link 3 on WAN Port 1.

The number of WAN links that a FortiWAN supports is always more than its physical network ports. For example, FortiWAN 200B supports 25 WAN links, but only 5 physical network ports are provided. You will need to create VLAN ports on FortiWAN’s ports to install more than 4 WAN links.

In the configurations of most of FortiWAN’s services, such as Auto Routing, Multihoming, Bandwidth Management, Virtual Server, NAT, etc., these WAN links appear as options for associating policies and rules with a WAN link. They are also the options used to switch among WAN links for statistics.

Enable Check/uncheck to enable/disable the WAN link. Enabling/disabling a WAN link does not represent the connectivity status of the WAN link. Connectivity statuses of the enabled WAN links are listed in the WAN Link State panel on Web UI page System > Summary.
Note Text descriptions for the WAN link. You can see the notes of the enabled WAN link in WAN Link State panel on Web UI page System > Summary.
WAN Type

The first step to start a WAN link configuration is deciding the WAN type (See “WAN types: Routing mode and Bridge mode”). Configuration varies on [WAN Type] in [Basic Settings]. The [WAN Type] could be one of:

  • Routing Mode (See “Configurations for a WAN link in Routing Mode”)
  • Bridge Mode: One Static IP (See “Configurations for a WAN link in Bridge Mode: One Static IP”)
  • Bridge Mode: Multiple Static IP (See “Configurations for a WAN link in Bridge Mode: Multiple Static IP”)
  • Bridge Mode: PPPoE (See “Configurations for a WAN link in Bridge Mode: PPPoE”)
  • Bridge Mode: DHCP Client (See “Configurations for a WAN link in Bridge Mode: DHCP”)

See also
  • WAN link and WAN port
  • Configurations for a WAN link in Routing Mode
  • Configurations for a WAN link in Bridge Mode: One Static IP
  • Configurations for a WAN link in Bridge Mode: Multiple Static IP
  • Configurations for a WAN link in Bridge Mode: PPPoE
  • Configurations for a WAN link in Bridge Mode: DHCP

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiWAN Aggregated, Redundant, VLAN Ports and Port Mapping

Aggregated, Redundant, VLAN Ports and Port Mapping

Go to System > Network Setting from the Web UI and click the label VLAN and Port Mapping in the upper-right corner to expand the configuration panel. In this configuration you can create logical network ports and define the port mapping for the physical and logical ports. The VLAN and Port Mapping panel consists of four tables, VLAN and Port Mapping, Redundant LAN Port, Redundant DMZ Port and Aggregated Port, which are described as follows:

VLAN and Port Mapping

As described previously, FortiWAN’s physical network ports can be further programmed as an aggregated port, a redundant port or several VLAN ports, which are generally called logical ports (see Network interfaces and port mapping). A network port must function as a WAN, LAN or DMZ port and be connected with a corresponding network (a WAN, LAN or DMZ network), so that FortiWAN can work correctly for the connected network. Although each of FortiWAN’s physical ports is mapped to a port type by default, the default mapping can be changed (and logical ports can even be created) according to how you deploy your network site. For example, a FortiWAN 200B’s Port 1 could be programmed as a LAN port, Port 2 could be programmed as a DMZ port, and Port 3 ~ Port 5 could be programmed as WAN ports, while by default Port 1 ~ Port 3 are WAN ports, Port 4 is a LAN port and Port 5 is a DMZ port. VLAN and Port Mapping is the configuration table for defining the port mapping and creating VLAN IDs on the ports. It consists of three elements: Port, VLAN Tag and Mapping:

Port

In the VLAN and Port Mapping table, each of FortiWAN’s physical ports is listed in the Port column (indicated as Port1, Port2, Port3 …, corresponding to the numbers presented on the front panel of the FortiWAN device), so that port mapping can be programmed and VLAN tags can be created on it. Moreover, the created aggregated ports (a logical port that is created by aggregating two physical ports, see Aggregated Port below for more details) will also be listed here for defining mappings and VLAN tags on them. As for a FortiWAN-VM appliance, the ports listed in the Port column are indicated as vNIC2, vNIC3, vNIC4 …; the mapping between the ports and the vNICs is as below (vNIC 1 is used for the HA port and cannot be changed):

Port     vNIC
Port 1   vNIC 2
Port 2   vNIC 3
Port 3   vNIC 4
Port 4   vNIC 5
Port 5   vNIC 6
Port 6   vNIC 7
Port 7   vNIC 8
Port 8   vNIC 9
Port 9   vNIC 10

Mapping

For the ports listed in the table, there are four options available for mapping them to a function (click the pulldown menus of Mapping column):

WAN   Specify a physical port or a VLAN port as a WAN port. This option is not available for an aggregated port.
LAN   Specify a physical port, a VLAN port or an aggregated port as a LAN port.
DMZ   Specify a physical port, a VLAN port or an aggregated port as a DMZ port.
None   Specify a port as having no purpose. To aggregate two physical ports, the two ports must be mapped to None first (see Aggregated Port below).

Whether a port is a physical port or a logical port (aggregated, redundant or VLAN port), it must be programmed as one of the port types (WAN, LAN or DMZ) before it can be used by other services. A port that is programmed as a WAN, LAN or DMZ port will become an option in the setting items of some configurations:

  • Port that is programmed as a WAN port will be listed in the pull-down menus:
      • [WAN Port] of WAN Setting for configuring and deploying a WAN subnet to the ports (see Configuring your WAN).
      • [WAN Port] of WAN/DMZ Private Subnet for configuring and deploying a private WAN subnet to the ports (see WAN/DMZ Private Subnet).
      • [Input Port] of Auto Routing’s IPv4/IPv6 Filters for creating a filter rule to evaluate packets by the port receiving the packets (see Outbound Load Balancing and Failover).
      • [Input Port] of Bandwidth Management’s IPv4/IPv6 Filters of Outbound BM for creating a filter rule to evaluate packets by the port receiving the packets (see Bandwidth Management).
  • Port that is programmed as a DMZ port will be listed in the pull-down menus:
      • [DMZ Port] of WAN Setting for configuring and deploying a DMZ subnet to the ports (see Configuring your WAN).
      • [DMZ Port] of WAN/DMZ Private Subnet for configuring and deploying a private DMZ subnet to the ports (see WAN/DMZ Private Subnet).
      • [Input Port] of Auto Routing’s IPv4/IPv6 Filters for creating a filter rule to evaluate packets by the port receiving the packets (see Outbound Load Balancing and Failover).
      • [Input Port] of Bandwidth Management’s IPv4/IPv6 Filters of Outbound BM for creating a filter rule to evaluate packets by the port receiving the packets (see Bandwidth Management).
  • Port that is programmed as a LAN port will be listed in the pull-down menus:
      • [LAN Port] of LAN Private Subnet for configuring and deploying a LAN subnet to the ports (see Configuring your WAN).
      • [Input Port] of Auto Routing’s IPv4/IPv6 Filters for creating a filter rule to evaluate packets by the port receiving the packets (see Outbound Load Balancing and Failover).
      • [Input Port] of Bandwidth Management’s IPv4/IPv6 Filters of Outbound BM for creating a filter rule to evaluate packets by the port receiving the packets (see Bandwidth Management).

Changes to port mappings here are updated immediately in the corresponding pull-down menus. If a port has been configured and deployed with a network, or has been associated with a filter rule, a change to the mapping of the port will invalidate the original deployments and settings. Please remember to reconfigure the related settings if a port mapping is changed.

VLAN Tag

FortiWAN supports IEEE 802.1Q, which is also known as VLAN Tagging (Cisco’s ISL is not supported). A FortiWAN physical port can be mapped to several VLAN ports. In a large-scale network that is segmented into smaller groups of subnets by a VLAN switch, FortiWAN allows data to be exchanged between these subnets. Moreover, the VLAN switch ports can be programmed as DMZ, WAN or LAN ports. To introduce a VLAN switch into a network working with FortiWAN, here is an example:

FortiWAN’s Port 1 is connected with the VLAN switch, and appropriate VLAN settings have been configured on the VLAN switch. Now VLAN tagging must be configured on FortiWAN for the VLAN deployment to work. The steps are:

  1. In the VLAN and Port Mapping table, click the Add button in the VLAN Tag field of Port 1 to create a new VLAN tag. A VLAN tag input will then be available to replace the original string “no VLAN Tag”.
  2. Enter the VLAN tag into the input field to define a VLAN on Port1.
  3. This VLAN tag can be edited, deleted, or moved up/down by the buttons beside it.
  4. Map the VLAN tag to WAN, LAN or DMZ in the Mapping column.
  5. Define the next VLAN on Port1 by the same steps.

Port     VLAN Tag   Mapping
Port 1   101        WAN
         102        WAN
         103        LAN
         104        DMZ

After the configuration is applied, FortiWAN’s Port 1 will no longer accept untagged packets. Through the VLAN switch, both Port 1.101 and Port 1.102 are connected with a WAN link (Port 1.101 and Port 1.102 will be listed in the WAN Port pull-down menu for WAN Setting), while Port 1.103 is connected with the LAN subnet (Port 1.103 will be listed in the LAN Port pull-down menu for the Private LAN Subnet setting) and Port 1.104 is connected with the DMZ subnet (Port 1.104 will be listed in the DMZ Port pull-down menu for DMZ Setting). You can also define VLAN tags on an aggregated port from the table (an aggregated port must be created first before VLAN tags can be defined on it).
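An added example (not FortiWAN code) of what the applied configuration means on the wire: a small 802.1Q parser that maps a tagged frame arriving on Port 1 to its logical port and role, and rejects untagged or unknown-VLAN frames. The function names and the sample MAC addresses are constructed.

```python
import struct

# VLAN and Port Mapping of FortiWAN Port 1 from the example above
PORT1_VLAN_MAPPING = {101: "WAN", 102: "WAN", 103: "LAN", 104: "DMZ"}

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_ethernet(frame: bytes):
    """Return (dst, src, vlan_id, ethertype, payload).

    vlan_id is None for an untagged frame. The 802.1Q header is 4 bytes:
    TPID (0x8100) followed by the TCI, whose low 12 bits carry the VLAN ID
    (the top 3 bits are PCP and the next bit is DEI).
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vlan_id = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF
        offset = 18
    return dst, src, vlan_id, ethertype, frame[offset:]


def classify_port1(frame: bytes):
    """Logical port and role a frame on Port 1 is delivered to after the
    VLAN configuration is applied; None means the frame is not accepted."""
    _, _, vid, _, _ = parse_ethernet(frame)
    if vid is None:
        return None                      # untagged frames are no longer accepted
    role = PORT1_VLAN_MAPPING.get(vid)
    if role is None:
        return None                      # VLAN not defined on Port 1
    return f"Port 1.{vid}", role


def build_frame(vid=None, pcp=0, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Constructed sample frame; the MAC addresses are placeholders."""
    dst = bytes.fromhex("0200000000aa")
    src = bytes.fromhex("0200000000bb")
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


if __name__ == "__main__":
    for vid in (101, 104, 999, None):
        print(vid, classify_port1(build_frame(vid)))
```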

Note: This field (VRID) is only available when VRRP mode is enabled in LAN Private Subnet settings. The VRID indicates the virtual router identifier for every VR.

Redundant LAN/DMZ Port

A logical redundant port pairs an active and a standby physical network port. This means a logical redundant LAN port consists of two physical LAN ports, and a logical redundant DMZ port consists of two physical DMZ ports. Under normal usage, the active port passes traffic and the standby port is just a backup. Once the active port goes down (or becomes unavailable), the standby port takes over the active role and starts passing traffic. Why are a redundant LAN port and a redundant DMZ port necessary? Because without the redundant ports, even if FortiWAN is working in HA mode, a single point of failure can still occur in the connectivity between LAN/DMZ subnets and FortiWAN’s LAN/DMZ ports. Redundant ports increase the reliability of connectivity of FortiWAN’s LAN and DMZ. FortiWAN’s redundant port supports the Spanning Tree algorithm and sets the highest value, 0xffff, as its bridge priority. The configuration thus avoids network failure caused by possible packet looping.

Label Name of the logical redundant LAN/DMZ port. Only the ASCII characters “0-9 a-z A-Z” are acceptable for a label and the first character must be non-numeric. After applying the settings, the specified label, in the format Bridge: label name, will become one of the port options in the corresponding pull-down menus used for configurations of LAN setting (see LAN Private Subnet), DMZ setting (see Configuring your WAN), Auto Routing and Bandwidth Management (FortiWAN’s Auto Routing and Bandwidth Management support managing outbound traffic by the input ports on which the traffic is received, see Auto Routing and Bandwidth Management). All the configurations refer to the logical redundant port instead of its member physical ports.

Mapping There are two menus in the Mapping field for selecting the two member-ports under a LAN/DMZ redundant port. All the physical ports and VLAN tags mapped to LAN/DMZ in the VLAN and Port Mapping table are listed here as options. At least two ports must be mapped to LAN/DMZ in VLAN and Port Mapping before creating a LAN/DMZ redundant port, otherwise there will be no items here to select.

Select a LAN/DMZ port from each of the two pull-down menus to add the member-ports to the redundant port. By default, the first configured member-port becomes the active one for the redundant port, while the second one is in hot standby state.

Note that the physical member ports that are redundant to each other must be equal in port speed and duplex (See “Port Speed/Duplex Settings”).

Notices to create a redundant port

Before creating a redundant port, you need to know:

  • The two member-ports of a redundant port can be two physical network ports, two VLAN tags, or a pair of one physical port and a VLAN tag.
  • Exactly two member-ports must be mapped to LAN or DMZ in the VLAN and Port Mapping table before pairing the two ports into a logical LAN/DMZ redundant port.
  • VLAN tags cannot be defined on a redundant port.

Creating a redundant LAN/DMZ port

To configure a redundant LAN port or redundant DMZ port, perform the following steps:

Step 1 Map two ports (two physical ports, two VLAN ports, or a pair of one physical port and one VLAN port) to LAN or DMZ in the VLAN and Port Mapping table.

Step 2 Create a new redundant port configuration by clicking the add button on Redundant LAN Port or Redundant DMZ Port table.

Step 3 Assign the redundant port a name by entering it in the Label field.

Step 4 Select a member-port from each of the two pull-down menus in Mapping field (the ports mapped to LAN or DMZ in VLAN and Port Mapping table are listed here for options).

Step 5 Apply the settings by clicking Apply.

Aggregated Port

FortiWAN’s port aggregation is an implementation of IEEE 802.3ad active mode, which bundles two physical ports into a single logical aggregated port to provide the aggregated bandwidth of the two physical links. If a single point of failure occurs on the connectivity of one of the physical member ports under an aggregated port, traffic will be carried within the remaining port channel. The related parameters of IEEE 802.3ad active mode are set as follows:

 

Parameter          Value    Note
ad_select          stable   as default
all_slave_active   0        as default
downdelay          0        as default
lacp_rate          slow     as default
max_bonds          1        as default
miimon             100      as recommended
min_links          0        as default
updelay            0        as default
use_carrier        1        as default
xmit_hash_policy   layer2   as default

Label Name of the logical aggregated port. Only the ASCII characters “0-9 a-z A-Z” are acceptable for a label and the first character must be non-numeric. After entering a label here, this label will be listed in VLAN and Port Mapping table at the same time so that the logical aggregated port can be mapped to LAN or DMZ, or have VLAN tags defined on it. After applying the settings, the specified label will become one of the port options in corresponding pulldown menus, in the format Bonding: label name, used for configurations of LAN setting (see LAN Private Subnet), DMZ setting (see Configuring your WAN), Auto Routing and Bandwidth Management (FortiWAN’s Auto Routing and Bandwidth Management support managing outbound traffic by input ports where the traffic received on, see Auto Routing and Bandwidth Management). All the configurations refer to the logical aggregated port instead of its member physical ports.
Mapping There are two menus in the Mapping field for selecting the two member-ports under an aggregated port. All the physical ports and VLAN tags mapped to None in the VLAN and Port Mapping table are listed here as options. At least two ports must be mapped to None in VLAN and Port Mapping before creating an aggregated port, otherwise there will be no items here to select.

Select a port from each of the two pull-down menus to add the member-ports to the aggregated port. After this, you need to enable the aggregated port by mapping it to LAN/DMZ or defining VLAN tags on it in the VLAN and Port Mapping table; otherwise the aggregated port stays mapped to None by default.

Note that the physical member ports that are aggregated must be equal in port speed and duplex (See “Port Speed/Duplex Settings”).

Notices to create an aggregated port

Before creating an aggregated port, you need to know:

  • The two member-ports of an aggregated port can be two physical network ports, two VLAN tags, or a pair of one physical port and a VLAN tag.
  • A logical aggregated port requires two purposeless member-ports (both mapped to None in the VLAN and Port Mapping table).
  • An aggregated port can only be mapped to a DMZ or LAN port.
  • VLAN tags can be defined on an aggregated port.

Creating an aggregated port

To configure an aggregated port, perform the following steps:

Step 1 Disable two ports (two physical ports, two VLAN ports, or a pair of one physical port and one VLAN port) by mapping them to None in the VLAN and Port Mapping table.

Step 2 Create a new port aggregation configuration by clicking the add button on Aggregated Port table.

Step 3 Assign the aggregated port a name by entering it in the Label field.

Step 4 Select a member-port from each of the two pull-down menus in Mapping field (the disabled ports in VLAN and Port Mapping table are listed here for options).

Step 5 The label name of the aggregated port will be listed in VLAN and Port Mapping table. Map the logical aggregated port to LAN or DMZ by selecting it from the pull-down menu in Mapping field. You can also define VLAN tags to the aggregated port in VLAN Tag field and Mapping field.

Step 6 Apply the settings by clicking Apply.

Scenarios

As illustrated in the topology below, FortiWAN Port1 is mapped to a WAN port. Port2 and Port3 are paired into a logical redundant LAN port which is connected to Switch1, and Port4 and Port5 are paired into a logical aggregated DMZ port which is connected to Switch2.

Step 1 To configure the settings for the deployment, you need to map Port1, Port2, Port3, Port4 and Port5 to WAN, LAN, LAN, None and None respectively in VLAN and Port Mapping table.

Port    VLAN Tag      Mapping
Port1   no VLAN Tag   WAN
Port2   no VLAN Tag   LAN
Port3   no VLAN Tag   LAN
Port4   no VLAN Tag   None
Port5   no VLAN Tag   None

Step 2 Create a new redundant LAN port labeled lan23 and map it to Port2 and Port3 in the Redundant LAN Port table.

Label   Mapping
lan23   Port 2
        Port 3

Step 3 Create a new aggregated port labeled dmz45 and map it to Port4 and Port5 in the Aggregated Port table.

Label   Mapping
dmz45   Port 4
        Port 5

Step 4 Map the created logical aggregated port dmz45 to DMZ in VLAN and Port Mapping table.

Port    VLAN Tag      Mapping
Port1   no VLAN Tag   WAN
Port2   no VLAN Tag   LAN
Port3   no VLAN Tag   LAN
Port4   no VLAN Tag   None
Port5   no VLAN Tag   None
dmz45   no VLAN Tag   DMZ

After the configurations are applied, labels “Bridge: lan23” and “Bonding: dmz45” will be listed respectively in LAN Port and DMZ Port pull-down menus of LAN and DMZ subnets settings (see LAN Private Subnet and Configuring your WAN) for options. Moreover, the two labels will be also listed in Input Port pull-down menu of Auto Routing and Bandwidth Management (see Auto Routing and Bandwidth Management) for your options.

You can also configure the deployment in a more advanced way: first, if you need the LAN ports to be defined with several VLAN tags and also paired redundantly; second, if you need the aggregated port to be mapped to one LAN and one DMZ by defining it with VLAN tags. The configuration steps are as follows:

Step 1 To configure the settings for the deployment, you need to define Port2 and Port3 with VLAN tags and map all of them to LAN in the VLAN and Port Mapping table. Leave Port4 and Port5 mapped to None as before.

Port    VLAN Tag      Mapping
Port1   no VLAN Tag   WAN
Port2   01            LAN
        02            LAN
Port3   01            LAN
        02            LAN
Port4   no VLAN Tag   None
Port5   no VLAN Tag   None

Step 2 Create a new redundant LAN port labeled lan23tag01 and map it to Port2.01 and Port3.01 in the Redundant LAN Port table.

Label        Mapping
lan23tag01   Port 2.01
             Port 3.01

Step 3 Create another new redundant LAN port labeled lan23tag02 and map it to Port2.02 and Port3.02 in the Redundant LAN Port table.

Label        Mapping
lan23tag02   Port 2.02
             Port 3.02

Step 4 Create a new aggregated port labeled agg45 and map it to Port4 and Port5 in the Aggregated Port table.

Label   Mapping
agg45   Port 4
        Port 5

Step 5 In VLAN and Port Mapping table, map the created logical aggregated port agg45 to a LAN and a DMZ by defining it with VLAN tags.

Port    VLAN Tag      Mapping
Port1   no VLAN Tag   WAN
Port2   01            LAN
        02            LAN
Port3   01            LAN
        02            LAN
Port4   no VLAN Tag   None
Port5   no VLAN Tag   None
agg45   01            LAN
        02            DMZ
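The membership rules for redundant and aggregated ports from the sections above, checked against the two scenarios, as an added Python example (not FortiWAN’s own validation; the class names, the key naming and the constructed broken variant are assumptions).

```python
from dataclasses import dataclass, field

# Mapping options of the VLAN and Port Mapping table. "None" is the UI option
# (kept as a string here, distinct from Python's None).
ROLES = ("WAN", "LAN", "DMZ", "None")


@dataclass
class PortMapping:
    """Model of the VLAN and Port Mapping, Redundant LAN/DMZ Port and Aggregated
    Port tables. Keys follow the UI naming: "Port2", VLAN port "Port2.01",
    an aggregated port by its label, e.g. "agg45" or "agg45.01"."""
    mapping: dict
    redundant: dict = field(default_factory=dict)   # label -> (member, member)
    aggregated: dict = field(default_factory=dict)  # label -> (member, member)

    def validate(self):
        errors = []
        for key, role in self.mapping.items():
            if role not in ROLES:
                errors.append(f"{key}: unknown mapping {role!r}")
        for label, members in self.redundant.items():
            roles = {self.mapping.get(m) for m in members}
            # both members must be mapped to LAN (redundant LAN port) or both to DMZ
            if len(members) != 2 or roles not in ({"LAN"}, {"DMZ"}):
                errors.append(f"redundant {label}: members must both be LAN or both DMZ")
            # VLAN tags cannot be defined on a redundant port
            if any(k.startswith(label + ".") for k in self.mapping):
                errors.append(f"redundant {label}: VLAN tags are not allowed")
        for label, members in self.aggregated.items():
            # members must be disabled (mapped to None) before aggregation
            if len(members) != 2 or any(self.mapping.get(m) != "None" for m in members):
                errors.append(f"aggregated {label}: both members must be mapped to None")
            own = [k for k in self.mapping if k == label or k.startswith(label + ".")]
            if not own:
                errors.append(f"aggregated {label}: not enabled (map to LAN/DMZ or add VLAN tags)")
            # an aggregated port can be a LAN or DMZ port, never a WAN port
            if any(self.mapping[k] == "WAN" for k in own):
                errors.append(f"aggregated {label}: cannot be mapped to WAN")
        return errors


def basic_scenario():
    """First scenario above: lan23 (Port2+Port3) and dmz45 (Port4+Port5)."""
    return PortMapping(
        mapping={"Port1": "WAN", "Port2": "LAN", "Port3": "LAN",
                 "Port4": "None", "Port5": "None", "dmz45": "DMZ"},
        redundant={"lan23": ("Port2", "Port3")},
        aggregated={"dmz45": ("Port4", "Port5")})


def advanced_scenario():
    """Second scenario above: VLAN-tagged redundant pairs and a tagged aggregated port."""
    return PortMapping(
        mapping={"Port1": "WAN",
                 "Port2.01": "LAN", "Port2.02": "LAN",
                 "Port3.01": "LAN", "Port3.02": "LAN",
                 "Port4": "None", "Port5": "None",
                 "agg45.01": "LAN", "agg45.02": "DMZ"},
        redundant={"lan23tag01": ("Port2.01", "Port3.01"),
                   "lan23tag02": ("Port2.02", "Port3.02")},
        aggregated={"agg45": ("Port4", "Port5")})


def broken_scenario():
    """Constructed mistakes: Port4 left mapped to LAN while aggregated, and the
    aggregated port mapped to WAN."""
    cfg = basic_scenario()
    cfg.mapping["Port4"] = "LAN"
    cfg.mapping["dmz45"] = "WAN"
    return cfg


if __name__ == "__main__":
    for scenario in (basic_scenario, advanced_scenario, broken_scenario):
        print(scenario.__name__, scenario().validate())
```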

 

