FortiWAN WAN/DMZ Private Subnet

Leave a reply

WAN/DMZ Private Subnet

After having gone through public subnet configurations, let’s move to private subnet settings. This section lists a few typical topology structures for private subnet. Similarly, FortiWAN supports two different types of private subnet according to the deployment, direct or indirect connecting to FortiWAN.The two settings are configured from [Basic Subnet] and [Static Routing Subnet]. FortiWAN supports both IPv4 and IPv6 for the two private subnet types.

On its UI, [IPv4 Basic Subnet] and [IPv6 Basic Subnet] could be one of:

  • Subnet in WAN l Subnet in DMZ l Subnet in WAN and DMZ
  • Subnet on Localhost (Not support in [IPv6 Basci Subnet])

And [IPv4 Static Routing Subnet] and [IPv6 Static Routing Subnet] could be one of:

  • Subnet in WAN l Subnet in DMZ

[Basic Subnet]: Subnet in WAN

This topology is frequently found where cluster hosts in the IPv4 private subnet are located on the WAN. In this example, FortiWAN port2 has been mapped to WAN port, with IP 192.168.3.1. Select [Subnet in WAN] from [Subnet Type] in [Basic Subnet]. Then enter 192.168.3.1 in [IP(s) on Localhost] and the netmask offered by ISP in [Netmask].

Note: FortiWAN assumes that IP addresses that are unlisted in [IP(s) on Localhost] are all in WAN.

[Basic Subnet]: Subnet in DMZ

This topology is frequently found where cluster hosts in IPv4 private subnet are located on the DMZ. In this example, FortiWAN port5 has been mapped to DMZ port, with private IP 192.168.4.254. And subnet 192.168.4.X is located on the DMZ as a whole. From UI, select [Subnet in DMZ] from [Subnet Type] in [Basic Subnet].

Check [Enable DHCP] if hosts in the subnet in DMZ require DHCP service. And enter the starting and ending address in [DHCP Range]. If any host in the subnet uses static IP address, then in [Static Mapping], enter its IP and MAC address. Note: FortiWAN assumes IP addresses that are unlisted in [IP(s) on Localhost] are all in DMZ. Thus there is no need to configure them.

[Basic Subnet]: Subnet in WAN and DMZ

This topology is found where cluster hosts in IPv4 private subnet are located in both WAN and DMZ. FortiWAN hereby assumes IP addresses that are unlisted in [IP(s) on Localhost] and [IP(s) in WAN] are all in the DMZ. Port2 and port5 are connected in dotted line, indicating the subnet spreads across WAN (port2) and DMZ (port5). FortiWAN employs Proxy ARP to connet the whole subnet togther. In this example, more than one IP addresses are needed for FortiWAN in bridging. These IP addresses therefore have to be on the same network segment.

Enter 192.168.5.20-192.168.5.30 in [IP(s) on Localhost], and 192.168.5.10-192.168.5.19 in [IP(s) in WAN].

[Basic Subnet]: Subnet on Localhost

This topology is found where a whole IPv4 private subnet is designated on FortiWAN. And the IP addresses in this subnet can be utilized by Virtual Server. An IPv6 private subnet is not supported for this subnet type.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiWAN and tagged on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.