firewall : ippool, ippool6
 
ippool, ippool6
Use the firewall ippool command to configure IPv4 IP address pools.
Use the firewall ippool6 command to configure IPv6 IP address pools.
Use IP pools to add NAT policies that translate source addresses to addresses randomly selected from the IP pool, rather than the IP address assigned to that FortiOS™ unit interface. In Transparent mode, IP pools are available only from the FortiGate CLI.
An IP pool defines a single IP address or a range of IP addresses. A single IP address in an IP pool becomes a range of one IP address. For example, if you enter an IP pool as 1.1.1.1 the IP pool is actually the address range 1.1.1.1 to 1.1.1.1.
If a FortiGate interface IP address overlaps with one or more IP pool address ranges, the interface responds to ARP requests for all of the IP addresses in the overlapping IP pools.
For example, consider a FortiGate unit with the following IP addresses for the port1 and port2 interfaces:
port1 IP address: 1.1.1.1/255.255.255.0 (range is 1.1.1.0-1.1.1.255)
port2 IP address: 2.2.2.2/255.255.255.0 (range is 2.2.2.0-2.2.2.255)
And the following IP pools:
IP_pool_1: 1.1.1.10-1.1.1.20
IP_pool_2: 2.2.2.10-2.2.2.20
IP_pool_3: 2.2.2.30-2.2.2.40
The overlap between the port1 interface range and IP_pool_1 is:
(1.1.1.0-1.1.1.255) and (1.1.1.10-1.1.1.20) = 1.1.1.10-1.1.1.20
The overlap between the port2 interface range and IP_pool_2 is:
(2.2.2.0-2.2.2.255) and (2.2.2.10-2.2.2.20) = 2.2.2.10-2.2.2.20
The overlap between the port2 interface range and IP_pool_3 is:
(2.2.2.0-2.2.2.255) and (2.2.2.30-2.2.2.40) = 2.2.2.30-2.2.2.40
And the result is:
The port1 interface answers ARP requests for 1.1.1.10-1.1.1.20
The port2 interface answers ARP requests for 2.2.2.10-2.2.2.20 and for 2.2.2.30-2.2.2.40
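The overlap rule above, generalized to any set of interfaces and pools, as an added example (not part of the FortiOS documentation): it computes which interface answers ARP for which portion of each pool, using the page's port1/port2 values plus a constructed fourth pool that overlaps no interface. The function and pool names are the example's own.

```python
# Added example: which interface answers ARP for which IP pool addresses.
# Values for port1, port2 and IP_pool_1..3 are the ones from the page;
# IP_pool_4 is a constructed single-address pool that overlaps nothing.
import ipaddress
from typing import Dict, List, Optional, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# Constructed sample data, matching the worked example above.
INTERFACES = {
    "port1": "1.1.1.1/255.255.255.0",
    "port2": "2.2.2.2/255.255.255.0",
}
IPPOOLS = {
    "IP_pool_1": ("1.1.1.10", "1.1.1.20"),
    "IP_pool_2": ("2.2.2.10", "2.2.2.20"),
    "IP_pool_3": ("2.2.2.30", "2.2.2.40"),
    "IP_pool_4": ("3.3.3.1", "3.3.3.1"),  # single IP = range of one address
}

def pool_range(startip: str, endip: str) -> IPRange:
    """A pool is an inclusive range; a single IP is the range startip..startip."""
    start, end = ipaddress.IPv4Address(startip), ipaddress.IPv4Address(endip)
    if end < start:
        raise ValueError("endip must not be lower than startip")
    return start, end

def overlap(a: IPRange, b: IPRange) -> Optional[IPRange]:
    """Intersection of two inclusive address ranges, or None when disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def arp_ranges(interfaces: Dict[str, str],
               pools: Dict[str, Tuple[str, str]]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each interface to the (pool, first, last) ranges it answers ARP for."""
    result: Dict[str, List[Tuple[str, str, str]]] = {name: [] for name in interfaces}
    for if_name, addr in interfaces.items():
        net = ipaddress.IPv4Interface(addr).network  # 1.1.1.1/24 -> 1.1.1.0-1.1.1.255
        if_range = (net.network_address, net.broadcast_address)
        for pool_name, (startip, endip) in pools.items():
            hit = overlap(if_range, pool_range(startip, endip))
            if hit is not None:
                result[if_name].append((pool_name, str(hit[0]), str(hit[1])))
    return result

if __name__ == "__main__":
    for if_name, ranges in arp_ranges(INTERFACES, IPPOOLS).items():
        for pool_name, first, last in ranges:
            print(f"{if_name} answers ARP for {first}-{last} ({pool_name})")
```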
To use an IP pool, select NAT in a firewall policy, then select Dynamic IP Pool and choose the IP pool.
With dynamic PAT configuration, the FortiGate unit leaves the source port unchanged at first. If another device has already used that port, the FortiGate unit selects the source port randomly from the pool.
Syntax
config firewall ippool
edit <ippool_name_str>
set arp-intf <interface_name>
set arp-reply {enable | disable}
set block-size <size_int>
set endip <address_ipv4>
set num-blocks-per-user <int>
set startip <address_ipv4>
set source-endip <address_ipv4>
set source-startip <address_ipv4>
set type {one-to-one | overload | fixed-port-range | port-block-allocation}
end
 
Variable
Description
Default
<ippool_name_str>
Enter a name for this IP pool.
No default.
arp-intf <interface_name>
Send ARP replies only to the specified interface. Leave unset to send replies to all interfaces. arp-reply must be enabled.
Null
arp-reply {enable | disable}
Enable or disable ARP replies.
enable
block-size <size_int>
Set the size of the port block. Available when type is port-block-allocation. Range: 64 to 4096.
128
endip <address_ipv4>
The end IP of the address range. The end IP must be higher than the start IP. The end IP does not have to be on the same subnet as the IP address of the interface for which you are adding the IP pool.
0.0.0.0
num-blocks-per-user <int>
Set the number of ports per user when type is port-block-allocation. Range: 1 to 128.
8
source-startip <address_ipv4>
Enter start IP for the range when type is fixed-port-range.
0.0.0.0
source-endip <address_ipv4>
Enter end IP for the range when type is fixed-port-range.
0.0.0.0
startip <address_ipv4>
The start IP of the address range. The start IP does not have to be on the same subnet as the IP address of the interface for which you are adding the IP pool.
0.0.0.0
type {one-to-one | overload | fixed-port-range | port-block-allocation}
Select the type of IP pool:
one-to-one — one-to-one mapping
overload — clients can share pool IP addresses
fixed-port-range — fixed mapping of the source-startip / source-endip range to the startip / endip range
port-block-allocation — allocate a block of ports for IP pool users
overload