XxKevinxX
New Member
August 11, 2021
Question

Creating a new subnet.

Hey all, I’m new to Fortigate products and I’m trying to get a second subnet created. My first subnet is set up on the lan hardware switch on port 1, where I have enabled some security policies that block all access to the internet and only allow me to configure my firewall. So my question is: how should I set up the second subnet? Incoming traffic from wan to the port I’m using, and then create security policies for that subnet? Any help is appreciated. Thanks in advance, Kevin

    1 reply

    Toshi_Esumi
    SuperUser
    August 11, 2021

    What model of FGT? Sounds like a small one like a 40F, since you said "lan" for the hard-switch. Are you aware that "lan" includes all internal ports? Then, did you separate the lan1 (port1) port from the hard-switch?

    Also, as with any FW appliance, by default nothing is allowed unless you configure something with policies.

    Then you want to set up a lan network/subnet to allow out(internet)-to-in access? Unless you have a web server, FTP server, or whatever other internet service servers, that shouldn't be configured. That generally requires VIPs to make holes in the wall to let them come inside.

    If you want to make lan1 your management port, you just need to separate the interface from the lan hard-switch; then the rest of the lan ports stay in the "lan" hard-switch so that you can use them as regular user ports, and you can set an in-to-out internet access policy. That should already be there by default for those smaller models.

    XxKevinxX (Author)
    New Member
    August 11, 2021
    Hello and thanks for your reply. I do have a smaller model, a 30E, and yes, all the ports are in there by default like you said. What I have tried is to remove lan2, give it an address and set up policies. Which incoming interface should I use: lan hard switch, port2 or wan? Then which outgoing, port2 or wan? I’ve set up some default policies but my machine can’t reach the DHCP server. I appreciate your help. Thank you.
    Toshi_Esumi
    SuperUser
    August 11, 2021

    The 30E should have one wan and four lan ports. If you have just removed lan2 from the lan hard-switch (and didn't mess up any DHCP server or lan interface config), the default lan IP 192.168.1.99/24 should be on the lan interface and DHCP server 1 is configured with that subnet. So when you hook up your devices on lan1, 3 or 4, they should be able to pull one of those IPs (I think the range was like .110-.210). If not, and since your setup seems to be simple, I would rather factory-reset it again and start over.

    But this time, you should test the regular user path first to make sure it works with the default policy. Only after that, you can take lan2 out of lan and then assign a separate subnet, say 192.168.200.1/24 for example, then either use a static IP on the device side or add a DHCP server 2 for that subnet alongside the existing one.