Skip to main content
uByte
uByte
New Member
February 7, 2022
Question

Extending the subnet

  • February 7, 2022
  • 1 reply
  • 7477 views

I have a FortiGate and I am running out of IP addresses in the subnet. I have set the DHCP lease for an hour to allow for the leases to expire more quickly but I still need more. 

 

The way I have it setup now is the network is on a 10.20.1.x network. There are no VLANs on the network (even though there are layer 2 switches). I would like to just create networks for each VLAN but it requires me to set up the VLANs on all the switches (which I would have to reset the config on the cisco switches with a known password (not my network)).

I got to thinking wouldn't it be easier to just change the FortiGate interface to add another subnet? Couldn't I just add a secondary IP say 10.20.2.x and add that 10.20.2.2-10.20.2.254 to the pool? When 1 pool is out does it just pick up the next pool in the subnet?

Another thought that I had was can I just change the pool subnet network to be a 255.255.0.0 and then set the pool to be 10.20.1.20-10.20.2.254? Would that give me more IP addresses and still allow me to filter everything out of the same policy?


If that fixes it then I could go in setup the VLANs afterwards and really segment the network out (which I am going to do). There is a definite need for IP addresses that I am trying to address first.

 

Any thoughts would be appreciated.

1 reply

akristof
Staff
akristof
Staff
February 8, 2022

Hello,

 

Thank you for your question. Expand subnet mask should be enough.

And it requires minimum changes on the interface. Just change subnet mask on LAN interface on FortiGate, change mask in DHCP. If you using lan subnet somewhere in firewall policies, you would need to change it also. This is the best option I believe as it will not even affect current clients that have still from DHCP with old subnet mask.

 

Of course, other option to add secondary subnet and secondary DHCP is also an option. But the address assignment from DHCP might be random, sometimes from one pool, other time from other pool. So I would recommend just to extend subnet mask as it is much easier and quicker. 

uByte
uByteAuthor
New Member
February 10, 2022

@akristof Thank you for your response.

 

I believe I am going to expand the subnet. If the scheme is 10.20.1.x with a subnet of 255.255.255.0 and I change the subnet (of the interface and scope) to 255.255.0.0 and set the scope to be something like 10.20.1.2-10.20.2.250 would I have to change the policy or should it work without? I believe everything else will work fine. I know that I will have to reboot switches and devices to make sure everything comes back up with the new DHCP address. Am I missing anything?

akristof
Staff
akristof
Staff
February 10, 2022

Hi,

 

Firewall policies will work fine, probably only thing you will need to change in relation to policies is network address if you are using it in fw policy. If you are using any/any then it will be fine without any change.

Terms & ConditionsAccessibility statement