Skip to main content
R1Pilot
R1Pilot
New Member
March 18, 2021
Question

Firewall between 2 computers on the same subnet on different LAN ports - Fortigate 30E

  • March 18, 2021
  • 2 replies
  • 6905 views

Hi all,

 

I`m new to the fortinet products and I`ve just had a fortigate 30E dropped on my lap to configure for what I would have thought is a very basic function. Basically I want to block traffic between 2 computers on the same subnet. I`m not using the WAN port at all and it has just been started up from factory. I have the default switch which has 4 ports and a management address using 192.168.1.1. I have 1 computer plugged into port 1 example ip address 192.168.1.5 and another computer connected into port 2 using address 192.168.1.10.

 

I`ve setup a IPV4 policy of src address range 192.168.1.5-192.168.1.5 all interfaces to dst address range 192.168.1.10-192.168.1.10 all interfaces protocols ALL and DENY and I`ve also done the opposite so they are blocked both ways but I can still communicate between the 2. They are the first 2 policies in the list.

 

    2 replies

    R1Pilot
    R1PilotAuthor
    New Member
    March 18, 2021

    I found a way to do it. I`m not sure if it`s the best way. I changed to transparent mode then created a second switch with 1 lan port in it so I had a PC in each switch then did the same rules and everything worked as I would have expected. I`m still surprised  IP filtering between ports on the same switch in NAT mode didn't work so I`d love to know if it should and how to configure it..

    sw2090
    SuperUser
    sw2090
    SuperUser
    March 18, 2021

    which way did you cofigure the ports on the FGT? The only way to have two ports in one subnet is basically a switch or trunk. Trunk would net be useful here as you still need two ports for two pcs :)

    The only other way would be subnetting.

    e.g.

    Use SUbnet 192.168.1.0/29

    Port1 has 192.168.1.1/29

    PC1 then has to have an ip between 192.168.1.2 and 192.168.1.6 (including those two ips).

    Subnetmask would be 255.255.255.248

    PC1 has to have the FGT as Gateway (IP of Port1)

     

    Use next Subnet 192.168.1.8/29

    Port2 has 192.168.1.9/29

    PC2 has to have 192.168.1.10-14

    Subnetmask would be 255..255.255.248

    PC2 has to have the FGT as Gateway (IP of Port2)

     

    then you could create a Policy to deny traffic from Port1 to Port2 from 192.168.1.0/29 to 192.168.1.8/29 

    and vice versa.

     

    The other ways will sop working once PC1 or/and PC2 are not connected directly to ports of the FGT but to a switch behind it. Then this will be network internal traffic and that will not hit the default gw.

    If you use different subnets like the above example it still will.

     

    Annother way would be (if PC1 and PC2 do not do dhcp) to create an address object for each pc and have the polilcy match the addrress objects. Then both PCs could even be connected to one POrt (with a swithc behind).

     

     

    Terms & ConditionsAccessibility statement