jcvm
New Member
December 21, 2021
Solved

How to have multiple subnets in 1 lan port?

  • December 21, 2021
  • 3 replies
  • 9727 views

Hello,
I just bought a Fortigate to migrate our entire Mikrotik network to Fortigate and the following question arises:

How can you have 4 Subnets on a single LAN port?

Example:

192.168.1.1/24
172.16.50.1/24
192.168.1.1/24

Best answer by Debbie_FTNT

3 replies

Toshi_Esumi
SuperUser
December 21, 2021

I didn't know this until now, but at least with 6.4 it looks like you can enable Secondary-IP only via CLI. Then you can add those IPs in GUI.

    config sys int
        edit xxx
            set secondary-IP enable
        next
    end

Debbie_FTNT
Staff & Editor
December 21, 2021

Hey Toshi, jcvm,
Multiple IPs can be set in GUI if the interface role is specified as "LAN" :)

[attached screenshot: multiple-ip.PNG]

Hope this helps.
@jcvm  - If you are just looking to set secondary IPs, the above will provide what you need. If you want to include different VLANs for the different subnets, you need to create VLAN interfaces under Network > Interfaces, bind them to the correct physical interface (which will act as trunk port) and set the appropriate VLAN IDs.

Cheers!
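Both options from this reply in CLI form, as an added example that is not from the thread or from Fortinet's documentation. The interface name port2, the VLAN ID 10, the sub-interface name and the allowaccess choices are assumptions; the 192.168.1.0/24 and 172.16.50.0/24 ranges are the ones from the original question. Lines starting with # are annotations for the reader and are not FortiOS CLI input; strip them before pasting.

```fortios
# Option A: secondary IPs on one physical LAN interface. All subnets share one
# untagged broadcast domain; only the FortiGate's routing and policies separate them.
# "port2" is an assumed interface name.
config system interface
    edit "port2"
        set role lan
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 172.16.50.1 255.255.255.0
                set allowaccess ping
            next
        end
    next
end

# Option B: one VLAN sub-interface per subnet bound to the same physical port,
# which then carries 802.1Q tags toward the switch (trunk). VLAN ID 10 is assumed.
config system interface
    edit "vlan10-phones"
        set vdom "root"
        set interface "port2"
        set vlanid 10
        set ip 172.16.50.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end
```

With option A, a host that simply reconfigures its own address into another subnet's range is still on the same wire, so the separation between administrative PCs, phones and cameras exists only at layer 3 on the FortiGate; keep management services (https, ssh) off the secondary addresses unless they are needed there. Option B gives a real layer-2 boundary but requires the switch ports to be configured for tagging, which is the constraint mentioned later in this thread.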

jcvm (Author)
New Member
December 21, 2021

@Debbie_FTNT Thank you very much, I have another question.

Can you create rules and outputs for different WANs for each subnet (secondary IP)?

Debbie_FTNT
Staff & Editor
December 21, 2021

You can create different rules for each subnet on the interface, yes - if you create policies and always mention the specific source or destination subnet.
You would have four policies from your lan interface to whatever destination, and for each rule you would have a different source subnet defined, for example.
The key would be to never use a generic source/destination (like 'all') that more than one subnet on that interface would match, unless explicitly intended.

To be honest, I am not entirely sure how FortiGate would handle traffic from one subnet to another one on the same interface, whether it would allow that without a policy or not; you might need to test whether you can ping from one subnet to the other without a rule in place.
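The per-subnet policy design described in this reply, written out in CLI as an added example that is not from the thread or from Fortinet's documentation. Assumptions: the LAN interface is port2 with the 192.168.1.0/24 and 172.16.50.0/24 subnets from the question as secondary IPs, the two uplinks are wan1 and wan2, the object and policy names are mine, and 203.0.113.1 is a documentation address standing in for the wan2 gateway. It also assumes, as this reply suggests verifying, that traffic the FortiGate routes between two subnets on the same interface has to match a policy like any other routed traffic. Lines starting with # are annotations, not CLI input.

```fortios
# Address objects, one per subnet, so policies can name a specific source.
config firewall address
    edit "net-admin"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "net-phones"
        set subnet 172.16.50.0 255.255.255.0
    next
end

# One egress policy per subnet. srcaddr is always a specific object, never "all",
# so a policy can only ever match the subnet it was written for.
config firewall policy
    edit 0
        set name "admin-out-wan1"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "net-admin"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    edit 0
        set name "phones-out-wan2"
        set srcintf "port2"
        set dstintf "wan2"
        set srcaddr "net-phones"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    # Subnet-to-subnet traffic on the same interface goes in and back out port2.
    # An explicit deny with logging makes the block visible in the traffic log
    # instead of being absorbed silently by the implicit deny.
    edit 0
        set name "deny-phones-to-admin"
        set srcintf "port2"
        set dstintf "port2"
        set srcaddr "net-phones"
        set dstaddr "net-admin"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# A firewall policy only permits traffic; the policy route is what actually
# sends the phone subnet out wan2 instead of the default route.
config router policy
    edit 1
        set input-device "port2"
        set src "172.16.50.0/255.255.255.0"
        set output-device "wan2"
        set gateway 203.0.113.1
    next
end
```

Policies are evaluated top-down on first match, so the port2-to-port2 deny has to sit above any broader accept between those interfaces, and anything no policy matches falls through to the implicit deny at the bottom. The ping test proposed in the reply above is the right way to confirm the last point on the specific firmware in use.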

jcvm (Author)
New Member
December 21, 2021

Hello,
@Debbie_FTNT I'm going to run these tests to see how the equipment performs.
@Toshi_Esumi I cannot apply VLANs since the network distribution (physical structure and ports) does not allow me to separate things correctly to apply VLANs.

The Subnets are divided as follows:

1 - Administrative Teams
2 - IP Phones
3 - Cameras
4 - IT team

The ideal would be to use VLANs, but their use is complicated by the aforementioned issues.

All I have left are the rules for separating and blocking traffic.
If you have another suggestion, it is accepted.