Need help with VLAN setup on 40F

If you aggregated two interfaces together, the other ends need to be terminated at a switch, or stacked switches, in the same form and break out vlans to different ports. Your PCs can be connected to those ports that the non-tagged (or VLAN1 for many switches) traffic is mapped to.

Toshi

When you configure link aggregation you have to connect the ports either to one switch or stacked switches(or supporting alike protocol). If you configure VLANs on this aggregated link, you will have tagged traffic for the VLANs and untagged traffic also on the interface. You have to do a similar configuration on the switch.  Configure link aggregation with trunk configuration. Check if the link aggregation is established. Test the configuration first without link aggregation to test the concept then change to link aggregation. You could test also first by conecting only one of the aggregated ports.

The IEEE802.3ad is a link aggregation protocol to make multiple physical links into one link to provide redundancy and increasing bandwidth on the link.

https://techbast.com/2021/03/fortigate-how-to-configure-802-3ad-aggregate-feature-on-firewall-fortigate.html

One side of link is like the FortiGate, and the other side is generally a switch.

But your intended setup is more like for FortiGate's hard-switch, bridging/binding two ports together at L2 level and have all VLANs on both ports. 

Why going back to "lan" hard-switch interface and removing only port1 from the interface and leaving port2 and port3 as memebers wouln't work?

Toshi

config system interface
edit "port1"
set ip 192.168.10.1 255.255.255.0
set allowaccess ping https ssh snmp
next
edit "port2"
set ip 192.168.5.1 255.255.255.0
next
end
config system dhcp server
edit 1
set dns-service default
set default-gateway 192.168.10.1
set netmask 255.255.255.0
set interface "port1"
config ip-range
edit 1
set start-ip 192.168.10.2
set end-ip 192.168.10.254
next
end
next
end

In previous solution the 16-Port Switch should be L3 switch supporting routing and you may need to run DHCP on it for various VLANs.

This solution is better.

You configure the trunk port between FortiGate and the 16-Port switch. If on VLAN, then just give an IP to port-2 and connect it to the switch. 

That's the best way to do it with aggregation. You wrote you wanted to have some ports that are alle the same and it doesn't matter to which of them you connect.

Indeed you can do that with a virtual switch on your FGT.  This is even the FGT factory default.

You could have kept that switch there and just add vlan interfaces to it.

However in this case you either have to have a manged swtich behind the FGT or the devices you connect to the port(s) have to tag to correct vlan. That is because only tagged traffic will hit the correct vlan interface on the FGT and any other traffic might hit the physical interface instead.

Thanks all. If it is correct that the traffic must be tagged BEFORE it hits the Fortigate ports in order for the Fortigate to route it appropriately, then I misunderstood how the Fortigate would handle VLANs. I thought I could have non-tagged traffic coming into the Fortigate ports and then using device detection, get the sender’s MAC and assign an IP address to it based on that MAC, whose IP would be in a VLAN of my choosing. For example… I have two printers, one plugged into the switch and the other on the WiFi. Based on their MACs I wanted to be able to assign them via IP Reservation, an IP address that is in the Printer VLAN and assign firewall policies accordingly.

Unfortunately, my switch is cheap, unintelligent, and unmanaged (unmanageable).

Here is my exact use case that I’m trying to solve, given the diagram I posted earlier. I have multiple devices in various categories (servers, PCs, printers, security devices, TVs, etc.) some of which are physically attached to the 16-port switch and others that come in over the WiFi mesh. With the exception of the occasional guest devices, I want to know every node/device on my network, its MAC (which I do already know), and make sure the IOT devices (security devices, TVs, etc.) can’t traverse my network and get to the server or the printers. I also want to be able to log traffic and watch for intrusions coming in from the WAN side.

If it is a guest whose MAC I do not recognize, I want to dump them into a Guest VLAN that can only reach the internet, not the LAN.

What is the best way to set up this network? I thought it would be too painful setting up rules for every single device. Instead, I thought that grouping them into VLANs would make setting up firewall policies more straightforward, i.e. just a few groups as opposed to a rule for each of the many devices. Can the Fortigate identify the MAC of any device connected to the Hardware Switch or Aggregate interface (ports 2 and 3), assign an IP that belongs to a particular VLAN, and then route traffic accordingly? If not, what are my other options?

Thanks again for your patience. I’m a complete Fortigate newbie!

Chris

Are you connecting a WiFi access Point to Port-3? Does it support tagged traffic?
Let's split the discussion for WiFi and wired.

For wired on Port-2 you could ide secondary IP.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-can-create-max-32-secondary-IP-address/ta-p/230121#:~:text=the%20cloud%20environment.-,A%20maximum%20of%2032%20secondary%20IP,be%20created%20for%20each%20interface.

For the WiFi link, I believe you could do the same. Or use tagged traffic if the AP supports this. You have to configure different SSID and map them to the different VLANs.

well you have to keep in mind that the FortiGate threats a vlan as a virtual interface. This means that only traffic with the corresponding vlan tag will hit that interface. So a DHCP server on a vlan interface will only respond to traffic tagged with that vlan because only that one hits the interface. All other traffic will hit the physical interface the vlan interface is "tied" to.

So if you had this constellation:

Port1,Port2,POrt3 is a virtual switch named "switch1".

Then you create vlan 1 named "printer" and vlan 2 named "wifi" then vlan 1 and 2 are virtual interfaces bound to "physical" interface "switch1". 

Traffic tagged with vlan1 will then hit interface "printer". Traffic tagged with vlan2 will then hit "wifi". Traffic that has neiter one of both vids will hit "switch1".

Since DHCP is UDP traffic the ip routing doesn't matter for it but the vlan id does. So if the traffic is not tagged with 1 or 2 (to stay with my example) it will get a dhcp response from a dhcp server on interface "switch1" (if there is one enabled there).  So you might use that to assign an ip you want based on the mac but to route traffic from/to devices correctly you still need to have your traffic tagged with the corred vid.

hence unfortunately only few devices are capable of vlan tagging themselves a managed switch is rather mandatory (at least if the FGT doesn't have enough physical ports or clients are too far away from it (ethernet segment lenght is max. 100m)) if you want to use vlans because managed switch can do vlan tagging/trunking per port so the device connected to it doesn't have to do it itself.