Need help with VLAN setup on 40F

We need to discuss several points.

Why do you dedicate one port for management and lose it? On FortiGate, you enable the management services you need on each interface, can specify the administrator IP, and remove the default admin after you create a new one.

Your devices do not support tagging; so, forget the VLAN now.

I see the secondary IP solution is near the case. In this case you should configure the IP provided to each MAC according to the subnet required. There is an issue. They could see each other with the applications that run over layer 2 directly and do not rely on IP. 

If the WiFi could be connected to the 16-port switch, do that.

Deal each port as a separate subnet.

Let DHCP assign your device IP according to the MAC. Configure a dynamic DHCP range for guests. You could secondary IP to separate them also. FortiGate should be given IP in each subnet; either interface IP or secondary IP.

The layer 2 traffic on the switch does not go through FortiGate. To secure the servers connect them to a separate port.

The firewall policy is so much easy.

Configure address objects for each device and subnet. You could create address groups and add objects (in the same subnet) with similar permissions to it. Dealing with groups is easier as it could be modified (add or remove objects) later.

Next, create a policy from the incoming interface, and the outgoing interface; then select the allowed group as the source. You could restrict the destination if it is required.

I am waiting for the happy news.

I see that you start. When you are in touch, you will see with your eyes and recognize with your mind.

Go and do it trusting your knowledge and your power.

Good luck.

Hi Mohamed,

Thanks for the advice and encouragement. I have deleted the Aggregate 802.3ad interface I had set up and went back to using a Hardware Switch. Currently it only has Ports 2 and 3 in it but I will eventually add Port 1 back into it. I don’t just want to hang the server off of Port 3 because I also have a backup server and printer I want to isolate as well. I also have a printer that hangs off of the WiFi mesh I want to protect. That means, I need to be able to not care which physical port on the FG something is plugged into. I would rather simply control them using firewall rules by IP address range.

As such, I had planned to assign IP addresses based on MAC detection. I tried that using my laptop and it works great. For example, I reserved 192.168.2.69 to my laptop’s MAC, and when I plugged the laptop into Port 3 and requested an IP address, the FG’s DHCP server handed me 192.168.2.69. Therefore, I should be able to follow suite with my servers, other PCs, TVs, printers, etc. assigning each one an IP address within the desired range by type.

However, I don’t know how to set up a guest IP address range to dump unknown MACs into. The implicit rule is to assign an IP to unknown MACs but I don’t see a way to restrict the range inside of the 192.168.2.x network. I am concerned that the DHCP server will just dole out the next available IP address instead of restricting it to, let’s say 192.168.2.200 to 192.168.2.250. For example, let’s say I have two servers, but want to reserve 192.168.2.10 to .20 leaving room for future servers. What keeps the DHCP server from giving the next unknown device the address of 192.168.2.17 instead of something in a predefined guest range?

Any ideas on how to do this?

Thanks,

Chris

Congratulations. I am happy that you went forward steps with success. You are the one in the site and you have the most vision for the needs.

First, you have to use end-point protection software to protect your devices.

Take a backup daily to be safe.

If your devices are fixed, give them IP manually. In this case you will limit the DHCP range to not include their IP addresses.

"I am concerned that the DHCP server will just dole out the next available IP address instead of restricting it"; I have the same doubt (I don't have enough experience to know. I hope you do the test and let's know.

If you have the IP addresses of your devices and the range of the guest DHCP, then you could an address object for each and configure a separate firewall policy for each group.

config system dhcp server
edit 3
set default-gateway 192.168.2.1
set netmask 255.255.255.0
set interface "Workstation"
config ip-range
edit 1
set start-ip 192.168.2.200
set end-ip 192.168.2.250
next
end
set dns-server1 8.8.8.8
next
end

FortiGate includes a license for FortiClient. You could use it also.

https://www.fortinet.com/products/endpoint-security/forticlient

Hi All,

Thanks for all of the input. I have learned a tremendous amount from all of you and you have cleared up many misconceptions I had about what the Fortigate is capable of and how it works.

At this point, I’m going to take a step back and search for an inexpensive managed switch that can do VLAN tagging to replace the dumb switch I currently have. I plan to set up a VLAN on each physical port of the new switch and multiple VLANs on one of the ports that I will plug the eero WiFi mesh into. I have already checked and I can ping and ARP devices hanging off of the WiFi mesh such that I can see each one’s MAC, so I know the frame is not being stripped of the MAC.

I have scoured the web and found an example of someone doing the very thing I am trying to do. See here: https://www.reddit.com/r/PFSENSE/comments/mzhfnp/good_mesh_wifi_solution_for_pfsense_which/

He is using a Netgear GS308T, an 8-port managed switch that does the VLAN tagging. Netgear also has similar managed switches with more ports that I will be looking into. Here is the 24-port version’s user manual: https://www.downloads.netgear.com/files/GDC/GS324T/GS324T_GS324TP_GS348T_UM.pdf?_ga=2.228157013.978222611.1672511917-848963566.1672511917

On page 131 of the guide, they explicitly show you how to configure the ports for MAC based VLAN tagging.

With respect to the guest network, I plan to disable it on my eero WiFi mesh and enable it directly on the AT&T router which will exist on the WAN side of the Fortigate. This moves the guest network outside of my LAN and allows me to dedicate the eero mesh to only those devices whose MAC I know and authorize.

Does this look like a workable plan? Do you have recommendations or experience with Netgear, TP-Link, and other managed switches? The ones I’m looking at are ~$300 on Amazon, and I don’t want to spend more than that.

Thanks,

Chris

I am very happy for what you reached.

My advice is to keep login into the support forum and have a look at what people ask about. Once you learn and the other you reply and you enhance yourself.

Good luck