Skip to main content
BWiebe
BWiebe
New Member
May 23, 2018
Question

Routing/Design Question

  • May 23, 2018
  • 1 reply
  • 3738 views

I might be overthinking this just a little.

 

I support a client with a Fortigate cluster in their main office and a Fortigate cluster in their data centre.

 

All of their server infrastructure is in their data centre and is all accessed over a fiber point-to-point link.  Said link is connected to both firewall clusters as an ethernet connection, with a different IP at each end.

 

Routing between their head office and data centre and back is done using the point-to-point interfaces at each end.  DHCP for their head office users is all handled through the head office firewall cluster.  All different types of connections at their headoffice and data centre locations are on different untagged VLANs.

 

Recently we've built a new environment on their server infrastructure on a net new VLAN/subnet (the environment will eventually be moved to a different location), and I've been asked to allow access from headoffice to the new environment for the purpose of workstation building/testing for users that will eventually be at the new location.

 

My coworker has suggested using a switch on the same VLAN as their current wired workstations and putting an IP Helper on the switch to point them to the other network across the point-to-point link.  I have reservations in doing this as I don't want to mess with their current wired setup and cause the users any grief.

 

I've suggested just creating a net new VLAN and putting the users on that VLAN and use IPHelpers to get across that way and configure the firewalls accordingly.

 

Part of me thinks, there's probably an easier way to do this/less risky.

 

Thoughts?  Anything I may have overlooked?

    1 reply

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    May 23, 2018

    You already have proper routes to the new subnet from the head office and policies to allow the access at both FGT clusters. When you move the subnet to other location, you just need to change the routes and policies toward the new circuit/VPN. I'm not sure what your concern is.

    BWiebe
    BWiebeAuthor
    New Member
    May 23, 2018

    We don't have the routes, per se, in place, but it's easy enough for me to add them.

     

    My concern is the DHCP requests more than anything and making sure the IP Helper doesn't redirect traffic meant for their headoffice.

     

    This is why I was thinking of another VLAN.

     

    But then, sometimes I overthink, and maybe I can just put a static route in and do the IPHelper off the single switch.

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    May 23, 2018

    Without routing, HQ FGT won't forward the access to the new subnet toward datacenter FGT (I'm assuming 0/0 route is going toward different circuit). FGT wouldn't forward boradcast frames to the other interface under normal configuration unless it's within hard-swtich(soft-switch as well??) or with other special conditions like transparent mode, VXLAN, etc.

     

    Terms & ConditionsAccessibility statement