Skip to main content
peon2t
peon2t
Explorer
January 7, 2023
Question

VLAN separation, does this setup what it should?

  • January 7, 2023
  • 4 replies
  • 3043 views

Hello

 

We have this FortiGate 40F that has been set up in a certain way buy we're not entirely sure if it actually does what we expect it to do.

 

We have a small office with a main tenant and a subtenant. Their networks should be separated.

Also there is a guest network that should of course also be separated from the other two.

 

Main tenant operates on 192.168.54.0, subtenant on 192.168.41.0 and guest network is 192.168.31.0

 

I attached some screenshots from the FortiGate UI. Is it possible to tell from those screenshots if those three "areas" are separated from each other so that for example a device in 192.168.41.0 can't connect to anything in the 192.168.54.0 area?

 

Switch is some UniFi product that has the ports that are used in the subtenant's part of the office set up with the corresponding VLAN ID. The guest WiFi does the same.

On first sight it seems to do as it should, meaning the subtenants receive IPs from the 192.168.41.0 range if they plug in and the devices on the guest WiFi receive IPs from the 192.168.31.0 range.

 

However I've read that VLANs aren't actually separated "by default" and that devices from the different VLANs can interact with each other. If this is true, the setup would only be "cosmetically" fine (different areas have different IP ranges) but the intended security aspect wouldn't be met.

 

Can anyone help?

 

Policies:

2023-01-07_13-40.png

Interfaces:

2023-01-07_13-39.png

4 replies

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
January 7, 2023

If it's just a L3 router, those VLAN interfaces can talk each others. That's the purpose of routers to connect networks.

The FortiGate is a firewall with L3 router features. Without policies like lan<->XXXerdhcp, lan<->guestdhcp, etc. they cannot talk each others. That's the purpose of firewall to restrict/control traffic between connected networks.

 

Yes, looks fine to me.

 

Toshi

    seshuganesh
    Staff
    seshuganesh
    Staff
    January 8, 2023

    Hi Team,

     

    Since there are already sepeated with different VLAN ID, only if you create firewall policy in the firewall between VLAN interface to normal interface traffic will be accepted.

    Else, traffic will get denied when reaching from one interface to another interface

      peon2t
      peon2tAuthor
      Explorer
      January 8, 2023

      Very well, thank you.

      I guess what I read was referring to a situation where the Switch had some routing capabilities but this probably isn't the case here.

       

      I have an additional question (which was the reason why we started looking at the firewall in the first place):

      The subtenant wants to start using the network printer that is in the main tenants network. Is this achieveable without big impacts to the separation of the VLANs?

      Toshi_Esumi
      SuperUser
      Toshi_Esumi
      SuperUser
      January 8, 2023

      That's the situation what I meant in "Without policies like lan<->XXXerdhcp..." above. You just need to add a policy to allow XXXerdhcp->lan to the printer's address. One direction should be suffice since printer access is generally one way.

       

      Toshi

      Terms & ConditionsAccessibility statement