Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MeoDub
New Contributor

Out of IPs: adding another LAN but running into DNS issues

Hi all,

I struggle through every step with these routers, very sorry for the noob questions, but please be gentle: I don't really know what I'm doing here.

So we were quickly exhausting our single class C network, and I decided to run another line from the FortiGate 60E (is that a VLAN or a subnet? not sure) to a new switch and give myself another 200+ addresses. Main net is 192.168.1.0, and I made the new LAN 192.168.3.0. I have the FortiGate set as the DHCP server for this new segment, and so far I've fought my way through to a point where clients pull an IP and can communicate internally and externally.

I can ping from a 192.168.1 machine to a 192.168.3 machine, but if I try to remote in by machine name, it fails, so I have a DNS issue for sure. I have the new LAN DNS set to our DC at 1.10.

I'm also a little worried about security, as I basically just added policies to open everything up between the two LANs and between the WAN and the new LAN.

I'll attach a few screenshots of the current config... if anyone has any suggestions or critiques on anything I've set up here, they would be greatly appreciated. I realize it's a lot to ask, we are all very busy, but I thank you for reading.


5 REPLIES
GusTech
Contributor II

Do you split the internal network because you really want different access, or do you do it just to get more addresses?

If the target is only more internal addresses, you can increase the internal network you already have:

Add a /22 network. Then you have 192.168.0.1-192.168.3.254 in the same internal network.

192.168.0.1/255.255.252.0

Fortigate <3


GusTech

WAN -> internal delete =)

Fortigate <3


MeoDub
New Contributor

Thanks, Gus.

More internal addresses is the goal, but changing the mask seemed like the more complicated route. I don't fully understand the ramifications of that change, so I thought it better to leave it alone.

Edit: I should also mention I have another building down the road connected via tunnel, which is on 192.168.2.0. That factored into my avoidance of changing the mask. I'll probably just leave it as is and fight the DNS issue.

sw2090
Honored Contributor

Hm, maybe it's easiest to have the FGT be the DNS and DHCP forwarder for 192.168.3.0 to the DC on 1.10. And then have the DHCP on the DC have a pool for both subnets; also, it has to have an IP in 192.168.3.0 itself, of course.

This DNS thingy will only work with Windows DHCP servers, AFAIK.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

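Putting the two accepted suggestions into FortiOS CLI: GusTech's "delete the WAN -> internal policy" and sw2090's "let the FortiGate relay DHCP for 192.168.3.0 to the DC". This is an added example, not config from the thread or from Fortinet. It assumes interface names "internal" (192.168.1.0/24), "internal2" (the new port, 192.168.3.0/24) and "wan1", and the DC at 192.168.1.10 as stated in the question. It keeps the separate /24 rather than the /22 from the first answer, because 192.168.0.0/22 also contains the remote site's 192.168.2.0/24 mentioned above and would overlap the tunnel route. The policies replace the open "everything between the LANs" rules with the minimum the new segment needs, so anything else hits the implicit deny and shows up in the log.

```fortios
# Added example, not from the thread. Assumed names: "internal" = 192.168.1.0/24,
# "internal2" = new port for 192.168.3.0/24, "wan1" = Internet, DC = 192.168.1.10.

# 1) New LAN port: relay DHCP to the DC instead of serving leases locally.
#    Delete the FortiGate's own DHCP server entry for internal2 first
#    (config system dhcp server / delete <id>); the two cannot coexist on one port.
#    The relay packets are sent by the FortiGate itself, so they need no firewall policy.
config system interface
    edit "internal2"
        set ip 192.168.3.1 255.255.255.0
        set allowaccess ping
        set role lan
        set dhcp-relay-service enable
        set dhcp-relay-ip "192.168.1.10"
    next
end

# 2) Address objects so policies name hosts and subnets, not "all".
config firewall address
    edit "DC-192.168.1.10"
        set subnet 192.168.1.10 255.255.255.255
    next
    edit "LAN1-192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "LAN3-192.168.3.0"
        set subnet 192.168.3.0 255.255.255.0
    next
end

# 3) Policies. "edit 0" takes the next free id. Replace the open LAN<->LAN and
#    WAN->LAN rules with these; anything not matched hits the implicit deny.
#    The existing WAN -> internal allow rule is removed, not replaced:
#    find its id with "show firewall policy" and run "delete <id>" in this block.
config firewall policy
    edit 0
        set name "LAN3-to-DC-AD"
        set srcintf "internal2"
        set dstintf "internal"
        set srcaddr "LAN3-192.168.3.0"
        set dstaddr "DC-192.168.1.10"
        set action accept
        set schedule "always"
        set service "DNS" "KERBEROS" "LDAP" "LDAP_UDP" "SMB" "NTP" "PING"
        set logtraffic all
    next
    edit 0
        set name "LAN1-to-LAN3-RDP"
        set srcintf "internal"
        set dstintf "internal2"
        set srcaddr "LAN1-192.168.1.0"
        set dstaddr "LAN3-192.168.3.0"
        set action accept
        set schedule "always"
        set service "RDP" "PING"
        set logtraffic all
    next
    edit 0
        set name "LAN3-to-Internet"
        set srcintf "internal2"
        set dstintf "wan1"
        set srcaddr "LAN3-192.168.3.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Once the relay is in place, the DC needs a 192.168.3.0/24 scope; the relay writes 192.168.3.1 into giaddr, which is how the Windows DHCP server picks that scope, and it then registers the clients' A records in its DNS zone, which is what makes "remote in by machine name" work from the other subnet. If you keep the FortiGate as the DHCP server instead, set `dns-server1 192.168.1.10` and the AD domain name under `config system dhcp server` for that interface, so that single-label names get the right suffix. The AD service list is a starting point only; domain clients also use RPC (TCP 135 plus dynamic ports), so add what `logtraffic all` shows being denied. There is deliberately no wan1 -> internal2 policy: inbound from the Internet stays at the implicit deny.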

Jonathan_Rennie_FTNT

(deleted)

That will be me then!!