AdmiralKirk

Connect legacy network to my FortiGate?

Hi all, first time poster here. I recently came into this job and am still learning how to speak FortiVerse when I've been speaking SonicWall, Sophos, Extreme, and NetGear for the past 14 years. I've been struggling with this specific problem for a while and figure I should ask the hive mind that has the most specific experience.
We have a remote site where we inherited a legacy SonicWall-based network.  I migrated nearly all of the devices from said network and onto our network serviced by a FortiGate 80F, but there is a lingering issue with their door controls and cameras. Without spending a bunch of time describing the legacy security network, my intent is to dedicate one of my FGT ports to serve that network as-is and let the FGT do the work for me.

On to the technical details.

My FGT is using LAN4 for Department 4 (192.168.104.0/24), LAN3 for Department 3 (192.168.103.0/24), and WAN1 to the ISP. No VLANs, just different networks with routing rules, all in all a fairly simple setup.

The legacy SonicWall is configured to use VLAN202 (192.168.202.0/24) as the security network, with basic rules allowing traffic out, along with a rule allowing inbound traffic from the old user network to the door controller appliance to reach said controller.  My network already has a 192.168.202.0 subnet so I cannot just connect it directly, otherwise the whole thing would have been done 3 months ago.

Picture, 1,000 words, and all that:

[Network diagram: Drawing2.png]

So my dilemma is that I don't know how to make it so the facilities manager on LAN4 can access LAN2, which is VLAN-tagged on that network's switches. I've heard that I need to create VLAN 202 on FGT LAN4 (which didn't make sense to me), or that I need to set up 1:1 NAT on LAN2, or that I can do a simple static route along with 1:1 NAT, or combinations thereof. What I don't have yet is a solid solution.

Anyone have insight on the concept as well as technical details for how I can solve this puzzle?

gfleming
Staff

I'm not 100% clear on your configuration and issues but let me try:
- Where is the 192.168.202.0/24 network that you already have? I don't see it on the diagram. Regardless, can you re-IP this network so that the legacy security devices network can be connected directly?

- Does LAN2 on the FGT connect to the SonicWall directly? You probably don't need to do any VLANs or tagging on the FGT then. If the connection to the Security Network on LAN2 truly is using 802.1q tags then you can definitely create a VLAN interface for VLAN 202 on the FGT under port LAN2.

- And yes, if you already have 192.168.202.0/24 somewhere in your network and want to also connect the legacy security devices network using 192.168.202.0/24 the only way around this is to use NAT.
Before doing all of that though, perhaps the best solution is fixing what is already broken. Is that possible? What I mean by that is:

1. Can you fix the security devices so that you no longer need the SonicWall in play?

2. Is there truly no way around having two 192.168.202.0/24 networks in existence?

3. Do you need NGFW segmentation between all of your networks? You could alternatively leverage a trunk port on the FGT going to a downstream core switch and have the core switch handle all the inter-VLAN traffic.

Cheers,
Graham
AdmiralKirk
Oh dear, I apologize, I neglected some very important details. The diagram shows the end game, not current state. If a current state diagram would be helpful I'll whip one up.

  • Currently the legacy 202 network is connected to the SonicWall, which is connected to the ISP beside my FortiGate. The two firewalls are not connected to each other.
  • The goal is to remove the SonicWall, having all of the networks connected to the FortiGate.
  • My network is spread across 150 miles with multiple site-to-site VPN connections, and my 202 network is at another site.
  • As much as I would love to do it, rebuilding the legacy network is not an option at this time. My intent is to let it ride until we do a replacement project.

I do not need to separate the main network from this legacy one, I am specifically trying to get them connected.  My hurdles are 1) legacy 202 network is VLAN tagged, and 2) IP conflict with 202.
@gfleming wrote:

- Does LAN2 on the FGT connect to the SonicWall directly? You probably don't need to do any VLANs or tagging on the FGT then. If the connection to the Security Network on LAN2 truly is using 802.1q tags then you can definitely create a VLAN interface for VLAN 202 on the FGT under port LAN2.

- And yes, if you already have 192.168.202.0/24 somewhere in your network and want to also connect the legacy security devices network using 192.168.202.0/24 the only way around this is to use NAT.

This sounds similar to what I had in mind. I want to connect the 202 network to FGT LAN2 and let traffic flow together with LAN4. The expertise on how to execute this is what I lack.
@gfleming wrote:

Do you need NGFW segmentation between all of your networks? You could alternatively leverage a trunk port on the FGT going to a downstream core switch and have the core switch handle all the inter-VLAN traffic.

I do have a FortiSwitch 248E right there. I am completely open to leveraging it if that would make the process easier.
gfleming

OK, if you want to remove the SonicWall and get the VLAN 202 connected to LAN2 you have to use NAT to get around the address conflict.
There is one possible exception to this: what devices/networks need to communicate with those in VLAN 202? If it's only one device or user (Facilities Manager?) then it would likely be simpler to consider using a VRF or VDOM to separate out VLAN 202 and avoid the conflicts. A VRF creates a new routing table that is separated from the main routing table. A VDOM creates an entirely new virtual firewall inside the FortiGate (basically taking over the role of the SonicWall). Can the facilities manager, assuming it's a single user and/or device, have a dedicated network that is only used to communicate with the devices in VLAN 202? I'm picturing a dedicated NIC or VLAN on the device that communicates with the devices in VLAN 202 and the main NIC used to communicate with the rest of the network. The only downside is this device would not be able to reach the other 192.168.202.0/24 network until they disconnected the other NIC/VLAN.
If you can't do that, then you're doing NAT. You need to do destination NAT for all of the communication that is from a device outside VLAN202 going into that network. And you need to do source NAT for all of the communication that is coming from VLAN202 towards other networks in your environment.
Most likely you would just want to configure an IPv4 VIP with an external IP range mapping to the VLAN202 subnet, i.e. you could use 172.16.202.1-172.16.202.254 as your external IP range and 192.168.202.1-192.168.202.254 as your mapped range. This means when someone requests access to 172.16.202.10 they will be sent to 192.168.202.10.
Now for the reverse flow initiated from within VLAN202, you would need to do either SNAT with port translation (i.e. all packets from 192.168.202.0/24 would be mapped to a single IP such as 172.16.202.254—similar to how you mask your private subnets when going out to the internet), or you could do the same as your DNAT above and configure a one-to-one IP Pool and specify that in your NAT options.
Here's config info for DNAT: https://docs.fortinet.com/document/fortigate/6.4.10/administration-guide/510402/static-virtual-ips
Here's config info for SNAT: https://docs.fortinet.com/document/fortigate/6.4.10/administration-guide/29961/dynamic-snat
Some info on VRFs: https://docs.fortinet.com/document/fortigate/6.4.10/administration-guide/752950/implementing-vrf
And some more on VDOMs: https://docs.fortinet.com/document/fortigate/6.4.10/administration-guide/109991/virtual-domains
Also, as for the VLAN tagging: you might be overthinking it. I assume there is a switch where all of these devices plug into? And they are all in VLAN 202? That's fine! It doesn't mean you need to tag or have a VLAN202 interface on the Firewall. Just make the port that connects to the FortiGate a VLAN202 port that is untagged. This means untagged traffic will be put into VLAN202 automatically. You most likely do not need to create a VLAN202 interface on the FortiGate.

Cheers,
Graham
AdmiralKirk
Thank you for the info Graham. I had a couple of vacation days and am just getting back here.

I follow the VIP/DNAT/SNAT idea and it sounds good, I believe I can figure that out.
I am still a little unclear on the VLAN tagging. There is indeed a single switch doing VLAN202 from which all the other 202 switches connect, but it is not a switch I can manage (see above regarding archaic Flash-based switches). Without being able to connect to it I can't replicate those settings onto a new/different switch.
I just had an idea: I know I can connect to at least one of the 202 downstream switches (just not the first one). I can grab any old managed switch I have laying around and set it up to replace the first switch, then I can manage the VLAN settings to my heart's content.
It will be a couple of weeks before I can get back to that site and test this out, and I'll make an update when I do.

gfleming

Ah, sorry, I must have missed the part about the archaic managed switches. But yes, if you have to connect your FortiGate to a switchport that is actively tagging traffic for VLAN202 then you just create the appropriate VLAN interface attached to the physical port on the FortiGate. Here's info on that: https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/402940/vlan

Cheers,
Graham
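Putting Graham's two replies together (the VIP/IP-pool NAT design and the tagged-VLAN sub-interface), here is a constructed FortiOS CLI sketch of what that looks like. It is an added example, not configuration from this thread or from Fortinet; the interface names lan2/lan4, the interface name legacy-vlan202, the object names, the 172.16.202.0/24 alias range and the .254 addresses are assumptions to adapt to the real box.

```fortios
# Constructed example; interface/object names and the 172.16.202.0/24 alias range are assumptions
# 1. 802.1Q sub-interface on LAN2 for the legacy switch uplink that tags VLAN 202
config system interface
    edit "legacy-vlan202"
        set interface "lan2"
        set vlanid 202
        set ip 192.168.202.254 255.255.255.0
    next
end
# 2. DNAT: 172.16.202.x as seen from LAN4 maps 1:1 to 192.168.202.x behind LAN2
config firewall vip
    edit "vip-legacy-202"
        set extip 172.16.202.1-172.16.202.254
        set mappedip "192.168.202.1-192.168.202.254"
    next
end
# 3. SNAT with port translation: everything sourced in legacy 202 leaves as 172.16.202.254
config firewall ippool
    edit "pool-legacy-202"
        set type overload
        set startip 172.16.202.254
        set endip 172.16.202.254
    next
end
# 4. Policies: LAN4 -> legacy (via the VIP) and legacy -> LAN4 (via the IP pool)
config firewall policy
    edit 0
        set name "lan4-to-legacy-202"
        set srcintf "lan4"
        set dstintf "legacy-vlan202"
        set srcaddr "all"
        set dstaddr "vip-legacy-202"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "legacy-202-to-lan4"
        set srcintf "legacy-vlan202"
        set dstintf "lan4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-legacy-202"
    next
end
```

With this in place the facilities manager on LAN4 reaches the door controller at 192.168.202.10 by using 172.16.202.10, while the existing 192.168.202.0/24 at the other site keeps its routes untouched; if the legacy uplink turns out to be untagged, drop the VLAN sub-interface and put the 192.168.202.254 address and policies on lan2 itself.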