Hello,
About 18 months ago, we upgraded the school network. I insisted that we had Fortinet in to run our web filtering and firewall, but our IT guy (long gone) had to have a Mikrotik router to manage the network and wireless APs. I don't know why, but it was a must-have. I agreed as long as it worked with the Fortinet and I didn't have to worry about it. Having used Fortinet before, I know that it just works well, particularly in school environments.
Roll on 12 months: the IT guy has exited stage left (I can't even begin to list the chaos that was uncovered), a new IT guy comes in, and lots of things unravel, the main one being that the Fortinet 200E was never set up. It has just sat there unused for a year or more.
The suppliers have been in trying to make it play nicely with the Mikrotik router, but so far they have failed, my blood pressure has risen, and that is about it.
My understanding at the moment is that we have several VLANs set up in school: students, teachers, admin staff, wifi. The Mikrotik runs all this, including the wifi APs.
The supplier and my IT guy cannot get the Fortigate and the Mikrotik to play nicely together.
My first question is: is it possible to have the Mikrotik running all the network login details etc. and the FortiGate just managing the filtering/firewall side of things? That is all I really care about.
If it is possible, any suggestions as to how it should be set up? So far everything they have done has blocked traffic on the network.
At one point it looked hopeful, as they said it was communicating out the way, but nothing at all was coming back in.
I am not living in the most proactive part of the world when it comes to problem solving; often the solution is "it can't be done", rather than losing face and saying "we don't know".
Any thoughts would be appreciated so that I can go armed to the next shrugging shoulders meeting later this week.
Hey David,
I share your frustration with that attitude towards problem-solving, but there may not be a lot I can tell you without more of an idea of the logical topology (public IP addresses available, etc. -- you mentioned traffic not coming in), or, even more importantly, how they aren't "playing nice" together. I have no experience with Mikrotik but can't imagine anything not being possible with a FortiGate.
I would also recommend eliminating the Mikrotik and bringing the VLANs up to the FortiGate, either as a goal in and of itself or at least a test scenario to see why things "aren't playing nice" and which device is really at fault.
Other than a routing error (again, not sure what your public IP space is like), I can't see any reason you wouldn't be able to put it in line and start with a basic any/any on all services in both directions and start tightening it up from there.
- Daniel
Thanks for the response,
We have one fixed IP address on a leased line (100M) and a 1 Gigabit line with a non-fixed IP.
The Mikrotik is currently load balancing using these two lines.
Ligowave APs throughout the school - 26 or so in total.
Topology-wise, what would need to be known? Physically, we installed a fibre optic backbone through the site, with three nodes off it; it's meant to be a star network.
1x Cisco SG250X-24 24-Port Gigabit Smart Switch with 10G Uplinks
9x Cisco SG220-26-K9-EU Gigabit Smart Switch 10/100/1000
26x LigoWave NFT 3AC-TH Access Point AC1750 Dual-Band 3x3 MIMO
I have a map somewhere, but it has IP and MAC details on it, so it would need blurring out.
VLAN below
Thanks in advance if this gives you any further insight.
The suggestion a couple of weeks ago was to create a website blacklist; I had to check my watch to make sure I hadn't gone back in time to 1995.
I still think your best bet is to plan a migration away from the Mikrotik. The FortiGate's SD-WAN capabilities can fully handle the load balancing you mentioned, but with only the one IP address for each Internet connection it sounds like you'd have to change a lot of IP addressing/routing on the Mikrotik or do transparent mode on the FortiGate -- unless you eliminate the Mikrotik. I don't have any experience with transparent mode, but I'm sure there are others on here that might.
If you do the migration, you'll also gain extra visibility into your network (MAC addresses) and be able to log all inter-VLAN routing even if you don't "firewall" any of it. Maybe the Mikrotik is already doing this for you, but it sounds like it's clearly not doing everything you want, so...
I would:
1) Create a transit network between the Mikrotik and the FortiGate, and place the FortiGate on the outside edge.
2) Create an all-all policy allowing all traffic through the FortiGate. That will get it into the fold.
3) Create another trunk between the FortiGate and the switch inside the Mikrotik.
4) Duplicate the policies from the Mikrotik onto the FortiGate one VLAN at a time.
5) When you think you're good, swap the default gateway IP between the two, making the FGT the default.
6) Monitor, correct, and when happy move on to the next VLAN.
If you don't have that many policies, that part shouldn't take long. Getting the filtering correct will bring along some headaches, but once done, you'll be happy.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
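What steps 1 and 2 above (and Daniel's earlier "basic any/any, then tighten it up" suggestion) look like on the FortiGate side, as an added FortiOS CLI example that is not from this thread, from Bob's scripts, or from Fortinet. The port names, the transit subnet 10.255.0.0/30, the summary 10.10.0.0/16 for the school VLANs, and the ISP gateway are assumed placeholders; substitute the real values. It also addresses the "traffic goes out but nothing comes back" symptom mentioned earlier: with a single public IP per line, outbound traffic has to be source-NATed on the FortiGate, and the FortiGate needs a route back to the VLAN subnets via the Mikrotik, or replies are dropped.

```fortios
# --- Step 1: transit network between Mikrotik and FortiGate (assumed addressing) ---
# FortiGate side of the point-to-point link is 10.255.0.1; Mikrotik side is 10.255.0.2.
config system interface
    edit "port3"
        set alias "transit-to-mikrotik"      # assumed port; use the one actually cabled
        set mode static
        set ip 10.255.0.1 255.255.255.252
        set allowaccess ping
        set role lan
    next
end

# Routes: default out the fixed-IP leased line, and a return route for the VLANs.
# Without the second route, replies to 10.10.x.x hosts have no path back to the Mikrotik.
config router static
    edit 1
        set gateway 203.0.113.1              # assumed ISP gateway (documentation range)
        set device "wan1"
    next
    edit 2
        set dst 10.10.0.0 255.255.0.0        # assumed summary of all school VLANs
        set gateway 10.255.0.2               # Mikrotik's transit address
        set device "port3"
    next
end

# --- Step 2: all/all policy so traffic flows; tighten per VLAN later (step 4) ---
# NAT is required because the leased line has a single fixed public IP.
# Logging everything from day one gives the visibility the Mikrotik was not providing.
config firewall policy
    edit 1
        set name "transit-to-internet-anyany"
        set srcintf "port3"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# On the Mikrotik side (not shown here), its default route must point at 10.255.0.1
# and it must stop NATing/load-balancing to the ISPs itself, or the FortiGate never
# sees the client traffic and web filtering cannot apply.
```

Once this passes traffic, step 4 becomes a matter of replacing this single policy with one per VLAN (source address set to that VLAN's subnet) and attaching a web-filter profile to each, which is the point at which the filtering the school actually wants starts to happen. Until the any/any is removed, every VLAN still reaches the Internet unfiltered, so keep step 6's monitoring going before declaring the migration finished.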