Hello,
I have two networks setup: 10.1.10.0/24 (lan) and 10.2.10.0/24 (Wireless). I have DHCP enabled for both ranges, but for the Wireless network I have the DHCP range setup for 1 -- 99. I have a wired device that needs to be on the same network as the wireless devices, and I'd also like it to have a static IP. However, when I assign it an IP address (either inside or outside the DHCP range), I am unable to ping it. Is there a way I can setup my Fortigate device so as to allow wired and wireless devices to use the same IP pool?
Thanks.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Depending on the model, you may be able to create a virtual switch and add those interfaces into that switch. Doing this, bot wired and wireless devices will share the same IP pool and DHCP settings. Since this a software switch though, throughput will be degraded. How much depends on the model and the amount of traffic.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Ideally, you will want to set up a software switch; simplest steps (depending on your fgt model and firmware) is to create a wifi interface then create a software switch using the lan interface ports + wifi ports.
If you already have set up the firewall policies for the lan interfaces, you could edit the config via a text editor to change the lan interface(s) names in the firewall policies to the name you plan to call the software switch, then create a soft switch similar to something like:
config system switch-interface
edit "internal_net"
set vdom "root"
set member "port1" "port2" "port3" "port4" "wifi"
next
end
Just curious to know why this pc needs to be on the wireless network? Wouldn't be easier to buy a cheapo wifi USB stick for like $15-20 and use that?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Thanks to both of you for the guidance. After looking into setting up a software switch, I found this document which goes into the details of setting one up: http://docs.fortinet.com/d/fortigate-sharing-the-same-subnet-for-wifi-and-wired-clients
The device itself isn't a computer, but an Apple Time Capsule. For some reason, Time Capsules need to be on the same subnet as devices that will backup to them. Something with Apple's Bonjour service...
Most if not all of our Macs connect to the network via wireless and since the Time Capsule is plugged in via Ethernet (so therefore on a different subnet), the Macs are unable to communicate with it correctly.
I can ping it from a Mac if I leave it with a 10.1.10.1/24 address, but lose the full autonomy and smarts that the Time Capsule otherwise provides.
Thanks again for pointing me in the right direction. I will continue to look into setting up a software switch.
Thanks
If your device is incapable of doing that (software switch), alternatively you could create a Virtual IP (VIP) where you masquerade one device behind a virtual IP on the current (or other - read wireless) network.
Good luck
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Knowing it's an Apple device using Bonjour, it may be possible to avoid overlapping subnets, or combining the subnet ranges.
In that case, it's likely multicast traffic that is being blocked (and the TTL decremented) by default.
To allow multicast forwarding and preserve the original TTL of 1, make the following changes and test again to see if you still can't use the Time Capsule:
1. Enable multicast forwarding and preserve original TTLs
config system settings set multicast-forward enable
set multicast-ttl-notchange enable
end
2. Create a policy to allow multicast traffic in any direction, from any host (the simplest way)
config firewall multicast-policy
edit 1
set action accept
end
You may want to consult the FortiOS 5.0 Handbook, beginning on page 1050, about hardening the policy against non-Bonjour traffic (the guide is available at docs.fortinet.com).
Regards, Chris McMullan Fortinet Ottawa
Chris is probably right but you don't need a wired client to be in the same subnet as the TC. You can mount to the TC via afp:x.x.x.x where x.x.x.x is your TC address. It can be anywhere including over and across the internet. I believe apple is still using port 548 so double check.
Ken
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1531 | |
1028 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.