Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dmux
New Contributor

Giving a wired device a static IP in the Wireless range

Hello,

I have two networks set up: 10.1.10.0/24 (lan) and 10.2.10.0/24 (Wireless). I have DHCP enabled for both ranges, but for the Wireless network I have the DHCP range set up for 1 -- 99. I have a wired device that needs to be on the same network as the wireless devices, and I'd also like it to have a static IP. However, when I assign it an IP address (either inside or outside the DHCP range), I am unable to ping it. Is there a way I can set up my Fortigate device so as to allow wired and wireless devices to use the same IP pool?


Thanks.

6 REPLIES
rwpatterson
Valued Contributor III

Depending on the model, you may be able to create a virtual switch and add those interfaces into that switch. Doing this, both wired and wireless devices will share the same IP pool and DHCP settings. Since this is a software switch though, throughput will be degraded. How much depends on the model and the amount of traffic.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Dave_Hall
Honored Contributor

Ideally, you will want to set up a software switch; the simplest steps (depending on your fgt model and firmware) are to create a wifi interface, then create a software switch using the lan interface ports + wifi ports.

If you have already set up the firewall policies for the lan interfaces, you could edit the config via a text editor to change the lan interface name(s) in the firewall policies to the name you plan to call the software switch, then create a soft switch similar to something like:

config system switch-interface
    edit "internal_net"
        set vdom "root"
        set member "port1" "port2" "port3" "port4" "wifi"
    next
end

Just curious to know why this pc needs to be on the wireless network? Wouldn't it be easier to buy a cheapo wifi USB stick for like $15-20 and use that?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

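As an added example (not Dave's configuration and not taken from Fortinet documentation) of carrying the software switch through to the original question: the switch gets its own address, a DHCP server whose pool matches the 1 -- 99 range, and a DHCP reservation so the wired device keeps a fixed address from that same pool without a manually set static IP. Assumptions: the wifi interface already exists and is named "wifi"; the gateway address 10.2.10.254, the reserved address 10.2.10.50 and the MAC address are placeholders.

```fortios
# Software switch bridging the wired ports and the wifi interface (as in Dave's post)
config system switch-interface
    edit "internal_net"
        set vdom "root"
        set member "port1" "port2" "port3" "port4" "wifi"
    next
end
# The switch itself is the one L3 interface for the combined 10.2.10.0/24 network
# (gateway address 10.2.10.254 is an assumption)
config system interface
    edit "internal_net"
        set ip 10.2.10.254 255.255.255.0
        set allowaccess ping https ssh
    next
end
# One DHCP server for wired and wireless clients alike; pool .1 to .99 as in the question
config system dhcp server
    edit 1
        set interface "internal_net"
        set default-gateway 10.2.10.254
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.2.10.1
                set end-ip 10.2.10.99
            next
        end
        # Reservation pins the wired device to a fixed lease inside the pool
        # (address and MAC are placeholders, replace with the device's own)
        config reserved-address
            edit 1
                set ip 10.2.10.50
                set mac 00:11:22:33:44:55
            next
        end
    next
end
```

Existing firewall policies that referenced the individual lan ports must be re-pointed at "internal_net" before the ports can be added as members, which is the text-editor step Dave describes.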
dmux
New Contributor

Thanks to both of you for the guidance. After looking into setting up a software switch, I found this document which goes into the details of setting one up: http://docs.fortinet.com/d/fortigate-sharing-the-same-subnet-for-wifi-and-wired-clients

The device itself isn't a computer, but an Apple Time Capsule. For some reason, Time Capsules need to be on the same subnet as devices that will back up to them. Something with Apple's Bonjour service...

Most, if not all, of our Macs connect to the network via wireless, and since the Time Capsule is plugged in via Ethernet (and therefore on a different subnet), the Macs are unable to communicate with it correctly.

I can ping it from a Mac if I leave it with a 10.1.10.1/24 address, but lose the full autonomy and smarts that the Time Capsule otherwise provides.

Thanks again for pointing me in the right direction. I will continue to look into setting up a software switch.

Thanks

rwpatterson
Valued Contributor III

If your device is incapable of doing that (a software switch), you could alternatively create a Virtual IP (VIP), where you masquerade one device behind a virtual IP on the current (or other, read wireless) network.

Good luck

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Christopher_McMullan

Knowing it's an Apple device using Bonjour, it may be possible to avoid overlapping subnets or combining the subnet ranges.

In that case, it's likely multicast traffic that is being blocked (and the TTL decremented) by default.

To allow multicast forwarding and preserve the original TTL of 1, make the following changes and test again to see if you still can't use the Time Capsule:

1. Enable multicast forwarding and preserve original TTLs

config system settings
    set multicast-forward enable
    set multicast-ttl-notchange enable
end

2. Create a policy to allow multicast traffic in any direction, from any host (the simplest way)

config firewall multicast-policy
    edit 1
        set action accept
    next
end

You may want to consult the FortiOS 5.0 Handbook, beginning on page 1050, about hardening the policy against non-Bonjour traffic (the guide is available at docs.fortinet.com).

Regards, Chris McMullan Fortinet Ottawa
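An added example (not Chris's configuration, nor Fortinet's documentation) of the tightened policy he points to: instead of accepting all multicast from anywhere, a multicast-address object is defined for the mDNS group 224.0.0.251 and the policy accepts only UDP 5353 (the port Bonjour's mDNS uses) to that group, in each direction between the wired and wireless interfaces. The interface names "internal" and "wifi" and the object name "mdns-group" are assumptions.

```fortios
# Multicast destination object: only the mDNS group, nothing else
config firewall multicast-address
    edit "mdns-group"
        set type multicastrange
        set start-ip 224.0.0.251
        set end-ip 224.0.0.251
    next
end
# Two one-directional policies; protocol 17 = UDP, port 5353 = mDNS.
# Any other multicast (SSDP, streaming, routing protocols) is still dropped.
config firewall multicast-policy
    edit 1
        set srcintf "wifi"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "mdns-group"
        set protocol 17
        set start-port 5353
        set end-port 5353
        set action accept
    next
    edit 2
        set srcintf "internal"
        set dstintf "wifi"
        set srcaddr "all"
        set dstaddr "mdns-group"
        set protocol 17
        set start-port 5353
        set end-port 5353
        set action accept
    next
end
```

The `multicast-forward` and `multicast-ttl-notchange` settings from step 1 above are still required; these policies only narrow what step 2 lets through.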

emnoc
Esteemed Contributor III

Chris is probably right, but you don't need a wired client to be in the same subnet as the TC. You can mount the TC via afp:x.x.x.x where x.x.x.x is your TC address. It can be anywhere, including over and across the internet. I believe Apple is still using port 548, so double check.

Ken

PCNSE
NSE
StrongSwan