How to have multiple subnets in 1 lan port?

jcvm · ‎12-20-2021

Hello,

I just bought a Fortigate to migrate our entire Mikrotik network to Forigate and the following question arises:

How can you have 4 Subnets on a single LAN port?

Example:

192.168.1.1/24
172.16.50.1/24
192.168.1.1/24

Debbie_FTNT · ‎12-21-2021

Hey Toshi, jcvm,

multiple IPs can be set in GUI if the interface role is specified as "LAN" :)

Hope this helps.

@jcvm - If you are just looking to set secondary IPs, the above will provide what you need. If you want to include different VLANs for the different subnets, you need to create VLAN interfaces under Network > Interfaces, bind them to the correct physical interface (which will act as trunk port) and set the appropriate VLAN IDs.

Cheers!

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

View solution in original post

Toshi_Esumi · ‎12-20-2021

I didn't know this until now but at least with 6.4 looks like you can enable Secondary-IP only via CLI. Then you can add those IPs in GUI.

config sys int

edit xxx

set secondary-IP enable

Debbie_FTNT · ‎12-21-2021

Hey Toshi, jcvm,

multiple IPs can be set in GUI if the interface role is specified as "LAN" :)

Hope this helps.

@jcvm - If you are just looking to set secondary IPs, the above will provide what you need. If you want to include different VLANs for the different subnets, you need to create VLAN interfaces under Network > Interfaces, bind them to the correct physical interface (which will act as trunk port) and set the appropriate VLAN IDs.

Cheers!

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

jcvm · ‎12-21-2021

@Debbie_FTNT Thank you very much, I have another question.

Can you create rules and outputs for different WANS to each subnet (secondary IP)?

Debbie_FTNT · ‎12-21-2021

You can create different rules for each subnet on the interface, yes - if you create policies and always mention the specific source or destination subnet.
You would have four policies from your lan interface to whatever destination, and for each rule you would have a different source subnet defined, for example.
The key would be to never use a generic source/destination (like 'all') that more than one subnet on that interface would match, unless explicitly intended.

To be honest, I am not entirely sure how FortiGate would handle traffic from one subnet to another one on the same interface, if it would allow that without policy or not, you might need to test if you can ping from one subnet to the other without a rule in place.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

Toshi_Esumi · ‎12-21-2021

I would recommend VLANs instead if you want to do more on each subnet, then control the tagging at your switch. Using different subnets on the same interface hinder your ability to debug and manipulate flow of packets down on the road.

jcvm · ‎12-21-2021

Hello,

@Debbie_FTNT I'm going to run these tests to see how the equipment performs.

@Toshi_Esumi I cannot apply Vlans since the network distribution (Physical structure and ports) do not allow me to separate correctly to apply Vlans.

The Subnets are divided as follows:

1- Administrative Teams
2 - IP Phones
3- Cameras
4 - IT team

The ideal would be to use Vlans but the use of it is complicated by the aforementioned.

All I have left are the rules for separating and blocking traffic.

If you have another suggestion, it is accepted.