Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SmokeyMountian_Tech
New Contributor

Internal routing

100D's in HA:

 

The internal network is set for 10.4.1.x/24

We also have other internal networks from 10.1.1.x to 10.8.1.x that can all talk to our primary 10.4.1.x subnet

Our other networks are each on their own VLAN which is all handled by our core switch.

 

Currently, our Aruba 5406 does all the routing from the other subnets.

ip default-gateway 10.4.1.9 (FortiGate) ip route 0.0.0.0 0.0.0.0 10.4.1.9

 

In order for the firewall to be able to communicate to the other local subnet for AP discovery with FortiManager:

[ol]
  • Should we just change the subnet on the internal interface from /24 to /12 : 10.0.0.1 - 10.15.255.254
  • Or would it be better to create some kind of loopback interface?[/ol]

    We just received two new 600E's that we'll be upgrading to soon as well.

     

    TIA

  • 2 Solutions
    lobstercreed
    Valued Contributor

    I can't speak to the problem you're trying to solve (I use no FortiAP) but I can tell you that changing the subnet on the internal interface will absolutely not work.  The FortiGate will suddenly think all the devices in that range are directly connected and stop routing to the Aruba 5406 to get to them - instead it will ARP fruitlessly.

     

    Instead I would recommend bring those VLANs up to the firewall and letting the FortiGate do all the inter-VLAN routing.  You'll gain visibility from the FortiGate and be able to put in better security controls.  Make sure you use zones to make your life easier.  :) 

    View solution in original post

    Yurisk

    If all you are trying to achieve is register APs to Fortigate over Layer 3 device, you can specify in APs config IP address of the Fortigate explicitly and it will register over the Aruba just as well:

    Say Fortigate has IP of 10.4.1.254, on AP CLI set:

    cfg -a AC_IPADDR_1=10.4.1.254

    cfg -c 

     

     

    Yuri https://yurisk.info/  blog: All things Fortinet, no ads.

    View solution in original post

    Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
    5 REPLIES 5
    lobstercreed
    Valued Contributor

    I can't speak to the problem you're trying to solve (I use no FortiAP) but I can tell you that changing the subnet on the internal interface will absolutely not work.  The FortiGate will suddenly think all the devices in that range are directly connected and stop routing to the Aruba 5406 to get to them - instead it will ARP fruitlessly.

     

    Instead I would recommend bring those VLANs up to the firewall and letting the FortiGate do all the inter-VLAN routing.  You'll gain visibility from the FortiGate and be able to put in better security controls.  Make sure you use zones to make your life easier.  :) 

    Yurisk

    If all you are trying to achieve is register APs to Fortigate over Layer 3 device, you can specify in APs config IP address of the Fortigate explicitly and it will register over the Aruba just as well:

    Say Fortigate has IP of 10.4.1.254, on AP CLI set:

    cfg -a AC_IPADDR_1=10.4.1.254

    cfg -c 

     

     

    Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
    Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
    SmokeyMountian_Tech

    I thought I've read or heard that it was better to do your routing on the core switch instead of the firewall?

    I'm thinking this was due to resource limits on the firewall.

    I don't think this will be an issue once we replace our 100D's with the 600E's that we just got in through.

     

    Currently, we have about 200-300 users locally and another 200-300 at remote sites. (Most of the remote sites have private fiber connection back to our network and the firewall handles routing for those)

     

    Thoughts?

    Yurisk

    In general routers are better at routing than firewalls, of course, but it all depends on the goals. If backbone/core router does routing between branches/network segments then firewall becomes pure perimeter firewall, guarding Internet access for those segments but doing nothing to protect each one of them from another.  

     

    600E is a beast, nothing to compare with 100D but a lot depends on how you are gonna use it - services he is going to run vs traffic volume passing through it.  Give each branch fiber of 100/100, enable URL filtering with SSL inspection, proxy mode, identity based rules, VPNs etc. and even 600e may strain. Look at the existing patterns and extrapolate to the new 600E capabilities.  If 600E is gonna do the same load 100D does today + routing, then it will eat it without sweating.

     

    Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
    Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
    SmokeyMountian_Tech

    Currently, the firewall handles all the routing for the remote offices, and we're not doing any interoffice security/filtering currently. It would probably kill the 100D's.

     

    I do like the ability to add additional security/visibility for the remote sites, but we also just purchased a FortiAnalyzer and will send all logs from the remote sites to the Analyzers.

     

    Most of our remote sites are 50/50 with some being 100/100

     

    on avg we use between 50-100Mb of our 1gb Internet pipe.

     

    We have about 15 SSL VPN users, and 13 active IPSec tunnels with a bunch of 4g failover tunnels.

     

    We'll probably start off on the 600's without filtering the remote offices and focus on the internet filtering first, and then enable filtering for interoffice comms.

     

    Also, setting the AC_IPADDR manually fixed being able to manage the FortiAP from the FortiGate.

     

    thank you.

    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors