Danté

Manage many internal subnets

Hi,

We just purchased a new FortiGate 100E for HQ and a FortiGate 60E for Branch; logs will be sent to a new Analyzer 200F, also at HQ. The current network has no firewalls, and routing/subnets are handled by the MikroTik ISP router. DHCP is handled by another MikroTik router that is behind the ISP router. There is also an IPsec VPN site-to-site link between the two MikroTiks. All subnets and VLANs share the same switches. I want to manage everything from the FortiGates except Voice. We have quite a number of different subnets at HQ, and I want to know the best way to configure this on the FortiGate.

10.1.0.x/24: This is the native LAN at HQ, which consists of all the staff devices and servers and is limited on available IPs. I configured a physical interface for this. All devices will receive a DHCP IP and will be reserved with MAC reservations and address groups.

10.2.0.x/24: This is the native LAN at the Branch site and falls under another MikroTik router linked with an IPsec VPN between sites. I will set this up on the 60E as the main interface and link to HQ with an IPsec VPN between the 100E and 60E gates.

10.3.0.x/24: This is another subnet at HQ which only contains 3 VMware hosts and a vCenter server. No VLAN (I am planning on moving them into the 10.1.0.x/24 range).

10.4.0.x/24: This subnet contains all our access points at HQ, which are statically configured, and no VLAN. (What do I do with this on the FortiGate? I want only admin source IPs from the 10.1.0.x/24 range to access and manage these.)

10.5.0.x/24: This is for the staff wireless network and is on VLAN 50. I configured a VLAN under the physical interface 10.1.0.x on the 100E. I want devices on here to be able to communicate with the 10.1.0.x/24 range. How will I go about doing this in the best way? Devices on here will be reserved with MAC reservations, and DHCP is on.

10.6.0.x/24: This range contains all our switches, 22 of them, all static interfaces.

10.7.0.x/24: This is the Guest wireless VLAN 60 range. DHCP is on and I will configure this to be isolated. Created a VLAN under the 10.1.0.x/24 interface.

10.8.0.x/24: This contains all our printers and CCTV cameras, all static. I want to move the printers perhaps to another range and keep CCTV on this range. I want to use untagged PVID access ports on the Cisco switches to completely separate this network from the rest of the networks and will use another interface on the 100E gate. Also, remote access will be set up to this interface to access CCTV.

10.10.0.x/24: This is the 3CX Voice VLAN 5. I want to create another VLAN under the 10.1.0.x/24 interface with DHCP for the phones. I do not want to manage the breakout; the ISP MikroTik will still handle that. I also want to manage the phones from the 10.1.0.x/24 range.

So what I am confused with is the best way to manage all the other devices on different subnets using the FortiGate 100E. Will I just add a secondary IP address within those ranges so I can access the devices on there? Do I create policy routes? But which interface do I use then? Or must I create physical interfaces for all of them? I hope someone can clear up this confusion for me. Thank you
Toshi_Esumi

I would focus on the physical paths to get to each group of devices you listed. Then let the switches do the switching and cable management as much as possible. Since a 100E has enough ports, you could separate all of them onto individual ports if you want, but I prefer combining them into fewer ports with VLANs, connecting those to the switches, and then breaking them up using access ports before going out. VLANs are logical interfaces in a FGT, so you can apply policy independently just like on a physical port.

What I wouldn't do is secondary IPs, which would mix up broadcast domains and create problems with DHCP servers and other issues.

Danté

Dear Toshi,

 

Thank you for your response and advice. I will certainly run the CCTV on its own physical interface with access ports, as I know CCTV can put strain on the other networks. One more thing that I would like to clarify: if I have subnet 10.1.0.x/24 with a VLAN 10.3.0.x/24 and I configure these with a policy route to see each other, will their DHCP servers hand out IPs to all clients or only to clients on the matching subnet? Thank you for the assistance.

 

Toshi_Esumi

First, you don't need any additional routes to route between directly connected subnets. You just need a policy. Not a policy route.

A DHCP server works on each broadcast domain. VLANs separate them.

sw2090

Just to show you - this is how I do this here.

 

I run FortiGates (also 100Es, mainly) here at HQ and in our shops all over Germany. Each shop has several subnets for different purposes (cash desks, WLAN, ...), just like at your side.

I always have one main net that is used for clients and for some servers that need to be in the same subnet (like DCs, e.g.), and the rest are just VLANs on the port where the main net is.

Since VLANs are logical interfaces, they behave like any other port on a FGT.

 

I then just do policies to let them have internet over the WLLB or access something in some other subnet. I also run redundant IPsec tunnels from HQ to the shops to be able to transfer data and do maintenance.

In this case all the routes I need are at the shop side: a default route for internet and a route to the HQ subnet(s) that goes over the IPsec. The rest on this side has interfaces (logical or physical), and with that the FGT automagically knows a connected route. So for these no route needs to be set up manually.

 

HQ then needs routes to the shop subnets that go over the IPsec and a default route for internet.

 

Additionally, you of course need a bunch of policies on both sides to rule who should get where :)

 

With that, all subnets are physically divided and basically cannot affect each other (but they can affect the internet lines ;) ). The disadvantage of this is that you need VLAN-capable switches to be able to tag a VLAN to a specific client, or you would have to have the client do the tagging (which not every client is able to).

 

Maybe this helps you make your decision :)

 

cheers

Sebastian

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
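The layout Toshi_Esumi and sw2090 describe, written out in FortiOS CLI as an added example (this is not configuration posted by anyone in the thread): the main LAN on a physical port, the staff wireless VLAN as a logical interface under it, a DHCP scope bound to that VLAN only (so it cannot answer clients on the main LAN, as Toshi notes), a firewall policy rather than a policy route between the two directly connected subnets, a management policy that lets only listed admin hosts reach the access-point subnet, and the one static route HQ needs for the branch subnet over the IPsec tunnel. Port names, the tunnel name "to-branch", the admin host address, the MAC address and the DHCP range are assumptions chosen to fit the original post; FortiOS 6.x syntax is assumed.

```fortios
# Main LAN (10.1.0.x/24) on a physical port; assumed port1.
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.1.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
    # Staff wireless as a VLAN sub-interface of port1 (VLAN 50, 10.5.0.x/24).
    # No admin services exposed here; management stays on the main LAN.
    edit "vlan50-staffwifi"
        set vdom "root"
        set ip 10.5.0.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 50
    next
    # Access points (10.4.0.x/24) on their own untagged port; assumed port3.
    edit "port3"
        set vdom "root"
        set ip 10.4.0.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end

# DHCP scope bound to the VLAN interface: it only serves that broadcast domain.
# Range and reservation values are assumptions.
config system dhcp server
    edit 1
        set interface "vlan50-staffwifi"
        set default-gateway 10.5.0.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.5.0.100
                set end-ip 10.5.0.200
            next
        end
        config reserved-address
            edit 1
                set ip 10.5.0.50
                set mac 00:11:22:33:44:55
            next
        end
    next
end

# Address objects for the admin-only management policy (assumed admin host).
config firewall address
    edit "admin-host-1"
        set subnet 10.1.0.10 255.255.255.255
    next
    edit "ap-mgmt-net"
        set subnet 10.4.0.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "admin-hosts"
        set member "admin-host-1"
    next
end

# Policies, not policy routes: both subnets are directly connected, so the
# connected routes already exist and only the policy decides what is allowed.
config firewall policy
    edit 10
        set name "staff-wifi-to-lan"
        set srcintf "vlan50-staffwifi"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 20
        set name "admin-to-ap-mgmt"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "admin-hosts"
        set dstaddr "ap-mgmt-net"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH" "PING"
        set logtraffic all
    next
end

# The only manual route HQ needs for the branch: 10.2.0.x/24 over the IPsec
# tunnel interface; "to-branch" is the assumed phase1-interface name.
config router static
    edit 1
        set dst 10.2.0.0 255.255.255.0
        set device "to-branch"
    next
end
```

There is deliberately no policy from "vlan50-staffwifi" to "port3" and none from the guest VLAN anywhere internal: on a FortiGate, traffic with no matching policy is dropped, so isolation is what you get by leaving policies out, not by adding routes. The same pattern (one more `edit` under `config system interface` with its own `vlanid`, one more DHCP scope, and the policies you actually want) covers the guest and voice VLANs from the original post.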
