Multiple Lan Subnet Help!
Hi everyone,
I have a Fortigate 80E that is connected to a single LAN Subnet of 192.168.1.0/24 (Interface 1 GW 192.168.0.1). Every user on the internal LAN is part of this subnet and it works perfectly.
We are going to sublease part of the building to another company and I need to add them to the Fortigate using LAN Subnet 192.168.10.0/24 (Interface 11 GW 192.168.10.1). They provided their own switch and I've connected it to interface 11 on the Fortigate. DHCP for them will be provided by their own server on the same subnet.
I have a couple of questions.
I need to provide them with Internet access using our existing WAN and was wondering if someone could post a cookbook (if available) on how to achieve this? If not, could someone help me with how to set this up?
Next, I need to provide access to the security door system that resides in 192.168.1.0, but I do not want to provide access to everything. For example: door system @ 192.168.1.200. Provide access to this IP from subnet 192.168.10.0 & vice versa.
Is this possible?
Thanks
Paul
If I were you, I would:
Enable VDOMs
Create one VDOM for the other company
Create one aggregate VDOM where the internet line will be, plus any VPN requirements
Leave the current VDOM with the running configuration (but move the required physical interfaces to the other VDOMs accordingly)
PS: Best practice is to create another VDOM and assign it the "management VDOM profile", so your current VDOM (normally root), which handles this role now, won't any more.
--------------------------------------------
If all else fails, use the force !
What jklapas wrote is one way you could do it.
The probably easiest one would be:
- create an address object for their subnet
- put their subnet on its own physical port of your FGT
- create a policy that allows traffic from their subnet to the internet over your WAN with NAT (and if necessary traffic shapers and filters)
- create an address object for your door system
- create a policy that allows traffic from their subnet to your subnet (dst interface) and destination door system
- if traffic needs to go (INITIATED) from the door system to their subnet, create a vice versa policy (you don't need one for the backwards traffic created by traffic initiated from a client in their system).
Then they can access the internet and the door system and nothing else.
They must make sure that their DHCP server will distribute your FGT (IP of the interface their subnet is on) as default GW to their clients.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
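Sebastian's steps written out as FortiOS CLI, as an added example that is not from this thread. The interface names internal1 (your LAN), internal11 (tenant port) and wan1, and the object and policy names, are assumptions; adjust them to your unit.

```fortios
# Address objects for the tenant subnet and the single host they may reach
config firewall address
    edit "Tenant-LAN"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "Door-System"
        set subnet 192.168.1.200 255.255.255.255
    next
end
config firewall policy
    # Tenant -> Internet, source-NATed behind the wan1 address
    edit 0
        set name "Tenant-to-Internet"
        set srcintf "internal11"
        set dstintf "wan1"
        set srcaddr "Tenant-LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    # Tenant -> door system only; narrow "service" to the ports the door controller really uses once known
    edit 0
        set name "Tenant-to-Door"
        set srcintf "internal11"
        set dstintf "internal1"
        set srcaddr "Tenant-LAN"
        set dstaddr "Door-System"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Only needed if the door system itself opens sessions toward the tenant;
    # replies to tenant-initiated sessions are already covered by the policy above
    edit 0
        set name "Door-to-Tenant"
        set srcintf "internal1"
        set dstintf "internal11"
        set srcaddr "Door-System"
        set dstaddr "Tenant-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Because policies are matched top-down and everything unmatched hits the implicit deny, no other host in 192.168.1.0/24 is reachable from internal11; the tenant's DHCP server still has to hand out 192.168.10.1 as the default gateway.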
If this other company is a sub or partner company, I may choose the same/similar approach as Sebastian's. I would only divide up the 80E into different VDOMs if the 80E has the resources to handle the traffic from both companies. Things to consider are having a plan of action in the event of failures, service level agreements and/or requests (e.g. the other company may want a static IP, run servers, etc.). I would also try to mitigate as much of the administrative overhead and legal obligations as possible, e.g. deploy a second FGT or have a standby FGT, or perhaps have the other company connect their network equipment to the ISP gateway device directly (or through a shared switch) so they would be responsible for their side.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C