Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
papapuff
New Contributor II

Need Advice - Connect to another LAN

Hi there,

we need some advice here.

 

we have project to connect 2 LANs. hope I can give clear detail for this:

- LAN_home(we will call 'L-HOME') use diffrent subnet with LAN_guest (we will call 'L-GUEST').

assume L-HOME use 1.1.1.X and L-GUEST use 1.1.2.X

- L-GUEST use Mikrotik for their router, then will attach to L-HOME.

- every traffic data from/to L-GUEST will be screening / scan by fortigate.

- L-GUEST will need to access data from L-HOME: RDP, SMB, FTP, SQL DATABASE

 

What is the best method for this?

1. L-GUEST connect to one of interface on fortigate, then create communication between that interface to L-HOME (LAN) interface;or

2. create vpn tunnel between L-GUEST and L-HOME

 

thanks in advance

7 REPLIES 7
Toshi_Esumi
SuperUser
SuperUser

How about the internet? Do both have a separate internet circuit on each side (Mikrotik and FGT)? Or do they need to share one internet circuit on which side?  I would never use a VPN to just connect two subnets with some policies to limit access. It wouldn't add any security or additional benefit other than overhead.

sw2090

if those are on different sides which would you do it then Toshi? 

I want the traffic between sides to devinitely be encrypted so I use IPSec and policies.

If its same site you could use a sperate port and policies.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
papapuff
New Contributor II

for now, they have separate internet connection.

 

future, internet will share, and internet circuit on the mikrotik side.

 

if I use separate port, then configure the policy. is it do-able, for every traffic data from/to L-GUEST will be screening / scan by fortigate?

Toshi_Esumi

It's completely up to you how to connect because many ways are possible everybody has own preferences. But I would set an interconnect /30 subnet on a set of interfaces on both sides between FGT and Mikrotik and set routes to the interface for the opposite side and control traffic from HOME to the GUEST(to the interface) by policies at least on the FGT side. When you merge internet, you just need to change the default GW toward the interface and move the default NAT policy onto it.

I'm not familiar with Mikrotik but should be simple to set a route to HOME toward the /30 interface.

 

I prefer this way because it would be much simpler when some demands come in and need to separate them again or changing the arrangement further.

 

But again it's just a matter of preference to me and you can do in many different ways.

papapuff

Hi Toshi,

 

thank you. yes it might up to us.  but still, I need some advice, moreover for who has experience this case.

however, my concern is security. which one is most secure for data traffic, especially securing L-HOME.

 

if I connect L-GUEST to interface on FGT (let say, INT-2), then L-HOME connected to INT-1.

then I create policy INT-2 -> INT-1, activate antivirus and so on.

- will all data traffic will be scanned by FGT?

 

if yes, within this method, do I still need disable NAT?

thank you.

Toshi_Esumi

You need to remember policies work in the direction of traffic initiation. If only GUEST accesses HOME, INT2->INT1 is enough. But if HOME need to reach GUEST, you need have a policy INT1->INT2, which I thought you mentioned in the original post. If you want to hide GUEST IPs when they access HOME, you can SNAT in that direction. But that doesn't add security protecting HOME from GUEST that you seem to be concerning. You could of course DNAT(VIP) not to let GUEST know the real IPs in HOME and let them know another set of IPs to map from. But it would be for a different purpose from security, like the server destinations change time to time, and so on.

 

When you apply security profiles to a policy it does what you specified to do when traffic comes through. If you don't have any other policies for the direction, the security profiles apply to all traffic. Any FWs should work that way not only FGT.

papapuff

Hi Toshi,

 

thank you for your advice.

will consider for VIP, whether necessary or not. but that really good advice.

 

thanks all.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors