Hi there,
we need some advice here.
we have project to connect 2 LANs. hope I can give clear detail for this:
- LAN_home(we will call 'L-HOME') use diffrent subnet with LAN_guest (we will call 'L-GUEST').
assume L-HOME use 1.1.1.X and L-GUEST use 1.1.2.X
- L-GUEST use Mikrotik for their router, then will attach to L-HOME.
- every traffic data from/to L-GUEST will be screening / scan by fortigate.
- L-GUEST will need to access data from L-HOME: RDP, SMB, FTP, SQL DATABASE
What is the best method for this?
1. L-GUEST connect to one of interface on fortigate, then create communication between that interface to L-HOME (LAN) interface;or
2. create vpn tunnel between L-GUEST and L-HOME
thanks in advance
How about the internet? Do both have a separate internet circuit on each side (Mikrotik and FGT)? Or do they need to share one internet circuit on which side? I would never use a VPN to just connect two subnets with some policies to limit access. It wouldn't add any security or additional benefit other than overhead.
if those are on different sides which would you do it then Toshi?
I want the traffic between sides to devinitely be encrypted so I use IPSec and policies.
If its same site you could use a sperate port and policies.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
for now, they have separate internet connection.
future, internet will share, and internet circuit on the mikrotik side.
if I use separate port, then configure the policy. is it do-able, for every traffic data from/to L-GUEST will be screening / scan by fortigate?
It's completely up to you how to connect because many ways are possible everybody has own preferences. But I would set an interconnect /30 subnet on a set of interfaces on both sides between FGT and Mikrotik and set routes to the interface for the opposite side and control traffic from HOME to the GUEST(to the interface) by policies at least on the FGT side. When you merge internet, you just need to change the default GW toward the interface and move the default NAT policy onto it.
I'm not familiar with Mikrotik but should be simple to set a route to HOME toward the /30 interface.
I prefer this way because it would be much simpler when some demands come in and need to separate them again or changing the arrangement further.
But again it's just a matter of preference to me and you can do in many different ways.
Hi Toshi,
thank you. yes it might up to us. but still, I need some advice, moreover for who has experience this case.
however, my concern is security. which one is most secure for data traffic, especially securing L-HOME.
if I connect L-GUEST to interface on FGT (let say, INT-2), then L-HOME connected to INT-1.
then I create policy INT-2 -> INT-1, activate antivirus and so on.
- will all data traffic will be scanned by FGT?
if yes, within this method, do I still need disable NAT?
thank you.
You need to remember policies work in the direction of traffic initiation. If only GUEST accesses HOME, INT2->INT1 is enough. But if HOME need to reach GUEST, you need have a policy INT1->INT2, which I thought you mentioned in the original post. If you want to hide GUEST IPs when they access HOME, you can SNAT in that direction. But that doesn't add security protecting HOME from GUEST that you seem to be concerning. You could of course DNAT(VIP) not to let GUEST know the real IPs in HOME and let them know another set of IPs to map from. But it would be for a different purpose from security, like the server destinations change time to time, and so on.
When you apply security profiles to a policy it does what you specified to do when traffic comes through. If you don't have any other policies for the direction, the security profiles apply to all traffic. Any FWs should work that way not only FGT.
Hi Toshi,
thank you for your advice.
will consider for VIP, whether necessary or not. but that really good advice.
thanks all.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.