I am a Fortigate newbie and need some help. I have a 40F unit running FortiOS 6.4.10 and am trying to set up multiple VLANs on an 802.3ad aggregate interface consisting of physical ports 2 and 3. It is for internal use on my home LAN. Here’s what I’ve done so far:
Delete the Hardware Switch bonding ports 1-3 together (default configuration from Fortinet).
Set up port 1 as a dedicated Admin port on network 192.168.10.1/255.255.255.0 and running a DHCP server doling out IP addresses from x.2 to x.254.
Set up an aggregate 802.3ad interface consisting of ports 2 and 3 on network 192.168.5.1/255.255.255.0 and running a DHCP server doling out IP addresses from x.2 to x.254.
Set up multiple VLANs on the 802.3ad interface each with its own subnet and DHCP server and device detection enabled for MAC filtering.
I am trying to follow the guide on the Forti-OS-6.4.10-Administration.pdf guide starting on page 403 and stopped short of adding firewall addresses or security policies. I thought the DHCP servers should work and hand out IP addresses regardless of whether the firewall and security policies were set up. I tried to test this with both a PC and a Macbook using a physical RJ45 connection on port 2, but can’t get any IP addresses from the Fortigate. I have tried it with and without MAC detection and nothing seems to work.
Ultimately what I want to do is assign a reserved IP for each device on my network (by MAC address) grouping each type of device into its own VLAN (entertainment, PCs, servers, security, etc.) and controlling traffic so that the IOT type devices are on VLANs that can’t traverse my network and get to the server or other PCs but can only go to the internet.
I don’t know why I can’t get the DHCP servers to work. Any help or debug tips would be appreciated.
If you aggregated two interfaces together, the other ends need to be terminated at a switch, or stacked switches, in the same form and break out vlans to different ports. Your PCs can be connected to those ports that the non-tagged (or VLAN1 for many switches) traffic is mapped to.
When you configure link aggregation you have to connect the ports either to one switch or to stacked switches (or something supporting a similar protocol). If you configure VLANs on this aggregated link, you will have tagged traffic for the VLANs and untagged traffic also on the interface. You have to do a similar configuration on the switch. Configure link aggregation with trunk configuration. Check if the link aggregation is established. Test the configuration first without link aggregation to test the concept, then change to link aggregation. You could also test first by connecting only one of the aggregated ports.
Thank you for your response. However, I’m not following what you are saying.
Today I tried deleting all of the VLANs from the Port-2-3 Aggregate interface, then I tried to see if I could create a Hardware Switch which would sit on the aggregate interface. This was the only thing I could relate to the comment saying “When you configure link aggregation you have to connect the ports either to one switch or stacked switches”. However, the only physical interface it would let me add to the Hardware Switch was the WAN port. Besides, I thought the 802.3ad Aggregate interface and the Hardware Switch were mutually exclusive interfaces.
I only have the one Fortigate 40F unit, so I’m not sure what you mean by connecting (terminating) to one switch or stacked switches. Do you mean a switch external to the 40F or something internal? Internally, the only physical ports I have are Port 1 (already dedicated as an Admin interface), Ports 2-3 (want to bind together so that it doesn’t matter which one I plug into, I can access multiple VLANs on the aggregate), Port A, and the WAN Port.
I thought I “should” be able to set up Ports 2-3 as an 802.3ad Aggregate interface, then set up multiple VLAN subnets on that interface. Even a tech I talked to in Fortigate support said that should work and even guided me toward using the 802.3ad interface as he said you can’t set up VLANs on a Hardware Switch.
I've attached a basic network layout of my LAN below.
Very good explanation. If you send the FortiGate configuration it is better for me. The solution is more simple and there is no need for Link Aggregation. Just configure IP addresses on the interfaces. Don't put the WAN with the LAN ports. They should be separated. If you need WiFi (Eero) to be in a different IP subnet, configure an IP on Port-3. If the 16-Port Gigabit Switch is managed, you could configure VLANs and VLAN interfaces on it. Do the setup like this.
config system interface
    edit "port1"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping https ssh snmp
    next
    edit "port2"
        set ip 192.168.5.1 255.255.255.0
    next
end
config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 192.168.10.1
        set netmask 255.255.255.0
        set interface "port1"
        config ip-range
            edit 1
                set start-ip 192.168.10.2
                set end-ip 192.168.10.254
            next
        end
    next
end
That's the best way to do it with aggregation. You wrote you wanted to have some ports that are all the same and it doesn't matter to which of them you connect.
Indeed you can do that with a virtual switch on your FGT. This is even the FGT factory default.
You could have kept that switch there and just add vlan interfaces to it.
However, in this case you either have to have a managed switch behind the FGT or the devices you connect to the port(s) have to tag to the correct VLAN. That is because only tagged traffic will hit the correct VLAN interface on the FGT, and any other traffic might hit the physical interface instead.
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thanks all. If it is correct that the traffic must be tagged BEFORE it hits the Fortigate ports in order for the Fortigate to route it appropriately, then I misunderstood how the Fortigate would handle VLANs. I thought I could have non-tagged traffic coming into the Fortigate ports and then using device detection, get the sender’s MAC and assign an IP address to it based on that MAC, whose IP would be in a VLAN of my choosing. For example… I have two printers, one plugged into the switch and the other on the WiFi. Based on their MACs I wanted to be able to assign them via IP Reservation, an IP address that is in the Printer VLAN and assign firewall policies accordingly.
Unfortunately, my switch is cheap, unintelligent, and unmanaged (unmanageable).
Here is my exact use case that I’m trying to solve, given the diagram I posted earlier. I have multiple devices in various categories (servers, PCs, printers, security devices, TVs, etc.) some of which are physically attached to the 16-port switch and others that come in over the WiFi mesh. With the exception of the occasional guest devices, I want to know every node/device on my network, its MAC (which I do already know), and make sure the IOT devices (security devices, TVs, etc.) can’t traverse my network and get to the server or the printers. I also want to be able to log traffic and watch for intrusions coming in from the WAN side.
If it is a guest whose MAC I do not recognize, I want to dump them into a Guest VLAN that can only reach the internet, not the LAN.
What is the best way to set up this network? I thought it would be too painful setting up rules for every single device. Instead, I thought that grouping them into VLANs would make setting up firewall policies more straightforward, i.e. just a few groups as opposed to a rule for each of the many devices. Can the Fortigate identify the MAC of any device connected to the Hardware Switch or Aggregate interface (ports 2 and 3), assign an IP that belongs to a particular VLAN, and then route traffic accordingly? If not, what are my other options?
Thanks again for your patience. I’m a complete Fortigate newbie!