Support Forum
chrisn7599
New Contributor II

Need help with VLAN setup on 40F

Hi All,

I am a Fortigate newbie and need some help. I have a 40F unit running FortiOS 6.4.10 and am trying to set up multiple VLANs on an 802.3ad aggregate interface consisting of physical ports 2 and 3. It is for internal use on my home LAN. Here’s what I’ve done so far:

  • Deleted the Hardware Switch bonding ports 1-3 together (default configuration from Fortinet).
  • Set up port 1 as a dedicated Admin port on network 192.168.10.1/255.255.255.0 and running a DHCP server doling out IP addresses from x.2 to x.254.
  • Set up an aggregate 802.3ad interface consisting of ports 2 and 3 on network 192.168.5.1/255.255.255.0 and running a DHCP server doling out IP addresses from x.2 to x.254.
  • Set up multiple VLANs on the 802.3ad interface each with its own subnet and DHCP server and device detection enabled for MAC filtering.

I am trying to follow the guide on the Forti-OS-6.4.10-Administration.pdf guide starting on page 403 and stopped short of adding firewall addresses or security policies. I thought the DHCP servers should work and hand out IP addresses regardless of whether the firewall and security policies were set up. I tried to test this with both a PC and a Macbook using a physical RJ45 connection on port 2, but can’t get any IP addresses from the Fortigate. I have tried it with and without MAC detection and nothing seems to work.

Ultimately what I want to do is assign a reserved IP for each device on my network (by MAC address), grouping each type of device into its own VLAN (entertainment, PCs, servers, security, etc.) and controlling traffic so that the IoT type devices are on VLANs that can’t traverse my network and get to the server or other PCs but can only go to the internet.

I don’t know why I can’t get the DHCP servers to work. Any help or debug tips would be appreciated.

Thanks,

Chris

Fortigate Newbie
Mohamed_Gaber

I agree with the soft switch solution. I was thinking about it but I don't remember the difference between it and the hardware switch.

Mohamed Gaber
Cell : +201001615878
E-mail : mohamed.gaber@alkancit.com
Mohamed_Gaber
Contributor

Are you connecting a WiFi access point to Port-3? Does it support tagged traffic?
Let's split the discussion for WiFi and wired.

For wired on Port-2 you could use a secondary IP.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-can-create-max-32-secondary-IP-a....

For the WiFi link, I believe you could do the same. Or use tagged traffic if the AP supports this. You have to configure different SSIDs and map them to the different VLANs.

Mohamed Gaber
Cell : +201001615878
E-mail : mohamed.gaber@alkancit.com
Mohamed_Gaber

I got the datasheet for 40F and found that it has built-in WiFi. Is this the case?

Mohamed Gaber
Cell : +201001615878
E-mail : mohamed.gaber@alkancit.com
Toshi_Esumi
Esteemed Contributor III

The datasheet includes both FortiGate 40F and FortiWiFi 40F. Only FortiWiFi has wifi.

sw2090
Honored Contributor

Well, you have to keep in mind that the FortiGate treats a VLAN as a virtual interface. This means that only traffic with the corresponding VLAN tag will hit that interface. So a DHCP server on a VLAN interface will only respond to traffic tagged with that VLAN because only that one hits the interface. All other traffic will hit the physical interface the VLAN interface is "tied" to.

So if you had this constellation:

Port1, Port2, Port3 is a virtual switch named "switch1".

Then you create VLAN 1 named "printer" and VLAN 2 named "wifi"; VLAN 1 and 2 are then virtual interfaces bound to the "physical" interface "switch1".

Traffic tagged with VLAN 1 will then hit interface "printer". Traffic tagged with VLAN 2 will then hit "wifi". Traffic that has neither of the two VIDs will hit "switch1".

Since DHCP is UDP traffic, IP routing doesn't matter for it but the VLAN ID does. So if the traffic is not tagged with 1 or 2 (to stay with my example) it will get a DHCP response from a DHCP server on interface "switch1" (if there is one enabled there). So you might use that to assign an IP you want based on the MAC, but to route traffic from/to devices correctly you still need to have your traffic tagged with the correct VID.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
sw2090
Honored Contributor

Hence, since unfortunately only a few devices are capable of VLAN tagging themselves, a managed switch is rather mandatory (at least if the FGT doesn't have enough physical ports or clients are too far away from it (Ethernet segment length is max. 100m)) if you want to use VLANs, because a managed switch can do VLAN tagging/trunking per port so the device connected to it doesn't have to do it itself.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
chrisn7599
New Contributor II

Hi Toshi, Gaber, and sw2090,

First off, I only have the 40F without the WiFi.

But, things are starting to make more sense now. I do not have anything capable of tagging packets with a particular VLAN ID before the traffic hits the Fortigate unit. The 16-port switch is dumb and the eero WiFi mesh is too. I disabled all of the smarts in the eero and just use it as a radio beacon. Even in smart mode, the eero I have doesn’t support VLAN tagging. The 16-port switch uplink is attached to Port 2 on the Fortigate and the eero WiFi mesh is attached to Port 3 on the Fortigate. I have Port 1 dedicated as an Admin port.

Let me press this further. If I were to have Ports 2 and 3 set up as a Virtual Switch (I think this is the same as a Hardware Switch – default FG configuration) and run a DHCP server on that, I should be able to assign IP addresses by MAC and still at least have like devices grouped into particular address ranges (servers, TVs, PCs, etc.) and dump unknown MACs into a guest IP address range.

If I do that, what is the best way to set up firewall policies for each address range? Is it possible to still set up the VLANs on the Virtual Switch and route traffic from the Virtual Switch to each particular VLAN based on IP range and then set up firewall policies for each VLAN? Or is this completely nonsensical and a bad thing to do?

Thanks,

Chris

Fortigate Newbie
gfleming

As others have already pointed out if you have a "dumb" unmanaged L2 switch there is nothing you can do at this point to segregate your internal network. VLANs will not work. Nor will LAG or aggregate ports, which given your topology and use case you very likely do not need. This is not a FortiGate thing—this is fundamental networking.

You can only have one link connected between your FGT and the switch or else you will be at risk of switching loops. Since your switch only knows about one broadcast domain it will forward STP everywhere out every connected port—assuming it does STP, and I would assume it does at the very least. If not, you will definitely get broadcast storms if you try connecting two ports.

This precludes your idea of using port 2 and 3 with different DHCP scopes on them, because you have no control where the DHCP broadcasts will go. Even if you use L3 interfaces and not switch interfaces to avoid broadcast storms, you still have no control where the switch will send the broadcasts or which port on the FortiGate will receive them. You'll just end up with a random mix of IP allocations.

So you need a switch that supports VLANs to do what you want to do.

Cheers,
Graham
Mohamed_Gaber
Contributor

We need to discuss several points.

Why do you dedicate one port for management and lose it? On FortiGate, you enable the management services you need on each interface, can specify the administrator IP, and remove the default admin after you create a new one.

Your devices do not support tagging, so forget the VLAN for now.

I see the secondary IP solution is near the case. In this case you should configure the IP provided to each MAC according to the subnet required. There is an issue. They could see each other with the applications that run over layer 2 directly and do not rely on IP. 

Mohamed Gaber
Cell : +201001615878
E-mail : mohamed.gaber@alkancit.com
chrisn7599

Hi Mohamed,

Thanks again for your insight and patience. I will forget about the VLAN since I don’t have a switch or WiFi mesh capable of tagging. I will opt for assigning IP addresses by MAC into various ranges depending on the type of device (servers in one range, TVs in another range, etc.). I will also add Port 1 back into the collection with Ports 2 and 3.

I’m not too concerned about layer 2 traffic provided I can set up sensible firewall rules. I think the Fortigate supports firewall rules by both IP and MAC – true?

What would you recommend regarding the network design at this stage?

  • Should I group Ports 1 through 3 into a Hardware Switch or an 802.3ad Aggregate interface?
  • What is the best way to set up the firewall rules to only allow certain devices access to the server and printers? Should this be done by IP address range or by individual MAC?
  • If I set up firewall rules by IP range, should I be concerned about attacks on layer 2 reaching my server or printers?
  • If I assign IP addresses by MAC via DHCP reservation, can I dump unknown MACs into a guest IP address range so that they can only access the internet and not my server or printers?

Thanks,

Chris

Fortigate Newbie
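To make sw2090's point concrete (a DHCP server on a VLAN interface only ever sees frames tagged with that VID, while untagged frames land on the parent interface) and to show the per-MAC reservation with a guest fallback that Chris asks about, here is an added example that is not from any post in this thread and is not FortiOS code: a small Python model of an 802.1Q demux feeding one DHCP server per interface. The interface names come from sw2090's example; the MAC addresses and IP ranges are made up.

```python
import struct
from dataclasses import dataclass
ETH_P_8021Q = 0x8100  # TPID that marks an 802.1Q-tagged frame

@dataclass
class DhcpServer:  # one DHCP server bound to one interface (constructed model)
    reservations: dict  # MAC -> reserved IP, like a FortiGate DHCP reservation
    guest_pool: list    # addresses handed to MACs with no reservation

    def offer(self, mac):
        if mac in self.reservations:
            return self.reservations[mac]
        return self.guest_pool.pop(0) if self.guest_pool else None

# sw2090's layout: VLAN 1 "printer" and VLAN 2 "wifi" are sub-interfaces tied to
# the parent "switch1". MAC addresses and IP ranges here are made up.
PARENT_IFACE = "switch1"
VLAN_IFACES = {1: "printer", 2: "wifi"}
DHCP = {
    "printer": DhcpServer({"aa:bb:cc:00:00:01": "192.168.20.10"}, []),
    "wifi": DhcpServer({}, ["192.168.30.100"]),
    "switch1": DhcpServer({"aa:bb:cc:00:00:01": "192.168.5.10"},
                          ["192.168.99.2", "192.168.99.3"]),
}

def build_frame(src_mac, vlan_id=None):
    """Broadcast frame carrying a DHCP discover; 802.1Q-tagged when vlan_id is set."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    tag = struct.pack("!HH", ETH_P_8021Q, vlan_id) if vlan_id is not None else b""
    return b"\xff" * 6 + src + tag + struct.pack("!H", 0x0800) + b"DHCPDISCOVER"

def parse_frame(frame):
    """Return (src_mac, vlan_id or None); the tag alone decides the interface."""
    src_mac = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_P_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return src_mac, tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID
    return src_mac, None

def handle_discover(frame):
    """Deliver the frame to the interface its tag selects; return (iface, offer)."""
    src_mac, vlan_id = parse_frame(frame)
    if vlan_id is None:
        iface = PARENT_IFACE          # untagged: only the parent interface sees it
    elif vlan_id in VLAN_IFACES:
        iface = VLAN_IFACES[vlan_id]  # tagged: only the matching VLAN interface
    else:
        return None, None             # tagged with an unknown VID: nobody answers
    return iface, DHCP[iface].offer(src_mac)
```

Run `handle_discover(build_frame("aa:bb:cc:00:00:01"))` and the same MAC with `vlan_id=1` to see the same device get an address from "switch1" when untagged and from "printer" when tagged, which is why a dumb switch never reaches the VLAN scopes.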