Hi All,
I am a Fortigate newbie and need some help. I have a 40F unit running FortiOS 6.4.10 and am trying to set up multiple VLANs on an 802.3ad aggregate interface consisting of physical ports 2 and 3. It is for internal use on my home LAN. Here’s what I’ve done so far:
I am trying to follow the guide on the Forti-OS-6.4.10-Administration.pdf guide starting on page 403 and stopped short of adding firewall addresses or security policies. I thought the DHCP servers should work and hand out IP addresses regardless of whether the firewall and security policies were set up. I tried to test this with both a PC and a Macbook using a physical RJ45 connection on port 2, but can’t get any IP addresses from the Fortigate. I have tried it with and without MAC detection and nothing seems to work.
Ultimately what I want to do is assign a reserved IP for each device on my network (by MAC address) grouping each type of device into its own VLAN (entertainment, PCs, servers, security, etc.) and controlling traffic so that the IOT type devices are on VLANs that can’t traverse my network and get to the server or other PCs but can only go to the internet.
I don’t know why I can’t get the DHCP servers to work. Any help or debug tips would be appreciated.
Thanks,
Chris
I agree with the soft switch solution. I was thinking about it but I don't remember the difference between it and the hardware switch.
Are you connecting a WiFi access Point to Port-3? Does it support tagged traffic?
Let's split the discussion for WiFi and wired.
For wired on Port-2 you could use a secondary IP.
For the WiFi link, I believe you could do the same. Or use tagged traffic if the AP supports this. You have to configure different SSID and map them to the different VLANs.
I got the datasheet for 40F and found that it has built-in WiFi. Is this the case?
The datasheet includes both FortiGate 40F and FortiWiFi 40F. Only FortiWiFi has wifi.
Well, you have to keep in mind that the FortiGate treats a VLAN as a virtual interface. This means that only traffic with the corresponding VLAN tag will hit that interface. So a DHCP server on a VLAN interface will only respond to traffic tagged with that VLAN, because only that traffic hits the interface. All other traffic will hit the physical interface the VLAN interface is "tied" to.
So if you had this constellation:
Port1, Port2, Port3 is a virtual switch named "switch1".
Then you create vlan 1 named "printer" and vlan 2 named "wifi" then vlan 1 and 2 are virtual interfaces bound to "physical" interface "switch1".
Traffic tagged with VLAN 1 will then hit interface "printer". Traffic tagged with VLAN 2 will then hit "wifi". Traffic that has neither one of those VIDs will hit "switch1".
Since DHCP is UDP traffic, the IP routing doesn't matter for it, but the VLAN ID does. So if the traffic is not tagged with 1 or 2 (to stay with my example), it will get a DHCP response from a DHCP server on interface "switch1" (if there is one enabled there). So you might use that to assign the IP you want based on the MAC, but to route traffic from/to devices correctly you still need to have your traffic tagged with the correct VID.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
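The layout sw2090 describes above, written out as FortiOS 6.4 CLI so the "tag selects the interface, DHCP server sits on that interface" point is concrete. This is an added example, not configuration from this thread or from Fortinet; the interface names "switch1", "printer" and "wifi" and the VLAN IDs follow the post, while the subnets and the reserved MAC address are constructed placeholders.

```fortios
# VLAN interfaces bound to the switch interface "switch1".
# Only frames tagged with the matching VLAN ID reach each one;
# untagged frames are delivered to "switch1" itself.
config system interface
    edit "printer"
        set vdom "root"
        set interface "switch1"
        set vlanid 1
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping
    next
    edit "wifi"
        set vdom "root"
        set interface "switch1"
        set vlanid 2
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping
    next
end

# One DHCP server per VLAN interface. This server only sees DISCOVERs
# that arrived tagged with VLAN 1, so only "printer" clients get leases.
config system dhcp server
    edit 1
        set interface "printer"
        set default-gateway 192.0.2.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 192.0.2.100
                set end-ip 192.0.2.199
            next
        end
        # Fixed lease for one known device, keyed by its (constructed) MAC.
        config reserved-address
            edit 1
                set ip 192.0.2.10
                set mac 02:00:00:00:00:01
            next
        end
    next
end
```

A second `config system dhcp server` entry on "wifi" works the same way for VLAN 2, and anything that arrives untagged is still handled by whatever is enabled on "switch1". Traffic between "printer" and "wifi" is dropped by the implicit deny until a firewall policy between those two interfaces allows it.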
Hence, unfortunately, since only a few devices are capable of VLAN tagging themselves, a managed switch is rather mandatory (at least if the FGT doesn't have enough physical ports or clients are too far away from it (Ethernet segment length is max. 100m)) if you want to use VLANs, because a managed switch can do VLAN tagging/trunking per port, so the device connected to it doesn't have to do it itself.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi Toshi, Gaber, and sw2090,
First off, I only have the 40F without the WiFi.
But, things are starting to make more sense now. I do not have anything capable of tagging packets with a particular VLAN ID before the traffic hits the Fortigate unit. The 16-port switch is dumb and the eero WiFi mesh is too. I disabled all of the smarts in the eero and just use it as a radio beacon. Even in smart mode, the eero I have doesn’t support VLAN tagging. The 16-port switch uplink is attached to Port 2 on the Fortigate and the eero WiFi mesh is attached to Port 3 on the Fortigate. I have Port 1 dedicated as an Admin port.
Let me press this further. If I were to have Ports 2 and 3 set up as a Virtual Switch (I think this is the same as a Hardware Switch – default FG configuration) and run a DHCP server on that, I should be able to assign IP addresses by MAC and still at least have like devices grouped into particular address ranges (servers, TVs, PCs, etc.) and dump unknown MACs into a guest IP address range.
If I do that, what is the best way to set up firewall policies for each address range? Is it possible to still set up the VLANs on the Virtual Switch and route traffic from the Virtual Switch to each particular VLAN based on IP range and then set up firewall policies for each VLAN? Or is this completely non-sensical and a bad thing to do?
Thanks,
Chris
Created on 12-30-2022 04:28 PM Edited on 12-30-2022 04:30 PM
As others have already pointed out if you have a "dumb" unmanaged L2 switch there is nothing you can do at this point to segregate your internal network. VLANs will not work. Nor will LAG or aggregate ports, which given your topology and use case you very likely do not need. This is not a FortiGate thing—this is fundamental networking.
You can only have one link connected between your FGT and the switch or else you will be at risk of switching loops. Since your switch only knows about one broadcast domain it will forward STP everywhere out every connected port—assuming it does STP, and I would assume it does at the very least. If not, you will definitely get broadcast storms if you try connecting two ports.
This precludes your idea of using ports 2 and 3 with different DHCP scopes on them, because you have no control over where the DHCP broadcasts will go. Even if you use L3 interfaces and not switch interfaces to avoid broadcast storms, you still have no control over where the switch will send the broadcasts or which port on the FortiGate will receive them. You'll just end up with a random mix of IP allocations.
So you need a switch that supports VLANs to do what you want to do.
We need to discuss several points.
Why do you dedicate one port for management and lose it? On FortiGate, you enable the management services you need on each interface, can specify the administrator IP, and remove the default admin after you create a new one.
Your devices do not support tagging; so, forget the VLAN now.
I see the secondary IP solution is near the case. In this case you should configure the IP provided to each MAC according to the subnet required. There is an issue. They could see each other with the applications that run over layer 2 directly and do not rely on IP.
Hi Mohamed,
Thanks again for your insight and patience. I will forget about the VLAN since I don’t have a switch or WiFi mesh capable of tagging. I will opt for assigning IP addresses by MAC into various ranges depending on the type of device (servers in one range, TVs in another range, etc.). I will also add Port 1 back into the collection with Ports 2 and 3.
I’m not too concerned about layer 2 traffic provided I can set up sensible firewall rules. I think the Fortigate supports firewall rules by both IP and MAC – true?
What would you recommend regarding the network design at this stage?
Thanks,
Chris