Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
chrisn7599
New Contributor II

Need help with VLAN setup on 40F

Hi All,

 

I am a Fortigate newbie and need some help. I have a 40F unit running FortiOS 6.4.10 and am trying to set up multiple VLANs on an 802.3ad aggregate interface consisting of physical ports 2 and 3. It is for internal use on my home LAN. Here’s what I’ve done so far:

  • Delete the Hardware Switch bonding ports 1-3 together (default configuration from Fortinet).
  • Set up port 1 as a dedicated Admin port on network 192.168.10.1/255.255.255.0 and running a DHCP server doling out IP addresses from x.2 to x.254.
  • Set up an aggregate 802.3ad interface consisting of ports 2 and 3 on network 192.168.5.1/255.255.255.0 and running a DHCP server doling out IP addresses from x.2 to x.254.
  • Set up multiple VLANs on the 802.3ad interface each with its own subnet and DHCP server and device detection enabled for MAC filtering.

 

I am trying to follow the guide on the Forti-OS-6.4.10-Administration.pdf guide starting on page 403 and stopped short of adding firewall addresses or security policies. I thought the DHCP servers should work and hand out IP addresses regardless of whether the firewall and security policies were set up. I tried to test this with both a PC and a Macbook using a physical RJ45 connection on port 2, but can’t get any IP addresses from the Fortigate. I have tried it with and without MAC detection and nothing seems to work.

 

Ultimately what I want to do is assign a reserved IP for each device on my network (by MAC address) grouping each type of device into its own VLAN (entertainment, PCs, servers, security, etc.) and controlling traffic so that the IOT type devices are on VLANs that can’t traverse my network and get to the server or other PCs but can only go to the internet.

 

I don’t know why I can’t get the DHCP servers to work. Any help or debug tips would be appreciated.

 

Thanks,

 

Chris

Fortigate Newbie
Fortigate Newbie
33 REPLIES 33
Toshi_Esumi

Read my previous comments. LAG/802.3ad is not an option if your switch doesn't support it. And in your setup it has no use either.

Mohamed_Gaber
Contributor

Mohamed_Gaber_0-1672425535491.png

 

If the WiFi could be connected to the 16-port switch, do that.

Deal each port as a separate subnet.

Let DHCP assign your device IP according to the MAC. Configure a dynamic DHCP range for guests. You could secondary IP to separate them also. FortiGate should be given IP in each subnet; either interface IP or secondary IP.

The layer 2 traffic on the switch does not go through FortiGate. To secure the servers connect them to a separate port.

The firewall policy is so much easy.

Configure address objects for each device and subnet. You could create address groups and add objects (in the same subnet) with similar permissions to it. Dealing with groups is easier as it could be modified (add or remove objects) later.

Next, create a policy from the incoming interface, and the outgoing interface; then select the allowed group as the source. You could restrict the destination if it is required.

Mohamed Gaber
Cell : +201001615878
E-mail : mohamed.gaber@alkancit.com
Mohamed GaberCell : +201001615878E-mail : mohamed.gaber@alkancit.com
Mohamed_Gaber
Contributor

I am waiting for the happy news.

I see that you start. When you are in touch, you will see with your eyes and recognize with your mind.

Go and do it trusting your knowledge and your power.

Good luck.

Mohamed Gaber
Cell : +201001615878
E-mail : mohamed.gaber@alkancit.com
Mohamed GaberCell : +201001615878E-mail : mohamed.gaber@alkancit.com
chrisn7599
New Contributor II

Hi Mohamed,

 

Thanks for the advice and encouragement. I have deleted the Aggregate 802.3ad interface I had set up and went back to using a Hardware Switch. Currently it only has Ports 2 and 3 in it but I will eventually add Port 1 back into it. I don’t just want to hang the server off of Port 3 because I also have a backup server and printer I want to isolate as well. I also have a printer that hangs off of the WiFi mesh I want to protect. That means, I need to be able to not care which physical port on the FG something is plugged into. I would rather simply control them using firewall rules by IP address range.

 

As such, I had planned to assign IP addresses based on MAC detection. I tried that using my laptop and it works great. For example, I reserved 192.168.2.69 to my laptop’s MAC, and when I plugged the laptop into Port 3 and requested an IP address, the FG’s DHCP server handed me 192.168.2.69. Therefore, I should be able to follow suite with my servers, other PCs, TVs, printers, etc. assigning each one an IP address within the desired range by type.

 

However, I don’t know how to set up a guest IP address range to dump unknown MACs into. The implicit rule is to assign an IP to unknown MACs but I don’t see a way to restrict the range inside of the 192.168.2.x network. I am concerned that the DHCP server will just dole out the next available IP address instead of restricting it to, let’s say 192.168.2.200 to 192.168.2.250. For example, let’s say I have two servers, but want to reserve 192.168.2.10 to .20 leaving room for future servers. What keeps the DHCP server from giving the next unknown device the address of 192.168.2.17 instead of something in a predefined guest range?

 

Any ideas on how to do this?

 

Thanks,

 

Chris

 

Fortigate Newbie
Fortigate Newbie
gfleming

Hey Chris, please review my response here: https://community.fortinet.com/t5/Support-Forum/Need-help-with-VLAN-setup-on-40F/m-p/241552/highligh...

 

You cannot do anything you want to accomplish if you only have a L2 unmanaged "dumb" switch. 

 

A DHCP server only works in one broadcast domain. Your switch is one giant broadcast domain. There is no way to have a DHCP server in one broadcast domain issue different IP addresses in different subnets or ranges to different devices. You can reserve IP addresses based on MAC address but these IP addresses will all be in the same subnet.

 

As such there is also no way to have your FortiGate block or inspect traffic between your devices. 

Cheers,
Graham
Mohamed_Gaber
Contributor

Congratulations. I am happy that you went forward steps with success. You are the one in the site and you have the most vision for the needs.

 

First, you have to use end-point protection software to protect your devices.

Take a backup daily to be safe.

If your devices are fixed, give them IP manually. In this case you will limit the DHCP range to not include their IP addresses.

"I am concerned that the DHCP server will just dole out the next available IP address instead of restricting it"; I have the same doubt (I don't have enough experience to know. I hope you do the test and let's know.

If you have the IP addresses of your devices and the range of the guest DHCP, then you could an address object for each and configure a separate firewall policy for each group.

config system dhcp server
edit 3
set default-gateway 192.168.2.1
set netmask 255.255.255.0
set interface "Workstation"
config ip-range
edit 1
set start-ip 192.168.2.200
set end-ip 192.168.2.250
next
end
set dns-server1 8.8.8.8
next
end

 

Mohamed Gaber
Cell : +201001615878
E-mail : mohamed.gaber@alkancit.com
Mohamed GaberCell : +201001615878E-mail : mohamed.gaber@alkancit.com
gfleming

It will not work without a VLAN-capable switch.

Cheers,
Graham
Mohamed_Gaber
Contributor

FortiGate includes a license for FortiClient. You could use it also.

https://www.fortinet.com/products/endpoint-security/forticlient

Mohamed Gaber
Cell : +201001615878
E-mail : mohamed.gaber@alkancit.com
Mohamed GaberCell : +201001615878E-mail : mohamed.gaber@alkancit.com
gfleming

FortiGate does not include a license for FortiClient. You can use free FortiClient VPN software with ForitGate but this is unlicense software for VPN connectivity only.

 

FortiClient EMS which provides endpoint protection is a paid software.

Cheers,
Graham
Mohamed_Gaber

FortiGate 30 series and higher models include a FortiClient free trial license for ten connected FortiClient endpoints. For additionally connected endpoints, a FortiClient license subscription must be purchased.

 

 

https://community.fortinet.com/t5/FortiClient/Technical-Tip-FortiClient-licensing-and-support/ta-p/1....

Mohamed Gaber
Cell : +201001615878
E-mail : mohamed.gaber@alkancit.com
Mohamed GaberCell : +201001615878E-mail : mohamed.gaber@alkancit.com
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors