Support Forum
chrisn7599
New Contributor II

Need help with VLAN setup on 40F

Hi All,

 

I am a Fortigate newbie and need some help. I have a 40F unit running FortiOS 6.4.10 and am trying to set up multiple VLANs on an 802.3ad aggregate interface consisting of physical ports 2 and 3. It is for internal use on my home LAN. Here’s what I’ve done so far:

  • Deleted the Hardware Switch bonding ports 1-3 together (Fortinet's default configuration).
  • Set up port 1 as a dedicated Admin port on network 192.168.10.1/255.255.255.0 and running a DHCP server doling out IP addresses from x.2 to x.254.
  • Set up an aggregate 802.3ad interface consisting of ports 2 and 3 on network 192.168.5.1/255.255.255.0 and running a DHCP server doling out IP addresses from x.2 to x.254.
  • Set up multiple VLANs on the 802.3ad interface each with its own subnet and DHCP server and device detection enabled for MAC filtering.

 

I am trying to follow the guide in Forti-OS-6.4.10-Administration.pdf starting on page 403 and stopped short of adding firewall addresses or security policies. I thought the DHCP servers should work and hand out IP addresses regardless of whether the firewall and security policies were set up. I tried to test this with both a PC and a MacBook using a physical RJ45 connection on port 2, but can't get any IP addresses from the FortiGate. I have tried it with and without MAC detection and nothing seems to work.

 

Ultimately what I want to do is assign a reserved IP for each device on my network (by MAC address), grouping each type of device into its own VLAN (entertainment, PCs, servers, security, etc.) and controlling traffic so that the IoT-type devices are on VLANs that can't traverse my network and get to the server or other PCs but can only go to the internet.

 

I don’t know why I can’t get the DHCP servers to work. Any help or debug tips would be appreciated.

 

Thanks,

 

Chris

Fortigate Newbie
Toshi_Esumi
Esteemed Contributor III

If you aggregated two interfaces together, the other ends need to be terminated at a switch, or stacked switches, in the same form and break out vlans to different ports. Your PCs can be connected to those ports that the non-tagged (or VLAN1 for many switches) traffic is mapped to.

 

Toshi

Mohamed_Gaber
Contributor

When you configure link aggregation you have to connect the ports either to one switch or to stacked switches (or switches supporting a similar protocol). If you configure VLANs on this aggregated link, you will have tagged traffic for the VLANs and untagged traffic also on the interface. You have to do a similar configuration on the switch. Configure link aggregation with trunk configuration. Check if the link aggregation is established. Test the configuration first without link aggregation to test the concept, then change to link aggregation. You could also test first by connecting only one of the aggregated ports.

Mohamed Gaber
Cell : +201001615878
E-mail : mohamed.gaber@alkancit.com
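A way to carry out the checks Mohamed describes ("check if the link aggregation is established", then test one port at a time) from the FortiGate CLI. This is an added example and not part of the original post. The aggregate name Port-2-3 is taken from Chris's later post; the member port, verbose level and packet count are assumptions, and the exact output format varies between FortiOS builds.

```text
# FortiOS 6.4 CLI, added example. Assumes the aggregate is named "Port-2-3"
# and the test PC is cabled to port2; adjust both to match your unit.

# 1. Is the aggregate actually up? In the default (active) LACP mode the
#    bundle does not come up until an LACP partner on the far end answers,
#    so the interface, and the DHCP server bound to it, stays down.
diagnose netlink aggregate name Port-2-3
get system interface physical

# 2. Does a DHCP Discover even reach the FortiGate? Force a renew on the PC
#    and sniff on "any" so both the member port and the aggregate show up.
#    Verbose level 4 prints the ingress interface name next to each packet;
#    10 is the number of packets to capture before the sniffer stops.
diagnose sniffer packet any 'udp port 67 or udp port 68' 4 10

# 3. If Discovers arrive but no Offer goes back, trace the DHCP server daemon.
diagnose debug application dhcps -1
diagnose debug enable
#    ... reproduce the renew, read the output, then stop the trace:
diagnose debug disable
diagnose debug reset
```

Step 1 is the point Toshi and Mohamed make: an 802.3ad interface needs an LACP partner, so a PC plugged straight into port 2 cannot bring the bundle up on its own. Step 2 separates "the frame never arrived" from "the server never answered", which is the distinction you want before touching the DHCP configuration.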
chrisn7599

Hi Toshi and Mohamed,

 

Thank you for your response. However, I’m not following what you are saying.

 

Today I tried deleting all of the VLANs from the Port-2-3 Aggregate interface, then I tried to see if I could create a Hardware Switch which would sit on the aggregate interface. This was the only thing I could relate to the comment saying “When you configure link aggregation you have to connect the ports either to one switch or stacked switches”. However, the only physical interface it would let me add to the Hardware Switch was the WAN port. Besides, I thought the 802.3ad Aggregate interface and the Hardware Switch were mutually exclusive interfaces.

 

I only have the one Fortigate 40F unit, so I’m not sure what you mean by connecting (terminating) to one switch or stacked switches. Do you mean a switch external to the 40F or something internal? Internally, the only physical ports I have are Port 1 (already dedicated as an Admin interface), Ports 2-3 (want to bind together so that it doesn’t matter which one I plug into, I can access multiple VLANs on the aggregate), Port A, and the WAN Port.

 

I thought I “should” be able to set up Ports 2-3 as an 802.3ad Aggregate interface, then set up multiple VLAN subnets on that interface. Even a tech I talked to in Fortigate support said that should work and even guided me toward using the 802.3ad interface as he said you can’t set up VLANs on a Hardware Switch.

 

I've attached a basic network layout of my LAN below.

 

Can you provide any more guidance?

 

Thanks,

 

Chris

network_layout.png

Fortigate Newbie
Mohamed_Gaber

Very good explanation. If you send the FortiGate configuration it is better for me. The solution is simpler and there is no need for Link Aggregation. Just configure IP addresses on the interfaces. Don't put the WAN with the LAN ports. They should be separated. If you need the WiFi (Ero) to be in a different IP subnet, configure an IP on Port-3. If the 16-Port Gigabit Switch is managed, you could configure VLANs and VLAN interfaces on it. Do the setup as shown.

 

Mohamed_Gaber_0-1672081272597.png

 

Toshi_Esumi
Esteemed Contributor III

IEEE 802.3ad is a link aggregation protocol that makes multiple physical links into one link, to provide redundancy and increase bandwidth on the link.

https://techbast.com/2021/03/fortigate-how-to-configure-802-3ad-aggregate-feature-on-firewall-fortig...

One side of link is like the FortiGate, and the other side is generally a switch.

But your intended setup is more like the FortiGate's hard-switch, bridging/binding two ports together at the L2 level and having all VLANs on both ports.

Why wouldn't going back to the "lan" hard-switch interface, removing only port1 from it and leaving port2 and port3 as members, work?

 

Toshi

 

Mohamed_Gaber
Contributor

# Interface addressing: port1 is the admin network, port2 the LAN.
config system interface
    edit "port1"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping https ssh snmp
    next
    edit "port2"
        set ip 192.168.5.1 255.255.255.0
    next
end
# DHCP server for the admin network on port1 (192.168.10.2 - 192.168.10.254).
config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 192.168.10.1
        set netmask 255.255.255.0
        set interface "port1"
        config ip-range
            edit 1
                set start-ip 192.168.10.2
                set end-ip 192.168.10.254
            next
        end
    next
end

Mohamed_Gaber
Contributor

In the previous solution the 16-Port Switch should be an L3 switch supporting routing, and you may need to run DHCP on it for the various VLANs.

 

This solution is better.

 

Mohamed_Gaber_0-1672125058773.png

 

 

You configure the trunk port between FortiGate and the 16-Port switch. If on VLAN, then just give an IP to port-2 and connect it to the switch. 

sw2090
Honored Contributor

That's the best way to do it with aggregation. You wrote you wanted to have some ports that are all the same and it doesn't matter to which of them you connect.

Indeed you can do that with a virtual switch on your FGT.  This is even the FGT factory default.

You could have kept that switch there and just add vlan interfaces to it.

However, in this case you either have to have a managed switch behind the FGT, or the devices you connect to the port(s) have to tag to the correct VLAN. That is because only tagged traffic will hit the correct VLAN interface on the FGT, and any other traffic might hit the physical interface instead.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

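A configuration in the shape Toshi's and sw2090's replies describe, as an added example written for this thread and not taken from any post or from Fortinet's documentation: ports 2 and 3 kept as members of the default "lan" hardware switch, an "iot" VLAN subinterface (VLAN ID 20) on top of it with its own DHCP server and one MAC reservation, and a single firewall policy that lets that VLAN reach the WAN and nothing else. port2/port3 and the 192.168.5.1/24 address are from Chris's post; the names lan, sw0, iot and wan, the 192.168.20.0/24 subnet, the VLAN ID, the policy number and the MAC address are assumptions.

```text
# FortiOS 6.4 CLI, added example (not from the thread). Names, VLAN ID,
# subnet, policy ID and MAC address are illustrative.

# Hardware switch: port2 and port3 bridged at L2 into one untagged segment,
# which is what "it doesn't matter which port I plug into" needs.
config system virtual-switch
    edit "lan"
        set physical-switch "sw0"
        config port
            edit "port2"
            next
            edit "port3"
            next
        end
    next
end

config system interface
    # Untagged frames arriving on either member port land here.
    edit "lan"
        set type hard-switch
        set ip 192.168.5.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
    # Frames tagged VLAN 20 on either member port land here instead.
    edit "iot"
        set vdom "root"
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set interface "lan"
        set vlanid 20
    next
end

# DHCP for the VLAN: a pool plus a fixed lease for one known device.
config system dhcp server
    edit 2
        set dns-service default
        set default-gateway 192.168.20.1
        set netmask 255.255.255.0
        set interface "iot"
        config ip-range
            edit 1
                set start-ip 192.168.20.100
                set end-ip 192.168.20.199
            next
        end
        config reserved-address
            edit 1
                set ip 192.168.20.10
                set mac 00:11:22:33:44:55
                set action reserved
            next
        end
    next
end

# The only policy that names "iot" as a source. With no iot -> lan policy,
# the implicit deny stops the IoT VLAN from reaching the untagged segment.
config firewall policy
    edit 10
        set name "iot-to-internet"
        set srcintf "iot"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
```

Two caveats for Chris's use case. The reservation fixes which address a known MAC gets, but it does not move a device between VLANs: which interface a frame reaches is decided by the 802.1Q tag on the wire, which is sw2090's point, so either the device or a managed switch in front of the FortiGate has to apply the tag. And firewall policies only see traffic that crosses FortiGate interfaces; two devices on the same untagged segment behind an unmanaged switch talk to each other without the FortiGate ever seeing the frames.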
chrisn7599
New Contributor II

Thanks all. If it is correct that the traffic must be tagged BEFORE it hits the Fortigate ports in order for the Fortigate to route it appropriately, then I misunderstood how the Fortigate would handle VLANs. I thought I could have non-tagged traffic coming into the Fortigate ports and then using device detection, get the sender’s MAC and assign an IP address to it based on that MAC, whose IP would be in a VLAN of my choosing. For example… I have two printers, one plugged into the switch and the other on the WiFi. Based on their MACs I wanted to be able to assign them via IP Reservation, an IP address that is in the Printer VLAN and assign firewall policies accordingly.

 

Unfortunately, my switch is cheap, unintelligent, and unmanaged (unmanageable).

 

Here is my exact use case that I'm trying to solve, given the diagram I posted earlier. I have multiple devices in various categories (servers, PCs, printers, security devices, TVs, etc.), some of which are physically attached to the 16-port switch and others that come in over the WiFi mesh. With the exception of the occasional guest devices, I want to know every node/device on my network and its MAC (which I do already know), and make sure the IoT devices (security devices, TVs, etc.) can't traverse my network and get to the server or the printers. I also want to be able to log traffic and watch for intrusions coming in from the WAN side.

 

If it is a guest whose MAC I do not recognize, I want to dump them into a Guest VLAN that can only reach the internet, not the LAN.

 

What is the best way to set up this network? I thought it would be too painful setting up rules for every single device. Instead, I thought that grouping them into VLANs would make setting up firewall policies more straightforward, i.e. just a few groups as opposed to a rule for each of the many devices. Can the Fortigate identify the MAC of any device connected to the Hardware Switch or Aggregate interface (ports 2 and 3), assign an IP that belongs to a particular VLAN, and then route traffic accordingly? If not, what are my other options?

 

Thanks again for your patience. I’m a complete Fortigate newbie!

 

Chris

Fortigate Newbie