I am a Fortigate newbie and need some help. I have a 40F unit running FortiOS 6.4.10 and am trying to set up multiple VLANs on an 802.3ad aggregate interface consisting of physical ports 2 and 3. It is for internal use on my home LAN. Here’s what I’ve done so far:
Delete the Hardware Switch bonding ports 1-3 together (default configuration from Fortinet).
Set up port 1 as a dedicated Admin port on network 192.168.10.1/255.255.255.0 and running a DHCP server doling out IP addresses from x.2 to x.254.
Set up an aggregate 802.3ad interface consisting of ports 2 and 3 on network 192.168.5.1/255.255.255.0 and running a DHCP server doling out IP addresses from x.2 to x.254.
Set up multiple VLANs on the 802.3ad interface each with its own subnet and DHCP server and device detection enabled for MAC filtering.
I am trying to follow the guide on the Forti-OS-6.4.10-Administration.pdf guide starting on page 403 and stopped short of adding firewall addresses or security policies. I thought the DHCP servers should work and hand out IP addresses regardless of whether the firewall and security policies were set up. I tried to test this with both a PC and a MacBook using a physical RJ45 connection on port 2, but can’t get any IP addresses from the Fortigate. I have tried it with and without MAC detection and nothing seems to work.
Ultimately what I want to do is assign a reserved IP for each device on my network (by MAC address), grouping each type of device into its own VLAN (entertainment, PCs, servers, security, etc.) and controlling traffic so that the IoT type devices are on VLANs that can’t traverse my network and get to the server or other PCs but can only go to the internet.
I don’t know why I can’t get the DHCP servers to work. Any help or debug tips would be appreciated.
Thanks for all of the input. I have learned a tremendous amount from all of you and you have cleared up many misconceptions I had about what the Fortigate is capable of and how it works.
At this point, I’m going to take a step back and search for an inexpensive managed switch that can do VLAN tagging to replace the dumb switch I currently have. I plan to set up a VLAN on each physical port of the new switch and multiple VLANs on one of the ports that I will plug the eero WiFi mesh into. I have already checked and I can ping and ARP devices hanging off of the WiFi mesh such that I can see each one’s MAC, so I know the frame is not being stripped of the MAC.
On page 131 of the guide, they explicitly show you how to configure the ports for MAC based VLAN tagging.
With respect to the guest network, I plan to disable it on my eero WiFi mesh and enable it directly on the AT&T router which will exist on the WAN side of the Fortigate. This moves the guest network outside of my LAN and allows me to dedicate the eero mesh to only those devices whose MAC I know and authorize.
Does this look like a workable plan? Do you have recommendations or experience with Netgear, TP-Link, and other managed switches? The ones I’m looking at are ~$300 on Amazon, and I don’t want to spend more than that.
1. Not sure why you think you need a MAC-based VLAN in your environment? Once you have a VLAN-capable switch you just assign VLANs to ports and that should be all you need to do.
2. Be careful using your AT&T router's guest WiFi as now you are going to have two distinct and competing Wi-Fi signals that are not communicating with each other. You risk interference issues and other concerns. It would be best to just have one AP broadcasting all of your SSIDs. The Guest network would just be another VLAN that is tagged on the switch and terminated at the FortiGate.
I understand what you are saying when it comes to the devices plugged directly into various ports on the managed switch using RJ45 cables. The problem I’m trying to solve is the mixture of devices coming in over the eero mesh which would be plugged into a single physical port on the new switch.
Some of the devices coming in on the eero have no easy way of setting their IP address statically, like the Ring camera, the Rainbird water sprinkler controller, the refrigerator, etc. I need to be able to put those types of IoT devices in a separate VLAN to restrict their access and assign an appropriate IP address to them via DHCP. Other things coming in over the eero, such as my wife’s PC, her iPad, our iPhones, and her printer need to be able to traverse the LAN. I can assign a static IP to the PC and the printer, but I don’t know that this is possible with the phones or iPad. Since I know the MAC address of everything on my network, I thought a MAC-based VLAN would be the best approach with DHCP servers running on each subnet/VLAN.
Then there is the matter of the guest network. While the eero has two SSIDs (privileged and guest), I don’t know how the switch would know whether a device was connected as privileged or as a guest. When I have friends over that want to jump on the WiFi, I don’t know their MAC addresses and need an easy way to restrict their traffic. Here are my use cases:
I need to be able to have trusted devices on the LAN that come in through hard wired connections to the switch and others that come in over the eero WiFi mesh.
I need to be able to restrict untrusted IoT type devices that come in over the eero WiFi mesh.
I need a separate guest network where devices come in over the eero WiFi mesh.
I am open to suggestions at this point with respect to the design. What is the best way to configure the network given the above use cases given the Fortigate, smart managed switch, and simple wireless access point attached to the switch?