Hi Toshi, Gaber, and sw2090,
First off, I only have the 40F without the WiFi.
But, things are starting to make more sense now. I do not have anything capable of tagging packets with a particular VLAN ID before the traffic hits the Fortigate unit. The 16-port switch is dumb and the eero WiFi mesh is too. I disabled all of the smarts in the eero and just use it as a radio beacon. Even in smart mode, the eero I have doesn’t support VLAN tagging. The 16-port switch uplink is attached to Port 2 on the Fortigate and the eero WiFi mesh is attached to Port 3 on the Fortigate. I have Port 1 dedicated as an Admin port.
Let me press this further. If I were to have Ports 2 and 3 set up as a Virtual Switch (I think this is the same as a Hardware Switch – default FG configuration) and run a DHCP server on that, I should be able to assign IP addresses by MAC and still at least have like devices grouped into particular address ranges (servers, TVs, PCs, etc.) and dump unknown MACs into a guest IP address range.
If I do that, what is the best way to set up firewall policies for each address range? Is it possible to still set up the VLANs on the Virtual Switch and route traffic from the Virtual Switch to each particular VLAN based on IP range and then set up firewall policies for each VLAN? Or is this completely nonsensical and a bad thing to do?
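The layout sketched in the post above, written out as FortiOS CLI. This is an added illustration, not configuration from the post or from Fortinet; it assumes FortiOS 6.x/7.x CLI syntax, a 40F whose switch ports are named lan2 and lan3, the 192.168.10.0/24 addressing, the example MAC addresses, and the policy IDs. All of those are placeholders to adapt.

```fortios
# Added example (not from the original post): two ports in one
# hardware switch, one DHCP server with MAC reservations, and
# policies keyed on address range. Port names, subnet, MACs and
# policy IDs are assumptions.

# 1. Ports 2 and 3 form one virtual (hardware) switch. Port 1 is
#    left out so it stays a separate admin interface.
config system virtual-switch
    edit "lan"
        set physical-switch "sw0"
        config port
            edit "lan2"
            next
            edit "lan3"
            next
        end
    next
end

# 2. Address the switch interface.
config system interface
    edit "lan"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
    next
end

# 3. DHCP: the dynamic pool is only the guest range, so an unknown
#    MAC can only land there. Known MACs are reserved to fixed
#    addresses inside the per-role ranges, outside the pool.
config system dhcp server
    edit 1
        set interface "lan"
        set default-gateway 192.168.10.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 192.168.10.200
                set end-ip 192.168.10.250
            next
        end
        config reserved-address
            edit 1
                set mac 00:11:22:33:44:01
                set ip 192.168.10.20
                set action reserved
            next
            edit 2
                set mac 00:11:22:33:44:02
                set ip 192.168.10.50
                set action reserved
            next
        end
    next
end

# 4. One address object per range.
config firewall address
    edit "lan-servers"
        set subnet 192.168.10.16 255.255.255.240
    next
    edit "lan-guest"
        set type iprange
        set start-ip 192.168.10.200
        set end-ip 192.168.10.250
    next
end

# 5. Policies keyed on the source range rather than on an interface.
config firewall policy
    edit 10
        set name "servers-out"
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "lan-servers"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    edit 20
        set name "guest-web-only"
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "lan-guest"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"
        set nat enable
        set logtraffic all
    next
end
```

Two things to keep in mind when reading this: policies 10 and 20 only see traffic that leaves the switch through the FortiGate (here, towards wan or towards the admin port). A guest host and a server host on lan2 and lan3 sit in the same broadcast domain and reach each other through the switch fabric, so no policy is evaluated between them. And because the ranges are tied to IP addresses rather than to a VLAN or port, a device that sets a static address inside the server range is treated as a server; the grouping keeps honest devices organised but is not a security boundary on its own.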