Thanks for the advice and encouragement. I have deleted the Aggregate 802.3ad interface I had set up and gone back to using a Hardware Switch. Currently it only has Ports 2 and 3 in it, but I will eventually add Port 1 back into it. I don’t just want to hang the server off of Port 3 because I also have a backup server and printer I want to isolate as well. I also have a printer that hangs off of the WiFi mesh I want to protect. That means I need to be able to not care which physical port on the FG something is plugged into. I would rather simply control them using firewall rules by IP address range.
As such, I had planned to assign IP addresses based on MAC detection. I tried that using my laptop and it works great. For example, I reserved 192.168.2.69 to my laptop’s MAC, and when I plugged the laptop into Port 3 and requested an IP address, the FG’s DHCP server handed me 192.168.2.69. Therefore, I should be able to follow suit with my servers, other PCs, TVs, printers, etc., assigning each one an IP address within the desired range by type.
However, I don’t know how to set up a guest IP address range to dump unknown MACs into. The implicit rule is to assign an IP to unknown MACs but I don’t see a way to restrict the range inside of the 192.168.2.x network. I am concerned that the DHCP server will just dole out the next available IP address instead of restricting it to, let’s say 192.168.2.200 to 192.168.2.250. For example, let’s say I have two servers, but want to reserve 192.168.2.10 to .20 leaving room for future servers. What keeps the DHCP server from giving the next unknown device the address of 192.168.2.17 instead of something in a predefined guest range?
Any ideas on how to do this?