Hi all,
I struggle through every step with these routers, very sorry for the noob questions but please be gentle, I don't really know what I'm doing here.
So we were quickly exhausting our single class C network and I decided to run another line from the Fortigate 60E (is that a VLAN or a subnet, not sure) to a new switch and give myself another 200+ addresses. Main net is 192.168.1.0, and I made the new LAN 192.168.3.0. I have the Fortigate set as the DHCP server for this new segment and so far I've fought my way through to a point where clients pull an IP and can communicate internally and externally.
I can ping from a 192.168.1 machine to a 192.168.3 machine, but if I try to remote in by machine name, it fails, so I have a DNS issue for sure. I have the new LAN DNS set to our DC at 1.10.
I'm also a little worried about security, as I basically just added policies to open everything up between the two LANs and between the wan and new LAN.
I'll attach a few screenshots of the current config... if anyone has any suggestions or critiques on anything I've set up here, they would be greatly appreciated. I realize it's a lot to ask, we are all very busy, but I thank you for reading.
Do you split the internal network because you really want different access or do you do it just to get more addresses?
If the target is only more internal addresses, you can increase the internal network you already have:
Add a /22 network. Then you have 192.168.0.1-192.168.3.254 in the same internal network.
192.168.0.1/255.255.252.0
Fortigate <3
Hm, maybe it's the easiest to have the FGT be DNS and DHCP forwarder for 192.168.3.0 to the DC on 1.10. And then have the DHCP on the DC have a pool for both subnets, and it also has to have an IP in 192.168.3.0 itself of course.
This DNS thingy will only work with Windows DHCP servers AFAIK.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
WAN -> internal delete =)
Fortigate <3
Thanks, Gus.
More internal addresses is the goal, but changing the mask seemed like the more complicated route. I don't fully understand the ramifications of that change so I thought better to leave it alone.
Edit: I should also mention I have another building down the road connected via tunnel, which is on 192.168.2.0. That factored into my avoidance of changing the mask. I'll probably just leave it as is and fight the DNS issue.
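The two replies above pull in opposite directions: the /22 suggestion gives 192.168.0.1-192.168.3.254 in one network, but the poster's remote building sits on 192.168.2.0 inside that same range. The following check, added here as an example and not code from the thread or from Fortinet, computes the smallest prefix that covers the main and new LANs and reports which routed networks it would swallow. The addresses are the ones given in the thread; the route label is a constructed placeholder.

```python
import ipaddress

# Values from the thread (constructed here as Python objects):
# the main LAN, the new segment, and the remote building behind the tunnel.
MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")
NEW_LAN = ipaddress.ip_network("192.168.3.0/24")
OTHER_ROUTES = {"tunnel to other building": ipaddress.ip_network("192.168.2.0/24")}


def supernet_plan(main, new, other_routes):
    """Return the smallest prefix containing both LANs, its host range,
    and any separately routed networks that prefix would overlap.

    A host on the widened LAN treats every address inside its own mask as
    on-link, so a swallowed network (here 192.168.2.0/24) would be ARPed
    for locally instead of being handed to the gateway for the tunnel.
    """
    covering = main
    while not new.subnet_of(covering):
        covering = covering.supernet()  # widen by one bit at a time
    conflicts = {
        name: net for name, net in other_routes.items() if net.overlaps(covering)
    }
    return {
        "supernet": str(covering),
        "netmask": str(covering.netmask),
        "first_host": str(covering[1]),
        "last_host": str(covering[-2]),
        "usable_hosts": covering.num_addresses - 2,
        "conflicts": {name: str(net) for name, net in conflicts.items()},
    }


if __name__ == "__main__":
    plan = supernet_plan(MAIN_LAN, NEW_LAN, OTHER_ROUTES)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

With the thread's addresses the plan reports 192.168.0.0/22 (mask 255.255.252.0, 1022 usable hosts) and flags the tunnel network as a conflict, which is exactly the ramification the poster was unsure about.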
Created on 12-01-2021 03:34 AM Edited on 12-01-2021 03:43 AM
(deleted)
Copyright 2024 Fortinet, Inc. All Rights Reserved.