Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MeoDub
New Contributor

Created on ‎07-16-2021 09:45 AM

Out of IP's - adding another LAN but running into dns issues

Hi all,

 

I struggle through every step with these routers, very sorry for the noob questions but please be gentle, I don't really know what I'm doing here.

 

So we were quickly exhausting our single class C network and I decided to run another line from the Fortigate 60E (is that a vlan or a subnet, not sure) to a new switch and give myself another 200+ addresses.  Main net is 192.168.1.0, and I made the new lan 192.168.3.0  I have the fortigate set as the DHCP server for this new segment and so far I've fought my way through to a point where clients pull an ip and can communicate internally and externally.

 

I can ping from a 192.168.1 machine to a 192.168.3 machine, but if I try to remote in by machine name, it fails, so I have a dns issue for sure.  I have the new LAN dns set to our DC at 1.10

 

I'm also a little worried about security, as I basically just added policies to open everything up between the two LANs and between the wan and new LAN.

 

I'll attach a few screen shots of the current config...if anyone has any suggestions or critiques on anything I've setup here, they would be greatly appreciated.  I realize it's a lot to ask, we are all very busy, but I thank you for reading.

 

 

4545
0 Kudos
3 Solutions
GusTech
Contributor II

Created on ‎07-16-2021 04:10 PM

Do you split the internal network because you really want different access or do you do it just to get more addresses?

 

If the target is only more internal addresses, you can increase the internal network you already have:

 

Add a /22 network. Then you have 192.168.0.1-192.168.3.254 in the same internal network.

192.168.0.1/255.255.252.0

Fortigate <3

View solution in original post

Fortigate <3
3863
0 Kudos
GusTech
Contributor II
In response to GusTech

Created on ‎07-16-2021 04:14 PM

WAN -> internal delete =)

 

Fortigate <3

View solution in original post

Fortigate <3
3863
0 Kudos
sw2090
SuperUser
SuperUser
In response to MeoDub

Created on ‎07-22-2021 05:51 AM

hm maybe its the easiest to have the FGT be DNS and DHCP Forwarder for 192.168.3.0 to the DC on 1.10. And then have the dhcp on the DC have a pool for both subnets and also it has to have an ip in 192.168.3.0 itself of course.

This DNS thingy will only work with windows dhcp servers afaik.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
3863
0 Kudos
5 REPLIES 5
GusTech
Contributor II

Created on ‎07-16-2021 04:10 PM

Do you split the internal network because you really want different access or do you do it just to get more addresses?

 

If the target is only more internal addresses, you can increase the internal network you already have:

 

Add a /22 network. Then you have 192.168.0.1-192.168.3.254 in the same internal network.

192.168.0.1/255.255.252.0

Fortigate <3

Fortigate <3
3864
0 Kudos
GusTech
Contributor II
In response to GusTech

Created on ‎07-16-2021 04:14 PM

WAN -> internal delete =)

 

Fortigate <3

Fortigate <3
3864
0 Kudos
MeoDub
New Contributor
In response to GusTech

Created on ‎07-19-2021 11:30 AM

Thanks, Gus.

 

More internal addresses is the goal, but changing the mask seemed like the more complicated route.   I don't fully understand the ramifications of that change so I thought better to leave it alone.

 

Edit:  I should also mention I have another building down the road connected via tunnel, which is on 192.168.2.0.  That factored into my avoidance of changing the mask.  I'll probably just leave it as is and fight the dns issue.

3812
0 Kudos
sw2090
SuperUser
SuperUser
In response to MeoDub

Created on ‎07-22-2021 05:51 AM

hm maybe its the easiest to have the FGT be DNS and DHCP Forwarder for 192.168.3.0 to the DC on 1.10. And then have the dhcp on the DC have a pool for both subnets and also it has to have an ip in 192.168.3.0 itself of course.

This DNS thingy will only work with windows dhcp servers afaik.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
3864
0 Kudos
Jonathan_Rennie_FTNT
Staff
Staff
In response to sw2090

Created on ‎12-01-2021 03:34 AM Edited on ‎12-01-2021 03:43 AM

(deleted)

That will be me then!!
3679
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.