I might be overthinking this just a little.
I support a client with a Fortigate cluster in their main office and a Fortigate cluster in their data centre.
All of their server infrastructure is in their data centre and is all accessed over a fiber point-to-point link. Said link is connected to both firewall clusters as an ethernet connection, with a different IP at each end.
Routing between their head office and data centre and back is done using the point-to-point interfaces at each end. DHCP for their head office users is all handled through the head office firewall cluster. All different types of connections at their head office and data centre locations are on different untagged VLANs.
Recently we've built a new environment on their server infrastructure on a net new VLAN/subnet (the environment will eventually be moved to a different location), and I've been asked to allow access from head office to the new environment for the purpose of workstation building/testing for users that will eventually be at the new location.
My coworker has suggested using a switch on the same VLAN as their current wired workstations and putting an IP Helper on the switch to point them to the other network across the point-to-point link. I have reservations in doing this as I don't want to mess with their current wired setup and cause the users any grief.
I've suggested just creating a net new VLAN, putting the users on that VLAN, using IP Helpers to get across that way and configuring the firewalls accordingly.
Part of me thinks there's probably an easier/less risky way to do this.
Thoughts? Anything I may have overlooked?
You already have proper routes to the new subnet from the head office and policies to allow the access at both FGT clusters. When you move the subnet to other location, you just need to change the routes and policies toward the new circuit/VPN. I'm not sure what your concern is.
We don't have the routes, per se, in place, but it's easy enough for me to add them.
My concern is the DHCP requests more than anything and making sure the IP Helper doesn't redirect traffic meant for their head office.
This is why I was thinking of another VLAN.
But then, sometimes I overthink, and maybe I can just put a static route in and do the IP Helper off the single switch.
Without routing, HQ FGT won't forward the access to the new subnet toward the datacenter FGT (I'm assuming the 0/0 route is going toward a different circuit). FGT wouldn't forward broadcast frames to the other interface under normal configuration unless it's within a hard-switch (soft-switch as well??) or with other special conditions like transparent mode, VXLAN, etc.
I would think the VLAN is the way to go. The subnet residing on the VLAN can be moved with minimal impact to the existing infrastructure and you will have the ability to do whatever you need to get the clients up and running.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
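As an added illustration of the VLAN approach recommended above (this is example configuration written for this page, not from any poster or from Fortinet), the FortiOS CLI below puts the HQ build workstations on a dedicated VLAN interface, relays their DHCP to a server in the new data-centre subnet, and adds the static route and policy that the second reply points out are required before the HQ cluster will forward anything across the point-to-point link. Every name and address is an assumption: "internal" as the HQ trunk port, VLAN 120, 10.20.120.0/24 for the build VLAN, "p2p-dc" and 10.255.255.2 for the point-to-point interface and far-end gateway, 10.30.50.0/24 for the new environment and 10.30.50.10 for its DHCP server. The DC cluster needs the mirror image: a route for 10.20.120.0/24 back via the point-to-point link and a policy from "p2p-dc" to the server VLAN that allows at least UDP/67 from the relay address (the VLAN interface IP, 10.20.120.1) plus the workstation traffic.

```fortios
# --- HQ FortiGate cluster (example only; all names/addresses are assumptions) ---

# 1. Dedicated VLAN for the build workstations, tagged on the HQ trunk port.
#    DHCP relay is set on the interface itself: the FGT unicasts the clients'
#    broadcast DISCOVER/REQUEST to the DC DHCP server instead of answering them,
#    so the existing head-office DHCP scope is untouched.
config system interface
    edit "vlan120-build"
        set vdom "root"
        set interface "internal"
        set vlanid 120
        set ip 10.20.120.1 255.255.255.0
        set allowaccess ping
        set role lan
        set dhcp-relay-service enable
        set dhcp-relay-type regular
        set dhcp-relay-ip "10.30.50.10"
    next
end

# 2. Route for the new environment. Without this the HQ cluster sends
#    10.30.50.0/24 out the default route, not down the point-to-point link.
#    Moving the environment later means editing only this route.
config router static
    edit 0
        set dst 10.30.50.0 255.255.255.0
        set gateway 10.255.255.2
        set device "p2p-dc"
    next
end

# 3. Address objects used by the policy.
config firewall address
    edit "vlan120-build-net"
        set subnet 10.20.120.0 255.255.255.0
    next
    edit "newenv-net"
        set subnet 10.30.50.0 255.255.255.0
    next
end

# 4. Policy limited to the build VLAN. Nothing else at HQ gains a path to the
#    new environment, and the reverse direction is covered by the session table.
#    Tighten "ALL" to the build/test services once they are known.
config firewall policy
    edit 0
        set name "vlan120-build-to-newenv"
        set srcintf "vlan120-build"
        set dstintf "p2p-dc"
        set srcaddr "vlan120-build-net"
        set dstaddr "newenv-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Because the relay is bound to the new VLAN interface only, a DISCOVER from an existing wired workstation on its current VLAN is still answered by the HQ cluster's own scope; nothing about the existing users' DHCP changes, which is the concern raised in the original post. The relayed packets originate from the FortiGate itself (local-out), so they need no policy on the HQ cluster, but the DC cluster must accept them from the point-to-point interface toward the DHCP server.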
Copyright 2025 Fortinet, Inc. All Rights Reserved.