Hello to all,
I have a difficult task to do. I need to create the same subnets for multiple endpoint users and isolate those subnets without using multiple routers or firewalls.
Can't figure out how to do it, or if it is possible in the first place.
Thank you.
Hi,
You may think of using 3 VDOMs, with each subnet on any segment under a different/unique VLAN ID, so that the same subnets may overlap with different VLAN IDs connecting to different VDOMs.
cheers,
Jin
I would go for Private VLANs as a more elegant, easy-to-deploy solution
https://docs.fortinet.com/document/fortiswitch/7.0.1/administration-guide/104079/private-vlans
Using private VLANs like @aahmadzada suggested looks like a truly more elegant solution, if it is really possible to fulfill this task using PVLANs. Using VDOMs like @jintrah_FTNT suggested is a more complex solution and creates more mess, since we need to enable VDOM functionality, which is not used and is disabled by default.
@aahmadzada can you share some screenshots or examples of how to implement my task from your test FortiGate device?
Thank you.
What is your actual goal here? Do you want to block endpoints from communicating with each other regardless of what subnet they are in? Or do you want to isolate endpoints only from other endpoints that are on different switches? Or do you want to isolate endpoints between different subnets? If it's the latter, you can just use firewall policies. If it's one of the former two, we can look at other options.
It's an odd setup. I wonder if there's a better way of doing what you're setting out to do. The more details you can provide, the better!
Created on 10-07-2022 08:31 AM Edited on 10-07-2022 08:34 AM
The goal is that our company has a lot of technical engineers working as technical support for all kinds of network equipment (IPCs, switches, routers, NVRs, etc.) returned for warranty service from clients, or returned from shops to reinstall firmware, etc.
And by default devices come with default subnets like:
192.168.0.0/24
192.168.1.0/24
192.168.10.0/24
192.168.90.0/24
192.168.64.0/24
192.168.254.0/24
etc..
So each tech engineer is working with the same devices at the same time, and connecting them to the same network creates an IP conflict because devices by default have the same default IPs like 192.168.0.1, 192.168.1.1, etc.
To avoid this, tech engineers right now use their own routers in each workplace to separate the same LANs and keep them behind NAT. Imagine 10 or more tech engineers connecting routers to your LAN; it creates a big mess with wires and network configuration. I want to avoid that and am searching for more elegant solutions without using a router in each workplace.
OK, in this case private VLANs may not work, since by default the hosts in a secondary PVLAN can still communicate with the primary VLAN. So the FortiGate will see lots of duplicate IP addresses. Might still work for local device access though, i.e. tech laptop and IPC are in community VLAN 202; they will not see the laptop and IPC in VLAN 203 with the same IP, but the FortiGate with primary VLAN 201 will see them and the IP conflicts.
Do the workstations have multiple NICs? Is it possible to have a dedicated NIC for connecting to the warranty devices and another NIC (even if it's just Wi-Fi) for all other network connectivity?
If so, then you can just set up individual L2 VLANs for each tech. Plug the NIC into one port in the VLAN and plug the devices into the other ports in the VLAN. The tech can manually change their IP address to service the gear on that wired connection to the VLAN (no default gateway). The primary NIC will have default gateway and won't change IP address.
If that's not possible then I think the best option is to consider PVLANs, but you might have an issue with the FGT seeing duplicate IPs. Or you can consider VRFs, where each technician's VLAN is put into a different VRF ID. VRFs allow overlapping IP space.
Looks like I will be going to choose the VDOM solution and create separate networks for each engineer. Our FG 61E supports 10 VDOMs, and we are planning to have 5 different support engineers in one site, meaning we will have 5 VDOMs with 5 separate isolated subnets in each VDOM, and the FG has 7 separate LAN ports (including DMZ), meaning we will still have two spare ports for two extra engineers.
You’ll have an easier time just using VRFs. They accomplish the same task as VDOMs with much lower admin overhead for your specific use case.
Created on 10-10-2022 11:08 PM Edited on 10-10-2022 11:27 PM
OK, I tried VRFs.
Enable advanced routing feature
Enabled overlapping subnets
set allow-subnet-overlap enable
And I managed to create two different VLANs with different VRFs and the same primary IPs; it allowed me to do that only after I enabled overlapping subnets.
VLAN1111
VRF ID: 1
Primary subnet: 192.168.10.254/255.255.255.0
Secondary subnet: 192.168.11.254/255.255.255.0
VLAN1112
VRF ID: 2
Primary subnet: 192.168.10.254/255.255.255.0
But I tried to add a secondary overlapping subnet 192.168.11.254/255.255.255.0 in VLAN1112 and it didn't allow me to do so.
So are overlapping subnets only possible for the primary VLAN subnet?
My goal was to create two VLANs with different VRFs and with the same primary and secondary subnets for each engineer.
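A small model of the per-VRF design discussed in the replies above (one routing table per technician VLAN, so identical default subnets do not collide), added here as an illustration; it is not FortiGate code and not from any poster. The interface names and VRF IDs are taken from the post above, the connected-route tables and the overlap rule are a constructed simplification, and it does not claim anything about whether FortiOS accepts the secondary IP.

```python
"""Per-VRF route lookup model for the overlapping-bench-subnet problem."""
from ipaddress import ip_address, ip_network


class VrfTables:
    """Connected routes only, keyed by VRF id (constructed model)."""

    def __init__(self):
        self.routes = {}  # vrf_id -> list of (network, interface_name)

    def add_connected(self, vrf, interface, cidr):
        net = ip_network(cidr, strict=False)
        table = self.routes.setdefault(vrf, [])
        # The same prefix twice inside one VRF is the IP conflict a flat
        # LAN suffers from; the same prefix in different VRFs is allowed
        # (the effect of allow-subnet-overlap in the post above).
        for existing, _ in table:
            if existing.overlaps(net):
                raise ValueError(f"VRF {vrf}: {net} overlaps {existing}")
        table.append((net, interface))

    def lookup(self, vrf, dst):
        """Longest-prefix match inside a single VRF; None if no route."""
        addr = ip_address(dst)
        matches = [(n, i) for n, i in self.routes.get(vrf, []) if addr in n]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_bench_tables():
    """Two benches with the same primary and secondary subnets, one VRF each."""
    t = VrfTables()
    t.add_connected(1, "VLAN1111", "192.168.10.254/24")
    t.add_connected(1, "VLAN1111", "192.168.11.254/24")  # secondary IP
    t.add_connected(2, "VLAN1112", "192.168.10.254/24")
    t.add_connected(2, "VLAN1112", "192.168.11.254/24")
    return t


def flat_lan_conflicts():
    """Both benches in the same VRF: the second 192.168.10.0/24 is rejected."""
    t = VrfTables()
    t.add_connected(0, "VLAN1111", "192.168.10.254/24")
    try:
        t.add_connected(0, "VLAN1112", "192.168.10.254/24")
    except ValueError:
        return True
    return False
```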