Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Žydrūnas
New Contributor III

Created on ‎10-06-2022 11:29 PM Edited on ‎10-06-2022 11:30 PM

Same FortiGate subnets for multiple endpoint users

Hello to all,

 

i have a difficult task to do. I need to create same subnets for multiple endpoint users and isolate those subnets without using multiple routers firewalls.

Can't figure out how to do it and if it is possible at first place.

ydrnas_0-1665123907353.png

 

Thank you.

Labels:
2467
0 Kudos
10 REPLIES 10
jintrah_FTNT
Staff
Staff

Created on ‎10-06-2022 11:34 PM

Hi,

You may think of using 3 vdoms and each subnet on any segment under different/unique vlan ids so that same subnets may overlap with different vlanids connecting to different vdoms.

 

cheers,

Jin

2229
aahmadzada
Staff
Staff

Created on ‎10-07-2022 12:53 AM

I would go for the Private VLANs as a more elegant, easy to deploy solution

 

https://docs.fortinet.com/document/fortiswitch/7.0.1/administration-guide/104079/private-vlans

Ahmad
2223
Žydrūnas
New Contributor III

Created on ‎10-07-2022 08:05 AM Edited on ‎10-07-2022 08:08 AM

Using private VLANS like @aahmadzada suggested looks like truly more elegant solution if it is really possible to fulfill this task using PVLANS. Using VDOMS like @jintrah_FTNT suggested is more complex solution and create more mess since we need to enable VDOMS functionality which is not used and is disable by default.
@aahmadzada can you share some print screen or examples how to implement my task from your test FortiGate device ?

 

Thank you.

2207
0 Kudos
gfleming
Staff
Staff

Created on ‎10-07-2022 08:21 AM Edited on ‎10-07-2022 08:22 AM

What is your actual goal here? You want to block endpoint from communicating to each other regardless of what subnet they are in? Or you want to isolate endpoints only from other endpoints that are in different switches? Or you want to isolate endpoints between different subnets. If it's the latter, you can just use Firewall Policies. If it's one of the two formers we can look at other options.

 

It's an odd set up. I wonder if there's a better way of doing what you're setting out to do. More details you can provide the better!

Cheers,
Graham
2205
0 Kudos
Žydrūnas
New Contributor III
In response to gfleming

Created on ‎10-07-2022 08:31 AM Edited on ‎10-07-2022 08:34 AM

The goal is that our company has a lot technical engineers working as technical support for all kind of network equipment like (IPC's, switches, routers, NVR's, etc..) returned as for warranty service from clients, or returned from shops to reinstall firmware's, etc.
And by default devices comes with default subnets like:

192.168.0.0/24
192.168.1.0/24

192.168.10.0/24
192.168.90.0/24
192.168.64.0/24
192.168.254.0/24

etc..

So each tech. engineer is working with same devices at the time connecting them to same network creates an IP conflict because devices by default have same default IP's like 192.168.0.1, 192.168.1.1, etc..
To avoid this tech. enginees right now use their own routers in eatch workplace to separate same LANS and keep them behind NAT. Imagine 10 or more tech. engineers connecting routers to your LAN crates a big mess with wires, and network configuration. I want to avoid that and searching for more elegant solutions without using router in each workplace.

2204
0 Kudos
gfleming
Staff
Staff
In response to Žydrūnas

Created on ‎10-07-2022 10:59 AM

OK in this case private VLANs  may not work. Since by default the hosts in a secondary PVLAN can still communicate with the primary VLAN. So the FortiGate will see lots of duplicate IP addresses. Might still work for local device access though. I.e. Tech Laptop and IPC are in community VLAN 202, they will not see laptop and IPC in VLAN203 with same IP but FortiGate with Primary VLAN 201 will see them and the IP conflicts.

 

Do the workstations have multiple NICs? Is it possible to have dedicated NIC for connecting to the warranty devices and another NIC (even if its just wi-fi) for all other network connectivity?

 

If so, then you can just set up individual L2 VLANs for each tech. Plug the NIC into one port in the VLAN and plug the devices into the other ports in the VLAN. The tech can manually change their IP address to service the gear on that wired connection to the VLAN (no default gateway). The primary NIC will have default gateway and won't change IP address.

 

If that's not possible then I think best option is to consider PVLANs but might have issue with FGT seeing duplicate IPs. Or you can consider VRF where each technician's VLAN is put into a different VRF ID. VRF allows overlapping IP space.

 

 

Cheers,
Graham
2195
0 Kudos
Žydrūnas
New Contributor III
In response to gfleming

Created on ‎10-10-2022 05:41 AM

Looks like i will be going to choose VDOMS solution, and create separate networks for each engineer. Our FG 61E support 10 VDOMS and we are planning to have 5 different support engineers in one site meaning we will have 5 VDOMS with 5 separate isolated subnets in each VDOM and FG have 7 separate LAN ports (including DMZ) meaning we will still have two spare ports for two extra engineers

2162
0 Kudos
gfleming
Staff
Staff
In response to Žydrūnas

Created on ‎10-10-2022 07:42 AM

You’ll have an easier time just using VRFs. They accomplish the same task as VDOMs with much lower admin overhead for your specific use case. 

Cheers,
Graham
2144
0 Kudos
Žydrūnas
New Contributor III
In response to gfleming

Created on ‎10-10-2022 11:08 PM Edited on ‎10-10-2022 11:27 PM

ok, i tried VRFs.

Enable advanced routing feature

Enabled overlapping subnets

 

 

 

 

 

 

 

set allow-subnet-overlap enable

 

 

 

 

 

 

 

 And managed to created two different VLANS with different VRF's and same primary IP's, it allowed me to do that only after i enabled overlapping subnets.

ydrnas_5-1665468415762.png

 

VLAN1111

VRF ID: 1

Primary subnet: 192.168.10.254/255.255.255.0

Secondary subnet: 192.168.11.254/255.255.255.0

 

ydrnas_2-1665469018744.png

VLAN1112

VRF ID: 2

Primary subnet: 192.168.10.254/255.255.255.0

ydrnas_3-1665469052241.png

But i tried to add a secondary overlapping subnet 192.168.11.254/255.255.255.0 in VLAN112 and it didn't allowed me to do so.

So overlapping subnets only possible for primary VLAN subnet ?

 

ydrnas_0-1665468915200.png

 

My goal was create two VLANS with different VRF's and with same primary and secondary subnets for each engineer.

2134
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.