Good day
I am fairly new to advanced FortiGate settings.
This is my idea and how my infrastructure is currently set up, after which I will explain what I am trying to do.
I have a FortiGate 100E - 5 HPE switches - 5 UniFi APs
WAN2 - Wireless internet
WAN1/SFP1 - Fiber internet (currently awaiting fiber installation)
Port 1 - Connected to Switch 1 & 2 - PoE switches connecting IP phones to PABX and internet for Times
Port 2 - Connected to Switch 3, 4 & 5 - HPE switches connecting computers and laptops to network & internet
Port 3 - Connected to security camera system - gives all cameras internet access for external viewing
(UniFi APs connected to Switch 5, giving laptops and cellphones internet with the same IP range as the computers)
All of the above are hardware switches configured on the FortiGate 100E.
What I am trying to do...
I would like to keep the UniFis on the same network but want them to have separate addresses from the computers.
Computer-PC with 192.168.0.1
Android 9.1 with 10.0.0.1
After achieving this I can then make rules for cellphones to use low bandwidth and restrict sites (keep people off Facebook and YouTube).
I have thought of making another hardware switch just for the WiFi, but there are some laptops and computers that need to connect to the WiFi (faulty RJ45 ports etc.).
I know there is a device inventory and would like to make use of it so that only computers connect to 192.168.0.1 and Android and iPhones connect to 10.0.0.1.
Thank you in advance
If you had FortiAPs you could create separate SSIDs for computers and phones. The computer SSID would bridge to the local network (or tunnel for more policy control) and the phone SSID would tunnel to the FortiGate.
In your case, you can see if you can create separate SSIDs and assign them to different VLANs. You can then carry the VLAN at layer 2 to the FortiGate for policy control.
Thank you for your reply.
The UniFi APs were from the old building and we needed to cut costs. I'm not familiar with VLANs on FortiGate and UniFis, but I will do some digging to see what I can do in that regard.
Hi SecurityPlus
Can you give me a bit of enlightenment on how I can separate my computers on the LAN?
I was thinking of creating two policies, one for Windows PCs and Mac PCs and another policy for everything else.
Why do you want to separate them at all?
What we do here with FGT + HP or Dell switches + UniFi APs is this:
There is one subnet for PCs. This has a DHCP server in it (not on the FGT) that serves the PCs.
There are three subnets for the three WiFis we have. Those are on VLAN interfaces on the FGT.
There is one subnet for management. This is a VLAN on the FGT too. The UniFi APs and the switches have IPs in this one.
The UniFi APs are connected to a VLAN trunk port on the switch (i.e. tagged in all but the main VLAN (VID 1), due to HP reasons). The APs do VLAN tagging for the three WiFis.
The FGT acts as DHCP server in two of the three WiFi subnets and as DHCP forwarder in the third one.
There are policies on the FGT to allow traffic between all these subnets as we need them.
Works fine so far.
Maybe this gives you some inspiration?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thank you for the feedback. I'm not clued up on VLANs; everyone I have spoken to says it's very easy.
I tried to configure VLANs once but failed and had to factory reset the switches, as whilst doing the setup I was under a lot of pressure to get the site up and running before everyone was settled at their desks.
I am trying to free up one switch so that I can play around with it and do some VLAN training on it.
I know what VLANs are supposed to do because I need to do this to get a NanoBeam to send both the LAN and telephone network over it.
I have a few different ranges that I have set up on my FGT.
192.168.0.1 - Computers
192.168.1.1 - Telephones
192.168.2.1 - Cameras
These are set using the hardware switch function, where my telephones are on 2 PoE switches connected to LAN1, computers are connected to LAN2 with 3 switches, and LAN3 is connected to a separate network cabinet with the DVR and its switches.
My reason for separation is that I want to block cellphones from YouTube and Facebook and give them a bandwidth limit so that they don't affect my internet in the office. Everyone has an Android or an iPhone and some have watches and tablets, so I'm sitting at around 60 devices pulling my internet down and my computers running tracking are suffering.
If it's just for UTM and traffic shaping you don't necessarily need to have different subnets.
You could use IP ranges inside one subnet and make policies for them with UTM/traffic shaping enabled.
You would then just have to mind the order of your policies!
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
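The single-subnet approach suggested above (an IP range inside 192.168.0.0/24 with its own UTM and shaping policy, placed ahead of the general PC policy), as an added example. It is not the poster's configuration and not copied from Fortinet documentation. Assumed: the LAN hardware switch interface is "lan", the internet is "wan2", phones receive addresses in 192.168.0.200-192.168.0.250 (for instance via DHCP reservations), and the existing PC policy has ID 10; the names and numbers are placeholders, and keywords can differ between FortiOS versions.

```fortios
# Added example (not the poster's config). Assumptions: interface "lan",
# internet "wan2", phone range 192.168.0.200-250, existing PC policy ID 10.

# 1. Address object for the phone range inside the existing subnet
config firewall address
    edit "phones_range"
        set type iprange
        set start-ip 192.168.0.200
        set end-ip 192.168.0.250
    next
end

# 2. Static URL filter for the two sites, attached to a web filter profile.
#    (A FortiGuard category block for social media / streaming is broader,
#    but needs the web filter subscription.)
config webfilter urlfilter
    edit 1
        set name "block_social"
        config entries
            edit 1
                set url "*.facebook.com"
                set type wildcard
                set action block
            next
            edit 2
                set url "*.youtube.com"
                set type wildcard
                set action block
            next
        end
    next
end
config webfilter profile
    edit "phones_web"
        config web
            set urlfilter-table 1
        end
    next
end

# 3. Shared shaper: all phones together capped at 2 Mbit/s (value in kbit/s)
config firewall shaper traffic-shaper
    edit "phones_2mbps"
        set maximum-bandwidth 2048
    next
end

# 4. Policy for the phone range with UTM and shaping, then ordered above
#    the PC policy. Policies match top-down: if policy 10 (srcaddr "all")
#    stayed first, phones would hit it and this policy would never apply.
config firewall policy
    edit 20
        set name "phones_to_internet"
        set srcintf "lan"
        set dstintf "wan2"
        set srcaddr "phones_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "phones_web"
        set traffic-shaper "phones_2mbps"
        set traffic-shaper-reverse "phones_2mbps"
        set nat enable
        set logtraffic all
    next
    move 20 before 10
end
```

The weakness of this approach compared with a VLAN is that the control rests on the source address only: a device that obtains an address outside the phone range (static address, or a lease from the PC pool) falls into the PC policy. Logging both policies (`set logtraffic all`) makes it easy to check in the forward traffic log which policy a given phone actually matched.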