Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
luisalonsoramos
New Contributor

Created on ‎12-27-2022 08:16 AM Edited on ‎12-27-2022 08:17 AM

Single-device subnets from DHCP

Hello,

 

I have a Fortigate unit where I have multiple VLANs (infrastructure, staff, guest, voice, servers...) and policies set up between them.

 

All user devices (either wired or wireless) go to the Staff VLAN, and they get a DHCP assigned address. What I want to do is to give them an IP and a limited subnet address so that they won't see other devices on the same VLAN/DHCP pool. I've seen this in public WiFis (such as hotels).

 

I tried looking in forums and Google, but I don't even know how this is called. Does anyone here know how to do this?

Thanks and happy holidays!

Luis


--
Luis Alonso Ramos
TDC Servicios, S. A. de C. V.
Chihuahua, Mexico
www.tdcservicios.com
--Luis Alonso RamosTDC Servicios, S. A. de C. V.Chihuahua, Mexicowww.tdcservicios.com
Labels:
2096
0 Kudos
1 Solution
ebilcari
Staff
Staff
In response to luisalonsoramos

Created on ‎12-28-2022 12:12 AM

This type of filtering you are asking it will be done on Layer2 level, so users are in the same Broadcast domain/subnet and they don't need a Layer3 device (FGT) to communicate to each other, switch make this possible by default configuration.
If you have a FortiSW managed by FortiGate yes you can apply it access/private VLAN and it will change the default behavior of the Switch.

In your setup FGT + 3rd party switch you have to make changes on the switch only because as explained early the communication is done without including the Gateway.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

View solution in original post

2078
0 Kudos
8 REPLIES 8
ebilcari
Staff
Staff

Created on ‎12-27-2022 08:49 AM Edited on ‎12-27-2022 08:52 AM

Depending on your deployment,
If it includes FortiSW, the feature is called "switch-controller access VLANs": https://docs.fortinet.com/document/fortiswitch/6.4.2/devices-managed-by-fortios/985221/fortiswitch-f....

or you can find it as Private VLAN: https://docs.fortinet.com/document/fortiswitch/7.2.3/administration-guide/104079/private-vlans

For SSID there is the option: Block intra-SSID traffic

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
2089
0 Kudos
luisalonsoramos
New Contributor
In response to ebilcari

Created on ‎12-27-2022 10:12 AM

Thanks for your reply. So "Private VLAN" is how they are called.

I have a Fortigate 60F with a Cisco SG350 switch. I am reading that private VLANs are a switch feature more than a router feature, so is this something I should be looking for in the switch?

 

Thanks,

 

Luis


--
Luis Alonso Ramos
TDC Servicios, S. A. de C. V.
Chihuahua, Mexico
www.tdcservicios.com
--Luis Alonso RamosTDC Servicios, S. A. de C. V.Chihuahua, Mexicowww.tdcservicios.com
2084
0 Kudos
ebilcari
Staff
Staff
In response to luisalonsoramos

Created on ‎12-28-2022 12:12 AM

This type of filtering you are asking it will be done on Layer2 level, so users are in the same Broadcast domain/subnet and they don't need a Layer3 device (FGT) to communicate to each other, switch make this possible by default configuration.
If you have a FortiSW managed by FortiGate yes you can apply it access/private VLAN and it will change the default behavior of the Switch.

In your setup FGT + 3rd party switch you have to make changes on the switch only because as explained early the communication is done without including the Gateway.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
2079
0 Kudos
luisalonsoramos
New Contributor
In response to ebilcari

Created on ‎12-29-2022 08:20 AM

Perfect, thank you very much. This definitely helps.

 

Thanks and happy new year!

 

Luis


--
Luis Alonso Ramos
TDC Servicios, S. A. de C. V.
Chihuahua, Mexico
www.tdcservicios.com
--Luis Alonso RamosTDC Servicios, S. A. de C. V.Chihuahua, Mexicowww.tdcservicios.com
2054
0 Kudos
ebilcari
Staff
Staff
In response to luisalonsoramos

Created on ‎12-29-2022 08:46 AM

You're welcome, Happy new year to you too!

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
2051
0 Kudos
abarushka
Staff
Staff

Created on ‎12-28-2022 01:15 AM

Hello Luis,

 

You may consider to use private VLANs. Please find the details by following the link below:

https://docs.fortinet.com/document/fortiswitch/7.2.3/administration-guide/104079/private-vlans

FortiGate
2072
0 Kudos
npariyar
Staff
Staff

Created on ‎12-29-2022 03:38 AM Edited on ‎12-29-2022 03:38 AM

Hi Luis,

 

I understand that you want to configure /32 subnets on Ethernet via DHCP.

 

I have tested the configuration on my Fortigate Lab and it is currently not supported.

 

Here are the screenshots attached with the error I get at GUI and CLI.

dhcp-32.png

 

Screenshot from FortiGate CLI:

dhcp-32-2.png

Niroj Pariyar
2061
0 Kudos
luisalonsoramos
New Contributor
In response to npariyar

Created on ‎12-29-2022 08:22 AM

It's not exactly a /32 or /31 subnet. Well, it is but it should be different for each device. The Private VLAN comment above is what I was looking for. I just need to find out how to do it on my switch.

 

Thanks,

 

Luis


--
Luis Alonso Ramos
TDC Servicios, S. A. de C. V.
Chihuahua, Mexico
www.tdcservicios.com
--Luis Alonso RamosTDC Servicios, S. A. de C. V.Chihuahua, Mexicowww.tdcservicios.com
2053
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.