Currently we have 2 sites that we connect through a Site to site VPN, this is already up and running. All of our servers are on Site1. We would like to have our printers and access controllers on Site2 get an ip address (and communicate with) from the server on Site1 without adress translation or a static route. Is this possible? And what should I do for this and/or what am I doing wrong because it is not working.
My apologies if this is a stupid question, if anyone feels like taking a look at this dummy problem with us, we are immensely grateful....
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I think there is a logical problem in your diagram.
You could do DHCP if you enabled a DHCP relay on the vlan 60 and also on vlan 204 interface on the FGT on Site2 and have it relay DNS Requests to the corresponding server on site1. That will work because DHCP is basically UDP broadcasting.
However you will not be able to route traffic because you have the same subnets on both sides at least in VLAN 204.
This works between switches but not over a vpn.
So I would recommend to have the DHCP Servers on SIte1 to have a pool for SIte2 that has a different subnet (Vlan 60 seems to be class B anyways already, 204 on Site1 might need a secondary IP on the vlan interface on site1 FGT) and also configure it to hand the FGT on site1 as gateway. Then the FGT on Site2 needs the DHCP relays and a route back to those new subnets over the S2S Tunnel.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Well, when it comes to the getting IP address from a remote DHCP server you can configure the DHCP relay:
https://docs.fortinet.com/document/fortiswitch/7.2.3/administration-guide/559601/configuring-a-dhcp-...
While configuring it, make sure to configure IP addresses on the IPSEC tunnels.
As it is mandatory for the DHCP relay to work.
When it comes to the absence of static routes, try to use any dynamic routing protocol, so it will take care of the distributing the routing information between sites
Ahmad
Created on 04-20-2023 10:29 AM Edited on 04-20-2023 10:44 AM
Thanks a lot!!! There's no way around it but I think we're almost there ;)
(but not quite there yet)
DHCP RELAY on SITE2 interface:
IP on VPN interface on Site1: (Site2 is: 10.41.1.1)
Static ROUTE from site2 to Site1
Static Route from site1 to site2
IPsec Monitor on Site1:
Created on 04-28-2023 02:07 AM Edited on 04-28-2023 02:39 AM
@aahmadzada Ok, I replaced the static routes with a policy route which allows me to ping perfectly from the server to the remote VPN-ip (10.41.1.1) and vice versa. Unfortunately I can't ping to the remote interface of the same VLAN (204) on site 2.
I think there is a logical problem in your diagram.
You could do DHCP if you enabled a DHCP relay on the vlan 60 and also on vlan 204 interface on the FGT on Site2 and have it relay DNS Requests to the corresponding server on site1. That will work because DHCP is basically UDP broadcasting.
However you will not be able to route traffic because you have the same subnets on both sides at least in VLAN 204.
This works between switches but not over a vpn.
So I would recommend to have the DHCP Servers on SIte1 to have a pool for SIte2 that has a different subnet (Vlan 60 seems to be class B anyways already, 204 on Site1 might need a secondary IP on the vlan interface on site1 FGT) and also configure it to hand the FGT on site1 as gateway. Then the FGT on Site2 needs the DHCP relays and a route back to those new subnets over the S2S Tunnel.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
What you're looking for is called VXLAN if I understand your question correctly:
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/38079/vxlan
This requires some configuration, of course.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.