peon2t
New Contributor

VLAN separation: does this setup do what it should?

Hello

We have this FortiGate 40F that has been set up in a certain way, but we're not entirely sure if it actually does what we expect it to do.

We have a small office with a main tenant and a subtenant. Their networks should be separated.

Also there is a guest network that should of course also be separated from the other two.

The main tenant operates on 192.168.54.0, the subtenant on 192.168.41.0, and the guest network is 192.168.31.0.

I attached some screenshots from the FortiGate UI. Is it possible to tell from those screenshots if those three "areas" are separated from each other so that for example a device in 192.168.41.0 can't connect to anything in the 192.168.54.0 area?

The switch is some UniFi product that has the ports used in the subtenant's part of the office set up with the corresponding VLAN ID. The guest WiFi does the same.

On first sight it seems to do as it should, meaning the subtenants receive IPs from the 192.168.41.0 range if they plug in and the devices on the guest WiFi receive IPs from the 192.168.31.0 range.

However, I've read that VLANs aren't actually separated "by default" and that devices from the different VLANs can interact with each other. If this is true, the setup would only be "cosmetically" fine (different areas have different IP ranges) but the intended security aspect wouldn't be met.

Can anyone help?

Policies: [screenshot attachment 2023-01-07_13-40.png]

Interfaces: [screenshot attachment 2023-01-07_13-39.png]

Toshi_Esumi
Esteemed Contributor III

If it's just an L3 router, those VLAN interfaces can talk to each other. That's the purpose of routers: to connect networks.

The FortiGate is a firewall with L3 router features. Without policies like lan<->XXXerdhcp, lan<->guestdhcp, etc., they cannot talk to each other. That's the purpose of a firewall: to restrict/control traffic between connected networks.

Yes, looks fine to me.

Toshi

seshuganesh
Staff

Hi Team,

Since they are already separated with different VLAN IDs, traffic will only be accepted if you create a firewall policy on the firewall between the VLAN interface and the normal interface.

Otherwise, traffic will get denied when going from one interface to another interface.

peon2t
New Contributor

Very well, thank you.

I guess what I read was referring to a situation where the switch had some routing capabilities, but this probably isn't the case here.

I have an additional question (which was the reason why we started looking at the firewall in the first place):

The subtenant wants to start using the network printer that is in the main tenant's network. Is this achievable without big impacts to the separation of the VLANs?

Toshi_Esumi
Esteemed Contributor III

That's the situation I meant with "Without policies like lan<->XXXerdhcp..." above. You just need to add a policy to allow XXXerdhcp->lan to the printer's address. One direction should suffice since printer access is generally one way.

Toshi
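A FortiOS CLI version of the one-way printer policy described above, added here as an illustration and not taken from the thread or from the poster's own configuration. The interface name subtenant_vlan, the printer's host address 192.168.54.50 and the port list are assumptions; the real values come from the FortiGate's interface list and the printer's fixed address.

```fortios
# Added illustration (not from the thread). Assumed names: the subtenant's
# VLAN interface is "subtenant_vlan", the main tenant's interface is "lan",
# and the printer has a fixed address of 192.168.54.50 (constructed value).

# 1. Address object for the printer only (a /32), so the policy does not
#    open the whole 192.168.54.0 network to the subtenant.
config firewall address
    edit "printer-main-tenant"
        set subnet 192.168.54.50 255.255.255.255
    next
end

# 2. Custom service restricted to the printing ports actually needed
#    (assumed: IPP on TCP 631 and raw/JetDirect on TCP 9100).
config firewall service custom
    edit "printing"
        set tcp-portrange 631 9100
    next
end

# 3. One-way policy: subtenant VLAN -> lan, destination = printer only.
#    Because the FortiGate is stateful, the printer's replies ride the
#    same session; no lan -> subtenant_vlan policy is required, and the
#    implicit deny still blocks everything else between the two networks.
config firewall policy
    edit 0
        set name "subtenant-to-printer"
        set srcintf "subtenant_vlan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "printer-main-tenant"
        set action accept
        set schedule "always"
        set service "printing"
        set logtraffic all
    next
end
```

With logtraffic enabled, the policy's forward-traffic log shows whether only the printer ports are being used, and leaving guestdhcp without any policy keeps the guest network fully isolated.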
