Multiple DHCP-enabled VLANs in Fortigate Switch Mode (Solved)

Posted on 2016-09-06, last modified 2016-09-11
I have one Fortigate 80C in switch mode (which means I have one "internal" group that holds all physical LAN ports).

I'm creating a couple of VLANs under the "internal" interface for different purposes (192.168.1.0 and 192.168.2.0) and I will enable DHCP for both VLANs.

Questions:

1) Every client will try to get an IP address, but there are actually two DHCP servers (one for 192.168.1.0 and another for 192.168.2.0), which makes me think it won't work. How should I implement multiple DHCP-enabled VLANs?

2) Is it possible to instruct Fortigate to route all Internet traffic from one VLAN through wan1 and another VLAN through wan2?

3) In order to allow inter-VLAN traffic, do I need something in addition to creating a static route or PBR (and its corresponding policies)?

Thanks!
Question by: dsuy

4 Comments
Accepted Solution by Garry Glendown (earned 250 total points, ID: 41788527)
1 - To serve two DHCP ranges, you will need to be in both broadcast domains with an active interface. Assuming you have created two VLAN interfaces with IP addresses, you should be ready to go; just add the ranges to the respective interfaces and it ought to work.

2 - You can do that either by adding a policy route, or by setting up VDOMs. The latter is a more stringent way to split the two VLANs, as it creates two virtual firewalls that have nothing to do with each other (unless you configure an Inter-VDOM-Link). Either way will work; you just need to see which one fits your overall requirements better.

3 - If the interfaces are in the same VDOM, no. The routes are there automatically, as they are both connected subnets. You will have to configure rules, though (unless you put both VLAN interfaces in the same zone with in-zone access open).

For more detailed information, you'd need to provide some more information on what you are actually setting up. Apart from that, the setup is pretty easy and could probably be finished within 15 minutes by remote session ;)
1
Assisted Solution by vivigatt (earned 250 total points, ID: 41788858)
I am not familiar with Fortigate, but I know DHCP quite well.

You can have a single DHCP server serving 2 different subnets if you use DHCP relaying:
https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#DHCP_relaying

In Cisco-ish, the command is ip helper-address.
Expert Comment by Garry Glendown (ID: 41789055)
Cisco commands don't really help much with Fortigate ... ;) We do both, and they are not very alike. As the FG seems to be terminating both VLANs, DHCP relaying doesn't seem to be necessary in this case. Testing the config, it seems as if FGs do not support ranges outside of the interface broadcast domain, so adding a subnet 192.168.10.0/24 to an interface with an address in 192.168.0.0/24, e.g., is not permitted on the web interface (5.2.8). On the CLI it can be configured, but I did not test if the actual server is behaving correctly (if they are using some standard Linux DHCP server internally, it might).
Author Closing Comment by dsuy (ID: 41793574)
Excellent, this was helpful. Thank you so much.