Looking for lan/vlan help

ccices

Occasional Visitor
Hello all,
I have a fortigate 80c router and a 3com Baseline Switch 2924-PWR Plus that I am using to try and configure our WAN/LAN with.
I also have 2 engenius 300C Wireless AP that I want to share on the LAN.

So far, I created a VLAN interface on the router and also a VLAN with the same ID on the switch. The switch has vlan 1 by default with all ports un-tagged and VLAN100 with a few ports marked as tagged. The ports that are tagged are the ones that I have going to the area where the vlan will reside.

However, everything that is connected is still on the original interface and nothing on the VLAN interface of the router. Not sure where I went wrong.

I followed this guide in setting up the vlan
http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Install_advanced/cb_install-vlan.html

Is it that I needed to set up 2 VLANs and not have any PCs etc. on the default interface?
 
I am in a crunch for time right now and I will respond longer later tonight. In short tagged ports are to carry multiple VLAN's, like between the switch and the router, or switch to switch. Untagged ports are what devices (computers, etc) are hooked to. So both VLAN's should have maybe one or two tagged ports and all the rest should be untagged.
 
So, the ports that have the AP on them, which can carry more than one SSID and be assigned to multiple VLANs, would have their switch port tagged with each VLAN they need to support?

That is most likely my issue, because the ports I wanted on the separate VLAN I left untagged in one VLAN and tagged in another!
 
What is it exactly you are trying to accomplish? That's not very clear to me from your first post.

I operate many Fortigate devices at my job, so I can probably help you, but I need to better understand what you are trying to accomplish.
 
Some things that I've learned from dd-wrt:

1. It sounds like all your physical ports are still on the same VLAN (interface) for untagged traffic.

2. I think it's better to think of the relationship between VLAN tags and physical ports as "the VLAN allows a port to pass tagged traffic" rather than "a VLAN is simply tagged on a port".

3. My understanding is that in newer switchports, vlan0 is meant to be like a null VLAN. It sounds like the idea for a pure trunk interface would be to remove it from any VLANs / move it to the null VLAN and have it pass the VLAN-tagged traffic you desire.

So, my goal in your shoes would be to decide whether I simply want the APs to be separated, in which case moving the physical ports to different VLANs is ideal, or if you want the APs themselves to broadcast for multiple VLANs, then ensuring their physical ports ONLY pass tagged traffic.

Hopefully I'm not wildly off here, as lately I've only dealt with moving physical ports on Asus routers to different VLANs :p
 
Yes, the AP have the ability for multiple VLANS. We have 2 in the area that we want to be able to work as the AP for the VLANS.

The goal is to have 3 distinct VLANS. One for our video station and cameras with the ability to connect to an AP to view the cameras. One for a separate VLAN area and one for a general AP connection to the internet.

The default vlan1 is currently all untagged.
I added the second VLAN but only tagged a few ports.

But from the first response, I think I see where the issue is as all items on both VLAN1 and VLAN100 are able to see each other.

VLAN100 is for the separate area, VLAN200 will be created for video station and vlan1 is for general internet AP connection.

Should I use a separate VLAN for the general internet connection or should I leave that on VLAN1? My guess is a separate one, so that only the admin PC can connect to the router etc. on VLAN1, right?

As for the features of the Fortigate, not there yet.. but it will be used for creating a VPN for the video mostly
 
First of all, forget about tagging the ports for now. Disable all tagging on all ports. More on that later.

Second, VLAN1 is the default VLAN on 3COM switches and it contains all untagged ports by default. If you put an untagged port in another VLAN (let's say VLAN100), it will be removed from VLAN1. HOWEVER, and here is the big IF: if you put a port into VLAN 100 AND enable tagging on it, it will remain an untagged member of VLAN1 (the port will end up being a tagged member of VLAN100 and an untagged member of VLAN1). Because you enabled tagging on some ports, that's why your machines in VLAN1 and VLAN100 can see each other.

Now for the tagging part:

Tagging a port means you tell the switch to add the VLAN ID(s) of the port to the header of each packet that it sends out on that port. It is normally being used if you need to transport multiple VLANs on the same interface to another device (usually a Layer 3 device, like your Fortigate).

But before I start to get into the details of that, let me ask you two questions:

1.) Do you need any traffic to flow between your VLANs?
2.) How many free ports do you have left on your Fortigate?
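To make the membership rule in the reply above concrete, here is an added example (written for this thread, not code from 3Com or Fortinet) that models the two rules the post states: an untagged port moved to another VLAN leaves VLAN1, while a port that is only tagged for a VLAN keeps its untagged membership in VLAN1. The model's reading of the switch behaviour is an assumption taken from the post, not from vendor documentation, and the port numbers and VLAN IDs are constructed from the thread. It then audits the switch against the intended access-port layout and reports which ports still share a VLAN, which is the check to run before concluding two VLANs are isolated.

```python
from dataclasses import dataclass, field

DEFAULT_VLAN = 1  # the default VLAN every port starts in, untagged


@dataclass
class Port:
    untagged: int = DEFAULT_VLAN
    tagged: set = field(default_factory=set)

    def memberships(self):
        """All VLANs this port belongs to, tagged or untagged."""
        return {self.untagged} | self.tagged


class Switch:
    """Port-membership model following the rules stated in the reply above
    (an assumption about that switch's behaviour, not vendor documentation)."""

    def __init__(self, port_count):
        self.ports = {n: Port() for n in range(1, port_count + 1)}

    def set_untagged(self, port, vlan):
        # Putting a port into another VLAN untagged removes it from VLAN 1.
        self.ports[port].untagged = vlan

    def add_tagged(self, port, vlan):
        # Tagging a port for a VLAN leaves its untagged membership (VLAN 1) alone.
        self.ports[port].tagged.add(vlan)

    def shared_vlans(self, a, b):
        """VLANs two ports have in common; non-empty means frames can pass between them."""
        return self.ports[a].memberships() & self.ports[b].memberships()

    def audit(self, intended):
        """intended maps port -> the single VLAN an access port should be in.
        Returns (port, sorted actual memberships) for every port that differs."""
        return [(p, sorted(self.ports[p].memberships()))
                for p, vlan in intended.items()
                if self.ports[p].memberships() != {vlan}]


# Constructed scenario from the thread: ports 1-2 go to the lab (VLAN 100),
# port 24 goes to the video NAS and is still in VLAN 1 at this stage.
INTENDED = {1: 100, 2: 100, 24: 1}


def first_attempt():
    """What the original poster did: tag ports 1 and 2 for VLAN 100 only."""
    sw = Switch(24)
    sw.add_tagged(1, 100)
    sw.add_tagged(2, 100)
    return sw


def corrected():
    """The fix from the reply: no tagging, move the ports untagged into VLAN 100."""
    sw = Switch(24)
    sw.set_untagged(1, 100)
    sw.set_untagged(2, 100)
    return sw


if __name__ == "__main__":
    bad, good = first_attempt(), corrected()
    print("first attempt findings:", bad.audit(INTENDED))
    print("lab port 1 shares with NAS port 24:", bad.shared_vlans(1, 24))
    print("corrected findings:", good.audit(INTENDED))
    print("after the fix, shared VLANs:", good.shared_vlans(1, 24))
```

In the first attempt the audit reports ports 1 and 2 as members of both VLAN 1 and VLAN 100, and `shared_vlans(1, 24)` returns `{1}`, which is the path by which the lab and the NAS still see each other; after the fix the audit is empty and the two ports share nothing.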
 
No traffic to flow between vlans.
3 separate VLANs in total (not counting the default VLAN1 on the 3com).
VLAN100 - Lab - I have 2 wall ports to the 3com switch. I currently have 1 wall port connected to a D-Link D1008g 8-port switch with 7 devices attached. I need only one of these devices to have the ability to connect to the internet and the rest restricted from the internet. I need a wireless connection to this network but no internet with the wireless connection.
VLAN200 - Video - QNAP video station currently connected to a 3com port. Needs a wireless connection. Needs internet.
VLAN300 - general internet connection via wireless AP.


The fortigate is 6 ports , 5 free and 1 to the 3com switch.

The 3com has port 13 to the fortigate, port 24 to video NAS, port 1,2 to LAB, and ports 7,8 to AP1, and AP2.
 
Ok, if you don't need any traffic flow between the VLANs, and you have enough free ports on the Fortigate, then this should be easy. No need for trunking/tagging.

1. Turn off all tagging on all ports.
2. Move all ports to the VLANS (removing them from VLAN1).
3. Connect one port from each VLAN that needs internet to the Fortigate.
4. Configure those Fortigate interfaces with IPs from the respective VLANs.
5. Make the IP address you assigned to the Fortigate interfaces the default gateway for the machines in the VLAN.
6. Create firewall policy on Fortigate that allows traffic to flow from/to internet.

If you later decide you need traffic to flow between the VLANs, all you have to do is create firewall rules on the Fortigate accordingly.

So in your case:

1. Put a free port of the 3COM in VLAN 100 and connect it to the first free port on the Fortigate.

2. Put a free port on the 3COM into VLAN 200 and connect it to the second free port on the Fortigate.

3. Put a free port on the 3COM into VLAN 300 and connect it to the third free port on the Fortigate.

4. Give each of those three Fortigate interfaces an IP address in the VLAN it connects to (say VLAN 100 has IP range 10.10.1.0/24 then you assign 10.10.1.254/24 to the Fortigate interface in that VLAN). Do the same for the other ports/VLANs (make sure the VLANs use different subnets!).

5. Change the default gateway for your computers/hardware to the IP address of the Fortigate (for example, for VLAN 100 it would be 10.10.1.254).

6. Create firewall rules on the Fortigate as you see fit (only allow IP addresses to access the internet that need internet, block the others, etc.).

I hope this makes some sense.

If you have any questions, let me know.

Good luck :-)
 

This is probably not the way I would do it, but maybe it is the easiest way to do it. If you do it this way and want your AP's to serve multiple VLAN's then you will need to make sure the port they are plugged into is a Tagged member of every VLAN you want them to service.
 
Yes. It's the easiest way to do it. I wanted to take out the confusion.

Personally, I wouldn't waste 3 interfaces on my firewall but instead build a trunk on a single interface. But if you don't know about these things, it can be very confusing. So I offered an easy way out.
 

Sounds good, and a perfectly workable solution.
 
Thanks,
Yes, the wireless AP one is still confusing me.
The APs need to have an IP address themselves, so which subnet do I add them to?
Right now, the router, switch and AP are all on the Vlan1 subnet.
I think I understand the way you are saying to do it.. Currently I have only 1 port to the fortigate and your suggestion is 3 ports to the fortigate with each port being in the vlan defined within the fortigate.
Maybe I need a network map! I will attempt to draw one up for the way you suggested.
 
A network drawing would probably be a good idea. This should give us a better understanding of what you are trying to achieve.

As for the APs: You said you have two different APs. Just put one in each VLAN that needs wireless and you are good. Since the VLANs are isolated from each other, the WLAN clients won't be able to see the clients on the other AP.
 
here is the network diagram.
The goal is to have 3 separate VLANs.
The 3Com switch has a default VLAN1 that I am unsure about.
Included in the diagram is what I have set up so far but again.. new to vlan.
I have yet to change it to the suggestion made earlier using a separate port from the Fortigate for each Vlan. I can change to that as well if it will serve the situation better as there will be no other components attached to the fortigate at this time. The main purpose of the switch is to patch in the EnGenius AP and the wall jacks from the lab (2).
The video server lan will need to connect to remotely located IP cameras by vpn (future use)
The subnet for the lab is currently DHCP from the fortigate but I think I should set that to manual.
Thanks all for your help.
(The pdf file has better resolution as the text in the image is small.)
 

Attachments: Drawing3.pdf, Drawing3.jpg
Ok, don't worry, this is actually very easy. Here is what you do, in a nutshell. If you need details, let me know.

1. Define three different IP address subnets, one for each of your VLANs. For example: 10.10.100.0/24, 192.168.100.0/24, 172.16.1.0/24. Configure your machines/clients accordingly.

2. Configure VLAN 100, 200 and 300 on your switch. Move the ports to the VLANs as needed, making sure you completely disable tagging everywhere. Move everything out of the default VLAN-1.

3. Configure your Fortigate with one WAN interface (Internet). Remove any bridge networks you may have configured. Then configure three interfaces for your three VLANs, putting each into its own security zone (name the zones according to your VLAN names). For example:

Interface 0 -> Security Zone: WAN (Internet), IP: from ISP
Interface 1 -> Security Zone: LAB, IP: 10.10.100.254/24
Interface 2 -> Security Zone: Video, IP: 192.168.100.254/24
Interface 3 -> Security Zone: Internet, IP 172.16.1.254/24

Connect interfaces 1-3 to the switch, one in each VLAN (making sure to plug it into the correct VLAN).

4. Create security rules on the Fortigate as needed. For outgoing internet traffic from the Internet VLAN you would choose the from:Internet to:WAN security zone context and create rules in there. etc.

5. Configure all machines in the VLAN to use the IP address of the Fortigate as the default gateway. e.g. in the LAB VLAN you would use 10.10.100.254 if you would follow my example, the Video VLAN would use 192.168.100.254 etc.

6. You're all set.

7. send beer to me.

This setup will effectively route all traffic through the firewall (unless it stays in its own VLAN). You use the firewall to route and control (security rules) the traffic.

Good luck.

:-)
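The plan above, and the earlier numbered list of steps from the same poster, boil down to three disjoint subnets, a .254 gateway per VLAN on the Fortigate, and zone-to-zone rules with nothing allowed unless a rule says so. The following is an added example for this thread (not Fortinet code or the poster's configuration) that checks those three points on the example subnets: it verifies the subnets do not overlap, derives the gateway addresses, and evaluates flows against a small zone-based rule set in which only one lab host may reach the internet, matching the earlier requirement that just one lab device gets internet access. The policies, the lab host address and the external addresses are constructed assumptions; the model is stateless, so reply traffic of accepted sessions (which a real firewall handles through its session table) is not represented.

```python
import ipaddress

# Constructed from the plan's example subnets.
SUBNETS = {
    "LAB": "10.10.100.0/24",
    "Video": "192.168.100.0/24",
    "Internet": "172.16.1.0/24",
}

# Evaluated top-down, first match wins; no match is an implicit deny.
# Only one lab host (an assumed address) is allowed out; Video and the
# general-internet VLAN may reach the WAN; nothing else is permitted.
POLICIES = [
    {"src": "LAB", "dst": "WAN", "srcaddr": "10.10.100.10/32", "action": "accept"},
    {"src": "Video", "dst": "WAN", "srcaddr": "all", "action": "accept"},
    {"src": "Internet", "dst": "WAN", "srcaddr": "all", "action": "accept"},
]


def overlapping_subnets(subnets):
    """Pairs of zones whose subnets overlap; the plan requires this to be empty."""
    nets = {z: ipaddress.ip_network(c) for z, c in subnets.items()}
    zones = list(nets)
    return [(a, b) for i, a in enumerate(zones) for b in zones[i + 1:]
            if nets[a].overlaps(nets[b])]


def gateways(subnets):
    """Per zone, the last usable host (.254 in a /24): the Fortigate interface
    address that clients in that VLAN use as their default gateway."""
    return {z: str(list(ipaddress.ip_network(c).hosts())[-1])
            for z, c in subnets.items()}


def zone_of(ip, subnets=SUBNETS):
    """Security zone an address belongs to; anything outside the VLANs is WAN."""
    addr = ipaddress.ip_address(ip)
    for zone, cidr in subnets.items():
        if addr in ipaddress.ip_network(cidr):
            return zone
    return "WAN"


def decide(src_ip, dst_ip, policies=POLICIES):
    """Zone-based decision for one flow: accept, deny, or intra-vlan."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "intra-vlan"  # switched locally, never reaches the firewall
    src = ipaddress.ip_address(src_ip)
    for pol in policies:
        if pol["src"] != src_zone or pol["dst"] != dst_zone:
            continue
        if pol["srcaddr"] == "all" or src in ipaddress.ip_network(pol["srcaddr"]):
            return pol["action"]
    return "deny"  # implicit deny: no inter-VLAN traffic without an explicit rule


if __name__ == "__main__":
    print("overlaps:", overlapping_subnets(SUBNETS))
    print("gateways:", gateways(SUBNETS))
    for flow in [("10.10.100.10", "203.0.113.5"),   # permitted lab host -> internet
                 ("10.10.100.20", "203.0.113.5"),   # other lab host -> internet
                 ("10.10.100.10", "192.168.100.5"), # lab -> video (no rule)
                 ("192.168.100.5", "203.0.113.5"),  # video -> internet
                 ("203.0.113.5", "10.10.100.10")]:  # unsolicited inbound
        print(flow, "->", decide(*flow))
```

Adding a LAB-to-Video rule later is just another entry in `POLICIES`, which mirrors the reply's point that inter-VLAN access is a firewall rule, not a switch change.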
 
Thanks,
The only issue that is confusing me is what IP do I configure the switch, router and APs on?
I would like to be able to get to the switch, AP and router through either the lab or one of the SSIDs of the AP.
I need all VLANs to share the AP, and the AP allows me to tag each SSID to a VLAN.
When I first set up the Fortigate using the wizard, it put itself, the switch and the AP on its own IP. This is currently on VLAN1 in the switch.
 
You can use a management VLAN if you want. This is what many people use VLAN1 for in their setups. Give VLAN1 its own subnet and put your management IP's in that subnet and VLAN. If you don't want to do that then you can put the IP for the switch, AP's and router in any subnet and VLAN that they can see.
 