- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: VPN and VLAN question
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPN and VLAN question
Hi all,
While I'm waiting on my first FortiGate's, I would like to prepare some things. We will have 11 BO which will connect to the HQ. At HQ we will have two 200F in HA, all BO will have 80F.
HQ will have one Win 2019 Server (DHCP, DNS, etc).
HQ will have FortiManager
I would like to make VLAN's and Subnets as next:
VLAN 2 - Workstations (each site with their subnet ex. 10.10.10.0/24; 10.10.11.0/24, 10.10.13.0/24, etc over the same VLAN)
VLAN 3 - Servers
VLAN 4 - Management (switches, FG)
VLAN 5 - WiFi - Emplyee
VLAN 6 - WiFi - Guests
VLAN 7 - Other (UPS)
VLAN 8 - Trunk
HQ - 100 Mbps Internet
BO - most of them 50 Mbps and some 80 Mbps
Obviously need to split the tunnel
My questions:
- What kind of VPN connection would you recommend? Routing?
- Would it be better if I split VLAN so for each subnet different VLAN (each BO with their VLAN)? I'm not sure if this would make more trouble for the administration. VLANs 2, 3, 4, 7 and 8 need to talk to each other. VLAN 5 and VLAN 6 need to be isolated from others.
Thank you all for your help!
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
some more general thoughts on how to design a new network.
To be secure, a network needs to be simple, robust and transparent. Simple so that one can grasp how the parts of the network work together easily. Robust means that small changes have equally small consequences. And transparent, all essential information is at your disposal at all times for you to manage the network.
At least that's what it's boils down to in my experience, dealing with networks for like 3 decades now.
In your case, I would try to use one template for the BOs and one for the HQ. That is, the same functionality would use the same VLAN ID (like VoIP is VLAN 101)*. If you're lucky the similarities are such that you can put the FMG to use and roll out one branch in no time, and then adjust the details (ISP etc.).
*hint: of course, do NOT reuse address ranges in different locations, even if you now do not intend to connect them. Always use unique ranges. RFC1918 provides so many choices that this should not be difficult.
IMHO BO to HQ needs IPsec site-to-site VPNs, no question. Corner cases like obtaining private addresses on the WAN side can still be included. In FortiOS, a no-brainer.
I'm not so much a fan of "fully meshed VPN" if more than 3-4 sites are involved. Simplicity is down, robustness might improve by having more redundancy, YMMV.
Much more important is routing in such a super-net (a network of sites all having networks). I'd always recommend using a dynamic routing protocol for 11 sites plus HQ, just because setup is easy and will pay off in the future with every network you need to connect to. Connecting networks itself is highly dynamic, you cannot foresee all connections you will need. So, OSPF is a good choice, quick and it relieves you a lot in case a node fails.
One hint for routing: assign a private IP address to each tunnel end (of course, stick with a scheme, like 'the smaller on HQ side, plus 1 on BO side'). You could as well create loopback addresses on each FGT but it's more work. Plan addresses such that you always have a super-net notation ready (e.g. 172.20.n.0/30 for BO <n>, 172.20.0.0/16 is the supernet).
When creating address objects, always make them routable. Can't be done in GUI afterwards, and it will come in handy later. Like, in static routes or in VPN phase 2 QM selectors. It's a pity that you cannot peek into a route which is based on a named object but it makes the routing table less error prone.
Hope this helps, all of this from my experience and not from books, highly subjective of course.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
some more general thoughts on how to design a new network.
To be secure, a network needs to be simple, robust and transparent. Simple so that one can grasp how the parts of the network work together easily. Robust means that small changes have equally small consequences. And transparent, all essential information is at your disposal at all times for you to manage the network.
At least that's what it's boils down to in my experience, dealing with networks for like 3 decades now.
In your case, I would try to use one template for the BOs and one for the HQ. That is, the same functionality would use the same VLAN ID (like VoIP is VLAN 101)*. If you're lucky the similarities are such that you can put the FMG to use and roll out one branch in no time, and then adjust the details (ISP etc.).
*hint: of course, do NOT reuse address ranges in different locations, even if you now do not intend to connect them. Always use unique ranges. RFC1918 provides so many choices that this should not be difficult.
IMHO BO to HQ needs IPsec site-to-site VPNs, no question. Corner cases like obtaining private addresses on the WAN side can still be included. In FortiOS, a no-brainer.
I'm not so much a fan of "fully meshed VPN" if more than 3-4 sites are involved. Simplicity is down, robustness might improve by having more redundancy, YMMV.
Much more important is routing in such a super-net (a network of sites all having networks). I'd always recommend using a dynamic routing protocol for 11 sites plus HQ, just because setup is easy and will pay off in the future with every network you need to connect to. Connecting networks itself is highly dynamic, you cannot foresee all connections you will need. So, OSPF is a good choice, quick and it relieves you a lot in case a node fails.
One hint for routing: assign a private IP address to each tunnel end (of course, stick with a scheme, like 'the smaller on HQ side, plus 1 on BO side'). You could as well create loopback addresses on each FGT but it's more work. Plan addresses such that you always have a super-net notation ready (e.g. 172.20.n.0/30 for BO <n>, 172.20.0.0/16 is the supernet).
When creating address objects, always make them routable. Can't be done in GUI afterwards, and it will come in handy later. Like, in static routes or in VPN phase 2 QM selectors. It's a pity that you cannot peek into a route which is based on a named object but it makes the routing table less error prone.
Hope this helps, all of this from my experience and not from books, highly subjective of course.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well maybe I can give you a clue:
we have 20 Shop-Sites with 50mbit Internet connection on two lines.
Each shop-site has 2 IPSec S2S Tunnels to HQ.
Each ship-site and also HQ use the same Vlan-IDs for their vlan.
Since the vlan is local on the FGT (and the switches behind it) that's no problem.
HQ has redundant static routes to all subnets at every shop-site. Shop-Site has redundant static routes to HQ.
Redundant static routes in this case means there is one static route for each tunnel and subnet. So each Shop-Site-SUbnet has a static route over both tunnels with different prio/distance. This creates redundancy because primarily traffic always uses the way with the lowest cost and if that ain't available the next highest.
Then all we need is policies at HQ and Shop-Sites to allow the traffic we want to flow (and do some UTM stuff).
To maintain all the FGTs we use FortiManager (as a VM at HQ). Works fine here.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Related Posts
- Can't ping VLAN interfaces through VPN 58 Views
- FortiMail issue ip reputation 115 Views
- FortiSiem FSM-2000F the external collector 110 Views
- DoS policy in FortiGate 318 Views
- Akira Ransomware 258 Views
Labels
-
FortiGate
6,533 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.