Based on the information you provided, I don't think you need *another* subnet so much as you need a *larger* subnet.  You could simply expand it to a /23 or /22 and leave your gateway at the same address.  Old DHCP or static clients would still reach the gateway but they might begin to have trouble reaching other clients in the expanded space until you updated their subnet mask (either via DHCP renewal or manually if they are static).

lobstercreed wrote:

Based on the information you provided, I don't think you need *another* subnet so much as you need a *larger* subnet.  You could simply expand it to a /23 or /22 and leave your gateway at the same address.  Old DHCP or static clients would still reach the gateway but they might begin to have trouble reaching other clients in the expanded space until you updated their subnet mask (either via DHCP renewal or manually if they are static).

This approach would only work with prior planning being that there may not be free room in the 192.168.2.0/24 range.

Depending on Marius's response, if he is running out of IP leases, I would suggest for a short term solution is to shorten the lease time to say 1-2 days. 

 

I don't need separate lan, I will use the same LAN port on Fortigate. I only want for example move my camera's IP to 192.168.2.x subnet and I want access them from 192.168.1.x subnet. I use the same Fortiagate gateway 192.168.1.1.

Based on this requirement, perhaps bind a secondary IP (say 192.168.2.1) to the internal interface (that covers 192.168.1.x), which should be able to communicate with the camera IP on 192.168.2.x.   If you need to access this camera from outside (WAN) you could try a VIP (port forward) to the camera's IPs on the internal interface.    Alternately, and more likely more preferred if you do have VLANs setup on the internal interface is to create a second VLAN for 192.168.2.x), but the camera device will need to have VLAN support if you are using the same cable connection.  If not, you will need to either break up the internal interface members (say remove port7) and create a separate network using that port or use either DMZ or WAN2 if these ports are not currently used.  

serfasit wrote:
I don't need separate lan, I will use the same LAN port on Fortigate. I only want for example move my camera's IP to 192.168.2.x subnet and I want access them from 192.168.1.x subnet. I use the same Fortiagate gateway 192.168.1.1.

Hello,

 

I using fortigate only for Gateway (IP 192.168.1.1), I have AD server (192.168.1.2) with DHCP enable on it. And DHCH IP adresses are enough for me. 

But I want move my hardware IP adresses (for example Ip cameras, printers and ect) to other subent example 192.168.2.x. 

But then I configure my camera and added IP for example 192.168.2.2 I can't ping from my computer (for example computer IP 192.168.1.42 DHCP from my AD server). 

What is the best way to reach subnet 192.168.2.x from my network?

The proper ideal way to separate your server, cameras, printers from your client devices is to place them on a separate cabled network (e.g. dividing up your switches and use at least two ports on the fgt device and a firewall policy for communicating between the two subnets or setup vlans.

 

If you simply want to create an IP space separation between servers/printers/devices and still be able to have them communicate with the other devices you need to enlarge the IP scope and adjust the subnet mask accordingly. You basically keep the same default GW address, but change the net mask.

 

Keep in mind that devices are only able to communicate with each other directly if they are detected on the same network (based on network/net mask) - otherwise communications is routed through the default gateway address. 

 

 

Hi,

So all what I need to do is simple change Fortigate net mask?