Separate Computers and Cellphones on the same Network with Different IP addresses

Chrispike89
2019/09/05 06:51:38

Good Day
 
I am fairly new to advanced FortiGate settings.

This is my idea and how my infrastructure is currently set up, after which I will explain what I am trying to do.
 
I have a FortiGate 100E - 5 HPE Switches - 5 UniFi APs
 
WAN2 - Wireless Internet
WAN1/SPF1 - Fiber Internet (currently awaiting fiber installation)
 
Port 1 - Connected to Switch 1 & 2 - PoE switches connecting IP phones to PABX and internet for Times
Port 2 - Connected to Switch 3, 4 & 5 - HPE switches connecting computers and laptops to Network & Internet
Port 3 - Connected to Security Camera System - Gives all cameras internet access for external viewing
 
(UniFi APs connected to Switch 5, giving laptops and cellphones internet with the same IP range as the computers)
All of the above are hardware switches configured on the FortiGate 100E.
 
What I am trying to do...
 
I would like to keep the UniFis on the same network but want them to have separate addresses from the computers.
Computer-PC with 192.168.0.1
Android 9.1 with 10.0.0.1
 
After achieving this I can then make rules for cellphones to use low bandwidth and restrict sites (keep people off Facebook and YouTube)
 
I have thought of making another hardware switch just for the WiFi, but there are some laptops and computers that need to connect to the WiFi (faulty RJ45 ports, etc.)

I know there is a device inventory and would like to make use of it so that only computers connect to 192.168.0.1 and Android phones and iPhones connect to 10.0.0.1.

Thank you in advance
#1

7 Replies

    OneOfUs
    2019/09/05 07:23:42
    If you had FortiAPs you could create separate SSIDs for Computers and Phones. Computer SSID would bridge to the local network (or tunnel for more policy control) and Phone SSID would tunnel to the FortiGate.
     
    In your case, you can see if you can create separate SSIDs and assign them to different VLANs.  You can then layer 2 the VLAN to the Fortigate for policy control.
    #2
    Chrispike89
    2019/09/06 00:49:56
    Thank you for your reply.
     
    The UniFi APs were from the old building and we needed to cut costs. I'm not familiar with VLANs on FortiGate and UniFi, but I will do some digging to see what I can do in that regard.
    #3
    SecurityPlus
    2019/09/06 02:40:27
    We did an installation where we did what Chrispike89 suggested and it appears to work well. We are not using device inventory.

    FWF30E, FG50E, FWF50E, FG60D, FWF60D, FG60E, FG80E, FG100D
    FortiOS 5.2, 5.4, 5.6, and 6.0
    FortiSwitch FS-224E-POE
    FAP-221E, FAP-221C
    #4
    Chrispike89
    2019/09/10 22:55:09
    Hi SecurityPlus
     
    Can you give me a bit of enlightenment on how I can separate my computers on the LAN?

    I was thinking of creating two policies: one for Windows PCs and Mac PCs, and another policy for everything else.
    #5
    sw2090
    2019/09/10 23:18:58
    Why do you want to separate them at all?

    What we do here with FGT + HP or Dell switches + UniFi APs is this:

    There is one subnet for PCs. This has a DHCP server in it (not on the FGT) that serves the PCs.
    There are three subnets for the three WiFis we have. Those are on VLAN interfaces on the FGT.
    There is one subnet for management. This is a VLAN on the FGT too. The UniFi APs and the switches have IPs in this one.
    The UniFi APs are connected to a VLAN trunk port on the switch (i.e. tagged in all but the main VLAN (vid 1) due to HP reasons). The APs do VLAN tagging for the three WiFis.
    The FGT acts as DHCP server in two of the three WiFi subnets and as DHCP forwarder in the third one.
    There are policies on the FGT to allow traffic between all these subnets as we need it.
     
    Works fine so far.
     
    Maybe this gives you some inspiration?
    #6
    Chrispike89
    2019/09/10 23:34:09
    Thank you for the feedback. I'm not clued up on VLANs; everyone I have spoken to says it's very easy.

    I tried to configure VLANs once but failed and had to factory reset the switches, as whilst doing the setup I was under a lot of pressure to get the site up and running before everyone was settled at their desks.

    I am trying to free up one switch so that I can play around with it and do some VLAN training on it.

    I know what VLANs are supposed to do because I need to do this to get a NanoBeam to send both LAN and telephone network over it.

    I have a few different ranges that I have set up on my FGT.

    192.168.0.1 - Computers
    192.168.1.1 - Telephones
    192.168.2.1 - Cameras

    These are set using the hardware switch function, where my telephones are on 2 PoE switches connected to LAN1, computers are connected to LAN2 with 3 switches, and LAN3 is connected to a separate network cabinet with the DVR and its switches.

    My reason for separation is that I want to block cellphones from YouTube and Facebook and give them a bandwidth limit so that they don't affect my internet in the office. Everyone has an Android or an iPhone, and some have watches and tablets, so I'm sitting at around 60 devices pulling my internet down, and my computers running tracking are suffering.
     
     
    #7
    sw2090
    2019/09/11 00:38:02
    If it's just for UTM and traffic shaping, you don't necessarily need to have different subnets.
    You could use IP ranges inside one subnet and make policies for them with UTM/traffic shaping enabled.
    You would then just have to mind the order of your policies!
    #8
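
The point about policy order in post #8, as an added example that is not part of the thread and is not FortiGate configuration: a small Python model of top-down, first-match policy evaluation over IP ranges inside one subnet, plus a check for policies that can never match. The policy names, the address split inside 192.168.0.0/24, and the shaper and filter fields are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    start: str           # first source address the policy matches
    end: str             # last source address the policy matches
    shaper_kbps: int     # 0 = no bandwidth limit (hypothetical field)
    block_social: bool   # stand-in for a UTM web-filter profile

    def span(self):
        return (int(ipaddress.IPv4Address(self.start)),
                int(ipaddress.IPv4Address(self.end)))

    def matches(self, ip):
        lo, hi = self.span()
        return lo <= int(ipaddress.IPv4Address(ip)) <= hi

def first_match(policies, ip):
    """Return the first policy, top-down, whose source range contains ip."""
    return next((p for p in policies if p.matches(ip)), None)

def shadowed(policies):
    """Names of policies that can never match because earlier ones cover them."""
    dead = []
    for i, p in enumerate(policies):
        lo, hi = p.span()
        # Walk the earlier ranges in address order; each one that contains
        # the lowest still-uncovered address pushes that address past its end.
        for e_lo, e_hi in sorted(q.span() for q in policies[:i]):
            if e_lo <= lo <= e_hi:
                lo = e_hi + 1
        if lo > hi:
            dead.append(p.name)
    return dead

# Constructed layout: phones in .128-.254, one broad rule for the whole LAN.
PHONES = Policy("phones", "192.168.0.128", "192.168.0.254", 2000, True)
LAN_ALL = Policy("lan-all", "192.168.0.1", "192.168.0.254", 0, False)

GOOD_ORDER = [PHONES, LAN_ALL]   # specific range first
BAD_ORDER = [LAN_ALL, PHONES]    # broad rule first: the phone rule never fires
```

With the broad rule on top, a phone at 192.168.0.200 gets the unrestricted policy, and `shadowed(BAD_ORDER)` reports the phone policy as unreachable.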