How to: Run two VLANs on a single subnet through one port on FIREWALL (SOPHOS, FORTIGATE)

    Weekend Wiki
    Administrator
    Running two VLANs on a single subnet through one port in a FortiGate firewall is achievable, but it requires careful configuration of VLAN interfaces and policies. Below is a step-by-step “How-To” guide to achieve this setup.


    Overview of the Setup

    • Single Subnet: 192.168.10.0/24
    • VLAN IDs:
      • VLAN 10 (Tagged traffic)
      • VLAN 0 (Untagged traffic/native VLAN)
    • Firewall Interface: e.g., port1

    Step 1: Access the FortiGate Management Interface

    1. Log in to the FortiGate Web GUI or CLI using your admin credentials.
    2. Identify the physical interface (e.g., port1) connected to your switch.

    Step 2: Create VLAN Interfaces in FortiGate

    In Web GUI

    1. Go to Network > Interfaces.
    2. Click Create New > Interface.
    3. Configure the VLAN for VLAN 10:
      • Name: VLAN_10
      • Interface: Select port1 (or the appropriate physical port).
      • VLAN ID: 10
      • IP/Netmask: Set an IP in the same subnet, e.g., 192.168.10.1/24.
      • Leave DHCP disabled if the DHCP server is elsewhere.
      • Enable Administrative Access (if required).
    4. Repeat the above steps for the native VLAN (VLAN 0) by creating another interface:
      • Name: VLAN_0
      • Interface: port1
      • VLAN ID: 0 or leave VLAN ID blank (untagged traffic).
      • Use an IP in the same subnet, e.g., 192.168.10.2/24.
    5. Click OK to save both interfaces.

    In CLI

    # Create VLAN 10 interface (tagged frames arriving on port1)
    config system interface
        edit "VLAN_10"
            set vdom "root"
            set interface "port1"
            set vlanid 10
            set mode static
            set ip 192.168.10.1 255.255.255.0
        next

    # Untagged (native VLAN) frames: FortiOS only accepts vlanid 1-4094, so a
    # "VLAN 0" sub-interface cannot be created. Untagged frames arriving on
    # port1 terminate on the physical interface itself, so address port1
    # directly; it plays the role the GUI steps above call VLAN_0.
        edit "port1"
            set vdom "root"
            set mode static
            set ip 192.168.10.2 255.255.255.0
        next
    end

    # Two interfaces in the same subnet are rejected as overlapping unless
    # subnet overlap is explicitly allowed for the VDOM.
    config system settings
        set allow-subnet-overlap enable
    end
    

    Step 3: Configure the Switch (Trunk and VLAN Settings)

    On the Switch

    1. Trunk Port (Switch to Firewall):
      • Configure the port connected to FortiGate as a trunk port.
      • Allow VLAN 10 (tagged) and configure VLAN 0 as the native VLAN (untagged).
    2. Access Ports (Devices):
      • Assign VLAN 10 to ports for VLAN 10 devices.
      • Use the native VLAN (VLAN 0) for untagged devices.

    Step 4: Enable Inter-VLAN Routing on FortiGate

    To allow devices in VLAN 10 and VLAN 0 to communicate with each other, ensure the following:

    In Web GUI

    1. Go to Policy & Objects > IPv4 Policy.
    2. Create a new policy:
      • Name: VLAN_10_to_VLAN_0
      • Incoming Interface: VLAN_10
      • Outgoing Interface: VLAN_0
      • Source: All (or specify the subnet/IPs of VLAN 10).
      • Destination: All (or specify the subnet/IPs of VLAN 0).
      • Service: All.
      • Action: Accept.
      • Enable NAT if required.
    3. Create another policy for traffic in the opposite direction:
      • Name: VLAN_0_to_VLAN_10
      • Incoming Interface: VLAN_0
      • Outgoing Interface: VLAN_10
    4. Save both policies.

    In CLI

    # Policy: VLAN 10 to the untagged segment. The untagged side is the
    # physical port1 (the GUI steps call it VLAN_0); FortiOS has no VLAN 0
    # sub-interface, so the policy references port1 directly.
    config firewall policy
        edit 1
            set name "VLAN_10_to_VLAN_0"
            set srcintf "VLAN_10"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            # Optional: NAT is not required to route between two directly
            # attached segments. When enabled, the source is rewritten to the
            # egress interface IP, so the destination's logs show the
            # FortiGate rather than the real client address.
            set nat enable
        next

    # Policy: untagged segment (port1) to VLAN 10
        edit 2
            set name "VLAN_0_to_VLAN_10"
            set srcintf "port1"
            set dstintf "VLAN_10"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
    

    Step 5: Verify the Configuration

    Check Interfaces

    1. In the GUI, go to Network > Interfaces.
    2. Ensure both VLAN_10 and VLAN_0 are up and connected.

    Check Policies

    1. Go to Policy & Objects > IPv4 Policy.
    2. Ensure the policies for inter-VLAN routing are active and properly configured.

    Ping Test

    1. Test connectivity between devices in VLAN 10 and VLAN 0.
    2. Ensure devices can access the FortiGate’s IP in the subnet (e.g., 192.168.10.1).

    Step 6: Enable DHCP (Optional)

    If the FortiGate is to provide DHCP for both VLANs:

    In Web GUI

    1. Go to Network > Interfaces.
    2. Edit VLAN_10 and VLAN_0.
    3. Enable DHCP and configure the DHCP ranges (e.g., 192.168.10.100 - 192.168.10.200).
    4. Save the settings.

    In CLI

    # DHCP for VLAN 10. In FortiOS the gateway is set with default-gateway and
    # the address pool lives in a nested ip-range block.
    config system dhcp server
        edit 1
            set interface "VLAN_10"
            set default-gateway 192.168.10.1
            set netmask 255.255.255.0
            set dns-service default
            config ip-range
                edit 1
                    set start-ip 192.168.10.100
                    set end-ip 192.168.10.150
                next
            end
        next

    # DHCP for the untagged segment, served on the physical port1 (the GUI
    # steps call this VLAN_0). Keep the two pools disjoint.
        edit 2
            set interface "port1"
            set default-gateway 192.168.10.2
            set netmask 255.255.255.0
            set dns-service default
            config ip-range
                edit 1
                    set start-ip 192.168.10.151
                    set end-ip 192.168.10.200
                next
            end
        next
    end
    

    Step 7: Save and Test

    1. Save the configuration:
      # Only needed when cfg-save is set to manual; in the default automatic
      # mode every "end" commits the change.
      execute cfg save

    2. Test communication between devices in VLAN 10 and VLAN 0.

    Let me know if you need any further help!


    Prerequisites: SOPHOS FIREWALL

    1. Sophos Firewall: Ensure the firewall is configured, and the port in question is functional.
    2. VLAN IDs: Have two distinct VLAN IDs (e.g., VLAN 10 and VLAN 20).
    3. Network Plan: Ensure the IP address range of the subnet is sufficient to cover both VLANs without conflicts.
    4. Switch Support: The switch connected to the Sophos Firewall must support VLAN tagging (802.1Q).

    Configuration Steps:

    1. Configure VLANs in Sophos Firewall:

    1. Log in to the Sophos Firewall Admin Console.
    2. Go to Network → Interfaces.
    3. Click Add Interface → Add VLAN.
    4. Configure the first VLAN:
      • Parent Interface: Select the physical interface (e.g., Port 1).
      • VLAN ID: Enter the VLAN ID (e.g., 10).
      • IP Assignment: Assign an IP from the subnet (e.g., 192.168.1.1/24).
      • Save the configuration.
    5. Repeat for the second VLAN:
      • Use the same Parent Interface but a different VLAN ID (e.g., 20).
      • Assign an IP from the same subnet (e.g., 192.168.1.2/24).
      • Save the configuration.

    2. Configure the Switch:

    1. Access the switch’s management interface.
    2. Locate the port connected to the Sophos Firewall.
    3. Set the port to Trunk Mode.
    4. Add the VLANs (e.g., VLAN 10 and VLAN 20) to the trunk configuration.
    5. Assign the respective VLAN tags (802.1Q tagging).

    3. Configure Routing on the Firewall:

    1. In the Sophos Firewall, ensure routing is enabled for inter-VLAN communication.
    2. Go to Rules and Policies → Firewall Rules.
    3. Create rules to allow traffic between the VLANs if needed:
      • Source: VLAN 10
      • Destination: VLAN 20
      • Action: Allow
      • Save the rule.
    4. Repeat for the reverse traffic (VLAN 20 to VLAN 10).

    4. Test the Setup:

    1. Connect devices to the VLANs on the switch.
    2. Assign IP addresses within the same subnet (e.g., 192.168.1.x/24).
    3. Verify communication between devices on different VLANs.

    Notes and Considerations:

    • Broadcast Issues: Running multiple VLANs in the same subnet can lead to broadcast conflicts. This setup is generally not recommended for production environments.
    • Routing Complexity: Use a single VLAN per subnet for better segmentation and performance.
    • Testing: Always test the configuration in a controlled environment before deploying it in production.

    Would you like detailed screenshots or CLI commands for Sophos or a specific switch?
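As an added check that is not part of the original post: a small Python lint that parses a FortiOS CLI dump like the one above and flags the two things FortiOS refuses in this design, a vlanid outside 1-4094 (there is no VLAN 0 sub-interface; untagged frames terminate on the physical port) and two interfaces in one subnet without `set allow-subnet-overlap enable`. The sample configuration is constructed to mirror the post's CLI; the parser handles only the config/edit/set/next/end subset of FortiOS syntax and skips nested blocks such as ip-range.

```python
"""Lint a FortiOS CLI dump for out-of-range VLAN IDs and overlapping interface
subnets. Added example; understands only config/edit/set/next/end syntax."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample mirroring the post's CLI, including the invalid vlanid 0.
SAMPLE_CONFIG = """\
config system interface
    edit "VLAN_10"
        set vdom "root"
        set mode static
        set ip 192.168.10.1 255.255.255.0
        set interface "port1"
        set vlanid 10
    next
    edit "VLAN_0"
        set vdom "root"
        set mode static
        set ip 192.168.10.2 255.255.255.0
        set interface "port1"
        set vlanid 0
    next
end
config system settings
    set allow-subnet-overlap disable
end
"""


def parse_fortios(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Return {section: {entry: {key: value}}}. Settings directly under a
    section (no 'edit') go under entry "". Nested config blocks are skipped."""
    sections: Dict[str, Dict[str, Dict[str, str]]] = {}
    section = entry = None
    depth = 0  # nesting of config blocks inside the current entry
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        kw = tokens[0]
        if kw == "config":
            if section is None:
                section = " ".join(tokens[1:])
                sections.setdefault(section, {})
                entry = ""
            else:
                depth += 1
        elif kw == "end":
            if depth:
                depth -= 1
            else:
                section = entry = None
        elif depth or section is None:
            continue
        elif kw == "edit" and len(tokens) > 1:
            entry = tokens[1]
            sections[section].setdefault(entry, {})
        elif kw == "next":
            entry = ""
        elif kw == "set" and len(tokens) > 2:
            sections[section].setdefault(entry, {})[tokens[1]] = " ".join(tokens[2:])
    return sections


def lint_interfaces(cfg: Dict[str, Dict[str, Dict[str, str]]]) -> List[str]:
    """Flag vlanid outside 1-4094 and interfaces whose subnets overlap."""
    findings: List[str] = []
    overlap_allowed = (
        cfg.get("system settings", {}).get("", {}).get("allow-subnet-overlap") == "enable"
    )
    seen = []  # (interface name, IPv4Network) already processed
    for name, attrs in cfg.get("system interface", {}).items():
        if not name:
            continue
        vid = attrs.get("vlanid")
        if vid is not None and not 1 <= int(vid) <= 4094:
            findings.append(f"{name}: vlanid {vid} is outside 1-4094; untagged frames "
                            f"belong on the parent interface {attrs.get('interface', '?')} itself")
        addr, _, mask = attrs.get("ip", "").partition(" ")
        if not addr or not mask or addr == "0.0.0.0":
            continue
        net = ipaddress.IPv4Interface(f"{addr}/{mask}").network
        for other, other_net in seen:
            if net.overlaps(other_net):
                note = ("permitted by allow-subnet-overlap; policies are still needed "
                        "in both directions" if overlap_allowed else
                        "rejected by FortiOS unless 'set allow-subnet-overlap enable' "
                        "is set under config system settings")
                findings.append(f"{name} and {other} both sit in {net}: {note}")
        seen.append((name, net))
    return findings


def lint_text(text: str) -> List[str]:
    return lint_interfaces(parse_fortios(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_CONFIG):
        print("WARN", finding)
```

Run it against a `show system interface` / `show system settings` dump saved to a file by passing the file contents to `lint_text`; a clean result means the interfaces will at least load, not that the design avoids the broadcast and ARP side effects noted above.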
