InterVLAN Routing Configuration

mda (2[H]4U, joined Mar 23, 2011, 2,207 messages)
Hi All,

I'm currently trying to set up some managed switches to create a different VLAN for our WIFI users and still give them access to resources on our main network.

I have VLANs set up to the point where I have different subnets, and connecting to certain SSIDs will put you in a different VLAN. DHCP is handled by our Fortinet firewall. Both VLANs now have access to the internet.

Physical Setup
(A) Fortinet -> (B) Core Switch Cisco SG300 -> (C) 2 more SG300s -> APs, Unmanaged Switches or Clients
*All the switches are currently in L3 mode.

I have only done the following:
1. Set up the Fortinet with the VLANs (port tagging), allowing the VLANs to the internet as part of the firewall policy
2. Set up the switches with the VLANs (port tagging)
3. Set up the APs with the VLANs (matched the SSIDs to the VLAN numbers)
4. Set up the Fortinet firewall policy to pass traffic from the new VLAN to the main VLAN

However, I realize that with this current setup, all routing between VLANs happens on our Fortinet. To prevent someone pulling a large file from one VLAN to another from saturating our network/internet, I will need to move the inter-VLAN routing to the "B" switch.

How am I supposed to do this? I think I have an idea based on a few hours of research, but it's not really working out.
This much I know:
1. Give the B switch an IP on the new VLAN
2. Set the Fortinet to continue to be the DHCP server on the new VLAN, but change the default gateway from "Same as Interface IP" to "Specify", using the IP of the B switch on that VLAN
-- following this, I am no longer sure.
3. Set up DHCP relay on the B switch on the VLAN subnet to point to the Fortinet IP on the VLAN (??)
4. Will I need to set up a static route somewhere on the switch level?
5. Our VLAN 1 / untagged VLAN currently has gateways all manually set to point to our Fortinet. Will I need to switch these to the B switch too on VLAN 1?

I'm pretty lost at this point.

Hope I explained my problem and the steps I have taken clearly (?)

** I intend to limit, at the switch level, which IP addresses of the main network will be accessible via the inter-VLAN routing, but I will do this after I get the setup running.

Thanks!
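As an added illustration (not the poster's configuration and not taken from Cisco or Fortinet documentation), here is what the steps listed in the post look like as an SG300 L3-mode CLI configuration for the "B" switch. Every address is an assumed placeholder: VLAN 1 is taken as 192.168.1.0/24 with the Fortinet at 192.168.1.1, the new WIFI VLAN is assumed to be VLAN 20 on 192.168.20.0/24, and the switch takes .254 on both. The switch gets an SVI on each VLAN (step 1), relays DHCP on VLAN 20 to the Fortinet (step 3), and carries a single default route to the Fortinet for internet traffic (step 4); the Fortinet's DHCP scope for VLAN 20 would then hand out 192.168.20.254 as the gateway (step 2).

```cisco
! Added example configuration for the core "B" SG300 in L3 mode.
! All addresses below are assumed placeholders, not the poster's real network.
configure

! Create the WIFI VLAN (assumed VLAN 20) in the VLAN database.
vlan database
vlan 20
exit

! Step 1: give the switch an IP (SVI) on the new VLAN.
! This address becomes the default gateway for WIFI clients.
interface vlan 20
name WIFI
ip address 192.168.20.254 255.255.255.0
exit

! Step 5: the switch also needs an SVI on VLAN 1 so it can route between
! the two subnets; hosts on VLAN 1 should point at this address as their
! gateway, otherwise VLAN1-to-VLAN20 traffic still goes via the Fortinet.
interface vlan 1
ip address 192.168.1.254 255.255.255.0
exit

! Step 3: relay DHCP requests from VLAN 20 to the Fortinet, which stays the
! DHCP server. The relay is enabled globally, given the server address, and
! then enabled on the client-facing VLAN interface.
ip dhcp relay enable
ip dhcp relay address 192.168.1.1
interface vlan 20
ip dhcp relay enable
exit

! Step 4: one static default route sends everything the switch does not
! have a directly connected subnet for (i.e. the internet) to the Fortinet.
! Inter-VLAN traffic never needs this route, because both subnets are
! directly connected to the switch.
ip route 0.0.0.0 0.0.0.0 192.168.1.1

! Make the tagged uplinks carry both VLANs (port gi1 assumed to face the
! Fortinet, gi2 an AP/downstream switch). Untagged VLAN 1 stays the native VLAN.
interface gi1
switchport mode trunk
switchport trunk allowed vlan add 20
exit
interface gi2
switchport mode trunk
switchport trunk allowed vlan add 20
exit

exit
copy running-config startup-config
```

One consequence worth checking before relying on this: once the switch routes between VLAN 1 and VLAN 20, the Fortinet policy from step 4 of the original list no longer sees that traffic, so the "pass traffic from new VLAN to main VLAN" rule stops being the control point. Until the switch-level restriction mentioned at the end of the post is in place, WIFI clients reach the whole main subnet unfiltered; confirm with a traceroute from a WIFI client to a VLAN 1 host that the first hop is the switch SVI rather than the Fortinet, and with a DHCP release/renew on a WIFI client that the relayed lease arrives with the switch's VLAN 20 address as the gateway.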