Fortigate 60D as a vlan layer3 switch?

thetoad

Active Member
Feb 10, 2021
Someone gifted me a Fortigate 60D and I'm trying to figure out how to make it let me isolate my IoT (smart home) wifi network from the rest of my devices.

What I want is layer 3, so that I can set firewall rules that enable my home VLAN to connect to the IoT VLAN (for Home Assistant usage), but prevent it in the other direction.

I currently have an Asus wireless router running FreshTomato, and while that allows me to set up a virtual SSID that is isolated from the rest of my network, it's fully isolated, i.e. it doesn't help with Home Assistant being able to connect to the IoT devices locally without hitting the IoT manufacturer's internet servers and then going back to the IoT devices.

On my old Juniper EX2200, if I wanted to do this, I think I'd just set up 2 VLANs (home/iot) and create an ingress filter rule that denied all initial TCP traffic from iot into home, with a default allow underneath that (it took me a little while to learn that without any filters the default is allow, but once you add a single filter the default becomes deny). I'd be able to associate the ports I want with each VLAN and even have the Juniper manage DHCP for it.

My thought is that I'd want to do the same thing with the Fortigate. Instead of the WAN going into my Asus router, I figure I can put it into just AP mode, where it provides 2 SSIDs (home and iot) and each SSID is bridged to a single LAN port. Those LAN ports would feed into 2 ports on the Fortigate, say port 7 (home) and 8 (iot).

I'd want to create 2 VLANs on the Fortigate (home and iot), with ports 2-7 (WAN comes into the living room, so multiple living room devices would be connected to it on the home VLAN) being home and port 8 being iot, with port 1 being a trunk to another switch (i.e. the Juniper I mentioned above in my rack, where Home Assistant VMs or containers will be running). In playing around with the Fortigate, I'm unsure both how to create VLANs and associate multiple ports with them (I think I have to remove them from the internal switch interface first?) as well as how to create firewall rules between them.

My second thought was wondering if it's possible for me to add a management VLAN and include it in the trunk from the Fortigate to the Juniper (and split off port 2 on the Fortigate for that purpose). The Juniper would have a firewall rule rejecting all traffic not on its own VLAN, but this would enable me to keep an ethernet cable in my living room (on port 2) and more easily connect to the management VLAN rather than going down to where the rack is to connect. Yes, this is not as secure as a fully air-gapped management network (or even a virtually air-gapped management network with just a layer 2 VLAN), but for my home use it is probably sufficient.

Any help/pointers would be appreciated.
 

LodeRunner

Active Member
Apr 27, 2019
Create a sub-interface; that's how you do tagging on most firewalls. The physical interface will be untagged, but it will have as many tagged virtual interfaces on it as you need. I believe you don't have to worry about actually telling it to be a trunk; once it has sub-interfaces it will act like one.
 

thetoad

Active Member
Feb 10, 2021
Thanks, will have to play around with it. I actually find the Juniper EX2200 I was also gifted (but not for keeping the living room with the wireless AP) to be much more intuitive, even if it can also be more complex.