routing/subnetting question with DHCP

haunter

alright, pertinent details

(IPs changed, blah blah)

Main network is 192.168.1.0/24.
Increasing WiFi coverage, need to set up DHCP (no DHCP currently, don't ask, not my call).
Would like to do this on 192.168.2.0/24.


I have a Cisco 2911 at .1.2
and a Fortigate 60c at .1.4.

The 60c sits between the network and the internet, doing its job as a UTM and handling a few P2P VPNs; the Cisco has some T1s to other offices into it.

I gave the Fortigate a secondary IP of .2.4 and set a DHCP pool on the internal interface to hand out .2.100-.2.150.

It will not work. The 2911 has a 0.0.0.0/0.0.0.0 route that points to the 60c; I added a route for 232.0 on it pointing at .1.4 as a test and it did not help.

The 60c and 2911 are not directly connected, but both go to the same switch.

The device that I am trying to get DHCP on is attached to a different switch, which is on a 10 Gb link to the other one. If I put DHCP on .1.0 it works just fine, so it's not the 60c's DHCP server just not working.

I am just missing something, and I am not sure what.

It's making me feel very silly. If it was easier to do so I would just give all my .1 stuff a subnet of .254.0, but since it's about 150 devices on static IPs that's a huge undertaking I am trying to avoid (and I think that would fix the issue?).
 
You will need to use an IP helper address in order to provide DHCP to another subnet, because a couple of steps in the DHCP process use broadcast and broadcast traffic does not get routed.
 
I haven't tried this myself with a secondary IP and don't have anything to test with at the moment, but could it be possible for you to create a new VLAN interface on the 60c to do this with? It may be easier this way.
 
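As an added illustration of the relay approach the reply above describes (this is not configuration from the thread; the interface names, the VLAN number and the placement of the DHCP scope are assumptions), here is what the helper looks like on Cisco IOS, together with the detail that usually trips people up: the relay writes the address of the interface it received the broadcast on into the DHCP giaddr field, and the server selects its scope from that address and sends its reply to it (RFC 2131). A helper on the 192.168.1.x interface therefore yields 192.168.1.x leases, never 192.168.2.x ones; to hand out 192.168.2.x addresses the relaying interface itself has to carry a 192.168.2.x address, which is exactly what a VLAN subinterface gives you. The example assumes the DHCP server at 192.168.1.4 has a 192.168.2.0/24 scope and a route back to 192.168.2.1.

```cisco
! Added example, not from the thread. Assumptions: GigabitEthernet0/0 is the
! LAN-facing port (untagged = existing LAN), the Wi-Fi clients sit on VLAN 2,
! and the DHCP server at 192.168.1.4 holds a 192.168.2.0/24 scope, honours
! giaddr, and has a route to 192.168.2.0/24 via 192.168.1.2.
!
! Relaying from the 192.168.1.x interface does NOT produce 192.168.2.x leases:
! the relay stamps giaddr = 192.168.1.2, so the server answers from its
! 192.168.1.0/24 scope if it has one, and otherwise not at all.
interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip helper-address 192.168.1.4
!
! Relay from an interface that is itself in 192.168.2.0/24: giaddr becomes
! 192.168.2.1, the server picks the 192.168.2.0/24 scope, and unicasts the
! OFFER/ACK back to 192.168.2.1, which then re-broadcasts it to the client.
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 192.168.1.4
!
! Hardening: by default ip helper-address also forwards TFTP, DNS, time,
! IEN-116 name service, NetBIOS and TACACS broadcasts to the helper. Turn
! those off so only BOOTP/DHCP (UDP 67/68) is relayed.
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp nameserver
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
```

To confirm what the relay is actually sending, `debug ip dhcp server packet` on the router shows the giaddr it inserts; if that value is a 192.168.1.x address, the server will never choose the .2 scope no matter what else is configured.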
> You will need to use an IP helper address in order to provide DHCP to another subnet, because a couple of steps in the DHCP process use broadcast and broadcast traffic does not get routed.

I've added that to the internal int (GE 0/0) on the Cisco pointing at .1.4, but it doesn't seem to be helping.

Also tried .2.4 with no luck.

This might help a bit:

[attached image: wifi.jpg]
 
1. Move the DHCP server function to the 2911 and remove all traces of the attempt on the 60c.
2. Trunk the connection from the Cisco to the switch.
3. On the switch, assign the port to the 60c as vlanX.
4. On the switch, assign the port to the AP as vlanY.
5. Set up ge0/0.X on the 2911 with a 1.2 addy.
6. Set up ge0/0.Y on the 2911 with a 2.4 addy.
7. Default route to the Fortigate at 1.2, which is where you said you are currently defaulting to.
 
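The router-on-a-stick layout in the steps above, written out as an added Cisco IOS example (not configuration from the thread or from any of the posters). Assumptions: the existing LAN stays as untagged VLAN 1 so the 150 static hosts need no change, the Wi-Fi VLAN is 20, the switch port to the 2911 is a trunk carrying both, the Fortigate keeps the 192.168.1.4 address the OP gave it, and the pool is the .2.100-.2.150 range the OP wanted. The inbound ACL on the Wi-Fi subinterface is the kind of restriction the thread talks about later (guests get DHCP and internet only); drop it if the Wi-Fi segment is meant to reach the LAN.

```cisco
! Added example, not from the thread. VLAN numbers, pool range and the
! dns-server value are assumptions.
!
! Keep the routers' own addresses and static hosts out of the lease range.
ip dhcp excluded-address 192.168.1.1 192.168.1.254
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.151 192.168.2.254
!
ip dhcp pool WIFI
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.4
 dns-server 192.168.1.4        ! assumes the 60c answers DNS for the LAN
 lease 0 8                     ! 0 days 8 hours; short leases for guests
!
! Guest ACL: allow DHCP to the router, block everything aimed at the wired
! LAN, let the rest (internet via the default route) through.
ip access-list extended WIFI-IN
 permit udp any eq bootpc any eq bootps
 deny   ip any 192.168.1.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet0/0
 no ip address
 no shutdown
!
! Existing LAN on the native (untagged) VLAN, same 192.168.1.2 as today.
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.2 255.255.255.0
!
! Wi-Fi VLAN: the router is the DHCP server here, so no helper is needed.
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.2.4 255.255.255.0
 ip access-group WIFI-IN in
!
! Everything that is not local or on the T1s still goes to the Fortigate.
ip route 0.0.0.0 0.0.0.0 192.168.1.4
!
! The 60c also needs a static route 192.168.2.0/24 -> 192.168.1.2, or
! return traffic for the Wi-Fi subnet dies at 192.168.1.4.
```

Two checks after applying it: `show ip dhcp binding` lists the leases the WIFI pool has handed out, and `show interfaces GigabitEthernet0/0.20` confirms the subinterface is up with the dot1Q tag; a client that gets a lease but cannot reach the internet almost always means the Fortigate is missing the return route noted in the last comment.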
> 1. Move the DHCP server function to the 2911 and remove all traces of the attempt on the 60c.
> 2. Trunk the connection from the Cisco to the switch.
> 3. On the switch, assign the port to the 60c as vlanX.
> 4. On the switch, assign the port to the AP as vlanY.
> 5. Set up ge0/0.X on the 2911 with a 1.2 addy.
> 6. Set up ge0/0.Y on the 2911 with a 2.4 addy.
> 7. Default route to the Fortigate at 1.2, which is where you said you are currently defaulting to.

I may end up just putting the WiFi on the DMZ of the Fortigate, as it will simplify *everything* and allow me to allow partial access inside the real network and block other traffic (plus it gets its own DHCP server).

I really REALLY appreciate the help. VLANs are on the list of to-dos; I really need to finish my house projects and dig back into my CCNA studies :(



edit... well... I can do the security restrictions in UniFi, so I guess I will be trying this.

Will I need to set up a VLAN on the Fortigate too, you think?

Do I not use the same VLAN ID on each switch? I have 8 switches; I may just ensure all APs end up on the same switch. The 60c and 2911 should be on the same switch now; if not, they will be soon!
 
Moving the access point to the DMZ will simplify everything; otherwise you will need to configure VLANs on all the switches.
 
> Moving the access point to the DMZ will simplify everything; otherwise you will need to configure VLANs on all the switches.

Yeah, I just realized that I may not be able to do what I want security-wise like that. I need to flesh out the 'plan' more; I was asked to spec and order the hardware on Thursday... it got here yesterday :p

End of budget year funz.

I would need a VLAN on EVERY switch, not just the ones linking the pertinent equipment?
 
Assumption: all of your switch-attached gear is currently on VLAN1.

You can leave it there and add a second VLAN, say VLAN20, for your access point(s). Every switchport attached to an AP would need to be on VLAN20. Every switchport used to link switches would need to be trunked with VLAN1 and VLAN20. The switchport attached to the router would need to be trunked as well.

Unless your goal is to secure your wired clients from your wireless, using the router as your DHCP server is the better solution.
 
> Assumption: all of your switch-attached gear is currently on VLAN1.
>
> You can leave it there and add a second VLAN, say VLAN20, for your access point(s). Every switchport attached to an AP would need to be on VLAN20. Every switchport used to link switches would need to be trunked with VLAN1 and VLAN20. The switchport attached to the router would need to be trunked as well.
>
> Unless your goal is to secure your wired clients from your wireless, using the router as your DHCP server is the better solution.

I am 99% sure that all my switches are VLAN'd out of the box on VLAN1 with HP (A5120).

Thanks again for the help, guys.

edit: bolded: the APs have that security built into them; I can choose what address ranges/subnets to block access to based on authentication, so I can log in and get to my stuff, but Joe Blow here to give a presentation can only get to the internet.
 
holy crap.

One of the A5120s locked up applying the VLAN to a port.

Unfortunately it was the switch that half of my 911 dispatch machines were plugged into.

that was a fun 5 minutes
 
alright.

VLAN1 is default on everything.

Created VLAN2 for WiFi.

Trunked all my 10 Gb uplinks with 1 as untagged and 2 as tagged.

Created a VLAN interface for VLAN2 on the Fortigate at .2.4.

Plugged a laptop into a port, set it to VLAN2, set the IP address to .2.18.

Can't ping the Fortigate from it. They are on the same switch. The switch is set up exactly how HP recommends too. I'm a bit... flabbergasted.
 
yup.

Still a no-go.

Can hit the internet from the laptop, see the APs, currently have traffic flowing freely between LAN and VLAN, and can see my internal web stuff.

But can't ping or HTTP the Fortigate.

Rather confusing lil issue.

But it's nice to see it's a Fortigate weirdness issue and not my VLAN settings.

I'm working out some L3 management issues with the UniFis now.

Once I get the network 'set up' I will go back and crank down the security settings.
 
I know you probably did this, but it is worth bringing up. Did you set ping and HTTP access to the Fortigate on the VLAN interface you created, and not just on the main interface port it is attached to?
 
Yes, on the VLAN interface. I removed and re-added it a few times.

Tempted to reboot it.
 
Yeah, that is odd. Perhaps before you reboot it, jump into the CLI and issue the show command to see if HTTP and PING are indeed on the VLAN interface. The web GUI may be having an issue, which is why I say that.
 
Good call, I'll dig through the CLI reference to find that.

I do not have a good grasp on the FortiOS CLI.
 
So, digging into the Ubiquitis more.

They can assign VLAN tags to SSIDs.

So I added a second VLAN subnet on the Fortigate.

Much easier to segment traffic: the secured SSID on a VLAN is allowed to see our main subnet, and the currently open SSID (will get a password, but not a very 'secure' one) will only be allowed to the external interface on the Fortigate.

The Ubiquitis are pretty decent.

The management looks nice, but it's a bit... clunky at the cost of being pretty.

Though the factory reset button on them sucks bad and doesn't work on at least one of the units, so I might have to RMA it.

If you search their forums for it, you get about 8 different ways it 'works'.
 