Monday, July 20, 2009

Combining Firewall Interfaces

Sometimes there is a need to combine multiple firewall interfaces so that they function like a switch or hub (for those of us who remember what a hub is :). A good example would be the internal interface of a FortiWifi and its WLAN interface. If your firewall is in NAT mode, you have to assign each interface a separate IP address in a different subnet.

Now let's assume you have some kind of device on your network, such as a Sonos music player. Your laptop is on the wireless network provided by the FortiWifi and the Sonos is on the wired network. Even if you have rules permitting all traffic between your wired and wireless networks, you will not be able to connect to your Sonos player. This is because the Sonos is discovered via broadcasts, and broadcasts stay local to each subnet. The same principle applies to Slingboxes and other devices.

The answer is to combine the WLAN and internal interfaces into a new "switch" interface. This can be done from the command line. As a prerequisite, nothing may reference the interfaces you wish to combine, such as firewall policies, routes, etc. You also have to be running at least FortiOS 3.0 MR6. Here's an example of how to set it up:

** Important: You should enable https or ssh access on some interface other than the ones you are combining. When you combine the internal interface with another one, you will lose connectivity to the internal interface until you access the firewall either via the console or another interface and configure an IP on the newly created interface. (Thanks for the heads up Simon). **

config system switch-interface
    edit Lan
        set member internal wlan
    next
end

You now have a new interface in the GUI called Lan, which combines the internal and wlan interfaces and which you can use when creating policies. Any traffic between the two member interfaces will always be allowed, including broadcasts, since they are now part of the same "switching zone"; no firewall policy is applied to it.
There are a number of other options for this command. For more information go ahead and check out the FortiOS CLI reference at
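As an added worked example (not from the original post), here is the full sequence in the order the warning above requires: keep a management path on a third interface, build the switch, give the new Lan interface an address, and add one policy for traffic leaving the switch. The dmz and wan1 interface names and all addresses are assumed; the keywords are standard FortiOS CLI syntax, and the # lines are annotations rather than commands.

```fortios
# 1. Keep a management path that is NOT a member of the switch.
#    (assumed: a dmz port reachable from the admin workstation)
config system interface
    edit dmz
        set ip 10.99.0.1 255.255.255.0      # constructed address
        set allowaccess https ssh ping
    next
end

# 2. Build the software switch from the two member interfaces.
#    Prerequisite from the post: nothing may reference internal or wlan
#    (policies, routes, etc.) before they are added as members.
config system switch-interface
    edit Lan
        set member internal wlan
    next
end

# 3. Give the new Lan interface the address the wired and wireless
#    clients will use as their gateway. Every host on either side can
#    reach this IP without a policy, so expose only what is required.
config system interface
    edit Lan
        set ip 192.168.1.1 255.255.255.0    # constructed address
        set allowaccess https ping
    next
end

# 4. Traffic between wired and wireless members needs no policy; traffic
#    leaving the switch still does. One policy Lan -> wan1 (wan1 assumed).
#    The predefined catch-all service is named ANY in this release.
config firewall policy
    edit 1
        set srcintf Lan
        set dstintf wan1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set nat enable
    next
end
```

Apply step 1 from the console or the dmz session before step 2, since the internal interface drops off the moment it becomes a switch member.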

** It appears that combining interfaces using this "software switch" causes problems with various forms of spanning tree (STP). **

1 comment:

Anonymous said...

Seems only to work on physical interfaces and not on VLAN interfaces :(