I am playing with a new Fortigate firewall at my company. I talked about it in the most recent episode of Tech Chop. Well, it came in the mail today and I started to configure it. Unlike my current firewall, I can't assign particular VLANs to the individual physical ports. If I want to have multiple subnets on my network, which I do, I have to create virtual VLAN interfaces under the five physical "internal" ports.
This isn't a problem once I get it into place because my core switches handle VLAN tagging and trunk ports. The problem is configuring it without a switch, because by default your computer's NIC doesn't handle VLAN tagging.
In Windows, sometimes you can download a driver for your NIC to handle VLAN tagging, but not all NICs support it. For setting up this firewall though I was using an Ubuntu laptop. Setting up VLAN tagging in Ubuntu is actually pretty easy. Here's what you do:
- Install the VLAN package on your computer:

    sudo apt-get install vlan

- Edit your /etc/network/interfaces file so that it contains the following:

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # This is a list of hotpluggable network interfaces.
    # They will be activated automatically by the hotplug subsystem.

    # VLAN 1
    auto vlan1
    iface vlan1 inet dhcp
        vlan_raw_device eth0

Once that is edited, save the file and reboot. When your Ubuntu computer comes back up, as long as it is plugged into a switch or a firewall interface configured for VLAN tagging, it should work fine. Also, if you need to configure a static IP address on a particular VLAN, here is an example of that:

    # VLAN 2
    auto vlan2
    iface vlan2 inet static
        address 192.168.0.8
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
        mtu 1500
        vlan_raw_device eth0
Notice that you can tag your VLAN any way you want: the number in the interface name is the VLAN ID. If your VLAN is tagged VLAN 104 on your switch, your interface will be vlan104 in Ubuntu. Makes sense, right?
The only problem I had with this is that if I wanted to change the VLAN tagging to test connectivity on the other VLANs I was setting up, I had to reboot for the changes to take effect. Simply restarting the network service didn't do the trick. If you know of a better way than rebooting, let me know in the comments.
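As an added example (not part of the original post), the helpers below cover the setup above from a checking point of view: they validate the 802.1Q ID, render a stanza in the same format as the post's interfaces file, print the iproute2 commands that create a tagged sub-interface at runtime without the reboot, and verify from "ip -d link show" output that the interface really carries the tag you expect. The parent NIC eth0 and the availability of the 8021q kernel module are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the
# /etc/network/interfaces VLAN setup. Assumes the 8021q module is
# available and that the parent NIC is eth0 as in the post.

# Succeed only if $1 is a valid 802.1Q VLAN ID (1-4094); 0 and 4095 are reserved.
vlan_id_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Render an ifupdown stanza: vlan_stanza PARENT ID dhcp
#                         or vlan_stanza PARENT ID ADDRESS NETMASK [GATEWAY]
vlan_stanza() {
    parent=$1; id=$2; addr=$3; mask=$4; gw=$5
    vlan_id_ok "$id" || { echo "bad VLAN id: $id" >&2; return 1; }
    echo "auto vlan$id"
    if [ "$addr" = dhcp ]; then
        echo "iface vlan$id inet dhcp"
    else
        echo "iface vlan$id inet static"
        echo "    address $addr"
        echo "    netmask $mask"
        [ -n "$gw" ] && echo "    gateway $gw"
    fi
    echo "    vlan_raw_device $parent"
}

# Print the commands that create and raise PARENT.ID tagged with ID at runtime.
# Pipe into "sudo sh" to apply; remove again with "ip link del PARENT.ID".
vlan_live_cmds() {
    vlan_id_ok "$2" || return 1
    echo "modprobe 8021q"
    echo "ip link add link $1 name $1.$2 type vlan id $2"
    echo "ip link set $1.$2 up"
}

# Read "ip -d link show IFACE" output on stdin; succeed only if the interface
# carries 802.1Q tag $1. A missing or different tag means frames leave untagged
# or land in another segment, so check this before trusting a connectivity test.
vlan_tag_present() {
    grep -q "vlan protocol 802.1Q id $1 "
}

# Usage: vlan_live_cmds eth0 104 | sudo sh
#        ip -d link show eth0.104 | vlan_tag_present 104 && echo "tagged 104"
```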
Anyway, since I was able to tag my NIC with various VLANs, I was able to test connectivity on all the virtual interfaces on my new Fortinet without having to set up another switch!
[Via MySideNotes]