
I have 3 wireless networks, all on the same subnet, which are fed by a UniFi switch and configured by a UniFi Controller. All of this is fed by a Fortinet.

The 3 networks are guest, staff1 and staff2. Currently all 3 WiFi networks are on the 192.168.1.0/24 subnet, but I am trying to get the Guest network onto their own subnet.

From my understanding, I need to create the subnet on the Fortinet first - or do I do this on the UniFi switch?

The reason for doing it is we are running out of DHCP leases when lots of guests try to logon - as well as the security risk of having them on the same subnet as our staff.

I am going to create the subnet on the Fortinet, configure the UniFi switch to see it, then configure the UniFi controller to give out this range to the guest network. I've been thrown in the deep end here and can't really afford to mess up. I admit I'm a bit out of my depth here, and am looking for any advice or pointers while I'm searching and investigating myself.

Many thanks!

1 Answer


Usually subnets go together with VLANs – one per subnet. That way the subnets are really separate – all communication between them must go through the router/firewall, and each VLAN can run DHCP & RA independently.

I haven't ever used a "Fortinet", but it seems that it's a regular firewall that has router capabilities and tagged VLAN interfaces.

  • On the router/firewall, create three new VLAN interfaces [2, 3, 4] on top of the main Ethernet interface, and configure each to be in a new subnet [192.168.2.0/24, etc.] The original 192.168.1.0/24 subnet remains 'untagged'.

  • On the switch, configure both the Fortinet port and the AP ports to accept the newly created VLANs as 'tagged', in addition to the existing untagged VLAN. (For testing, you could also configure another port to e.g. have VLAN 2 as the default and nothing else.) The switch does not need to know about IP subnets besides the 'management' one.

  • On the UniFi controller, configure the appropriate VLAN ID for each SSID [guest = 2, staff1 = 3, staff2 = 4]. The APs will then automatically add the correct VLAN tag for every user's traffic, and the firewall will see it as arriving through one of the virtual interfaces.
