02-18-2015 03:31 AM - edited 03-05-2019 12:49 AM
Hello folks,
I have a client that picks up subcontracts from government agencies, and I deploy for him. Recently he picked up a contract and I was called on to deploy; after the network setup and everything (switches, routers, access points) was working,
he brought in a Fortinet firewall and wants me to add it to the network. I told him the Cisco router is capable of handling the firewall responsibilities, besides which I have configured a stateful firewall in the router already. His claim was that he had added the Fortinet to the quotation, so he had to put it there so that the guys would see it.
Now the question:
How do I connect the Fortinet to the network?
My infrastructure:
I am connected to a fibre box internet for the WAN connection; the router connects to the switches from its LAN port and connects to the fibre box on the WAN port. Now how do I connect the Fortinet?
Will this work?
Fortinet firewall WAN port to the fibre box for internet, then connect the LAN port of the Fortinet to the WAN port of the Cisco router?
02-18-2015 03:36 AM
Yes that would work but I'm not sure what purpose the router is serving then.
Where are the internal vlans routed ie. do you have a L3 switch or are you using subinterfaces on the router ?
Jon
02-18-2015 03:43 AM
I am not using an L3 switch, I am using an L2 switch, but what I am looking at now is: since the switches are connected to the router LAN ports, how will the traffic be routed?
What will be the configuration on the WAN interface?
Will the router still serve as a DHCP server, or should I use the Fortinet firewall as the DHCP server?
In this case, I think the router will be used as a dummy, or what do you think?
My internet connection is ADSL using PPPoE, so I don't know the IP address; it is not a static system, which means the WAN interface of the router will pick up an IP as a DHCP port too?
02-18-2015 03:47 AM
Does the Fortinet support ADSL using PPPoE ?
If not you will have to use the router to connect to your ISP which dictates where the firewall will go.
But that means you will need to be able to route your internal subnets off the inside of the firewall or maybe put the firewall in transparent mode (again if supported).
It really comes down to what is supported on the firewall.
Jon
02-18-2015 03:53 AM
Yes, the router supports ADSL using PPPoE, and right now I have just connected it and it is working with the network very well.
But the issue now is: since they want the Cisco router to also work, what will it be doing?
Since it was more like the connection centre of the switches before now (right now I have connected the core switch to one of the LAN ports of the firewall),
how will I connect the core switch back to the Cisco router and route the network through the Fortinet firewall?
02-18-2015 04:05 AM
Yes, the router supports ADSL using PPPoE, and right now I have just connected it and it is working with the network very well.
That's not what I asked.
Your original question was could you connect the firewall direct to the internet connection and I said it depends on whether the firewall supports it or not.
We know the router supports it.
If you want to have the router on the outside then you connect your LAN to the firewall and the outside interface of the firewall connects to the router.
You don't connect your core switch to the router because -
1) you would be bypassing the firewall
and
2) you can only have the L3 interfaces for your vlans on either the firewall or the router not both.
It also depends on your public IP addressing ie. if the router connects to the internet then it will have to do NAT for the internal clients not the firewall unless you have another public IP subnet allocated by the ISP.
So which do you want to do ?
Jon
02-18-2015 04:11 AM
Please pardon my mistake, I wanted to say both the Fortinet firewall and the router support ADSL using PPPoE.
But if I have to put the router on the outside of the network, connect the LAN to the firewall, and then the firewall to the LAN interface of the router, who now becomes the DHCP server?
The connection from the firewall to the router: will it be on the WAN interface of the firewall? If yes, what form of IP address assignment will that interface be configured with?
02-18-2015 04:21 AM
No problem.
The firewall would be the DHCP server.
In terms of addressing that is what I meant about the public IPs. If you only have one subnet allocated then the addressing between the outside of the firewall and the inside of the router would have to be private addressing unless you look into bridging and I don't recommend that.
If you had two public IP blocks then you could use public IP addressing between the firewall and the router.
If you only have one block then the router does the NAT.
Personally I think the firewall should do the NAT in most cases as that is where you are controlling access but if you want to use both you won't be able to do this unless you put the firewall first and have the router behind it and then use the router purely for routing the internal LANs.
The outside router interface would then connect to the inside firewall interface using private addressing and the router would do DHCP for the clients.
Basically you only really need one or the other as you have originally said and having to use both really just makes it more complicated than it needs to be.
Jon
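As an added illustration of the "router outside" option described in the reply above (this is not Jon's configuration and not from the original thread), the Cisco IOS fragment below puts the router on the PPPoE link doing the NAT, with a private /30 transit link to the firewall's WAN port. The interface names, the 10.10.0.0/16 internal range, the 192.168.255.0/30 transit and the ISP credentials are all assumed placeholders.

```cisco
! Router on the outside: it holds the PPPoE session and does the NAT, because
! only one public block exists. All interface names, addresses and credentials
! below are assumed placeholders for illustration.
!
interface GigabitEthernet0/0
 description WAN - to the fibre/ADSL box (PPPoE client)
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 description PPPoE session to the ISP (address is learned, not static)
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ppp authentication chap callin
 ppp chap hostname ISP-USERNAME-PLACEHOLDER
 ppp chap password 0 ISP-PASSWORD-PLACEHOLDER
!
interface GigabitEthernet0/1
 description Inside - transit /30 to the Fortinet WAN port (private addressing)
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
 ip tcp adjust-mss 1452
!
dialer-list 1 protocol ip permit
!
! Default route out through the PPPoE session
ip route 0.0.0.0 0.0.0.0 Dialer1
! The internal VLANs are routed on the firewall in this design, so reach them via its WAN address
ip route 10.10.0.0 255.255.0.0 192.168.255.2
!
! Overload (PAT) every inside source onto the negotiated Dialer1 address
ip access-list standard NAT-INSIDE
 permit 10.10.0.0 0.0.255.255
 permit 192.168.255.0 0.0.0.3
ip nat inside source list NAT-INSIDE interface Dialer1 overload
```

In this layout the Fortinet's WAN port sits at 192.168.255.2 with 192.168.255.1 as its default gateway, and the firewall, not the router, holds the L3 interfaces for the internal VLANs and hands out DHCP, consistent with the point above that the VLAN interfaces can live on only one of the two devices. Because the firewall does no NAT here, its policies and logs still see the real client addresses; the router's translation table is the only place the public mapping exists, so that is where an investigator would have to look to tie a public-side flow back to a client.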
02-18-2015 04:31 AM
Thinking of using the two: if I put the firewall first before the router, with the outside of the router connected to the inside of the firewall, using private IP addressing (since what I have is just one block of IPs),
the firewall will have to do the NAT, access control and all.
That means the gateway address of the network will be the inside interface of the firewall.
On this, my question is: how will the router now be used to route the internal clients?
02-18-2015 04:38 AM
The gateway for clients won't be the firewall, it will be the inside interface of the router.
The firewall can still do NAT, access control etc. without being the gateway for the clients. I say that although some small router/firewall devices can't, but I would have thought a Fortinet would be okay.
The usual configuration for what you have is router outside and the firewall inside and then route LAN clients on the firewall.
Either will work and it really depends on where you want to do the NAT as much as anything else.
Like I say I would generally do that on the firewall but if you only have one set of public IPs you can only do this if you put the firewall outside of the router.
If there is only one ISP connection then it doesn't really matter which you choose but if you had multiple ISPs then you would probably want the router on the outside as they support PBR whereas firewalls (at least Cisco firewalls) don't.
Don't know about the Fortinets though.
It really is a matter of preference in your situation because you don't really need both devices.
Jon
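As an added illustration of the "firewall first" option the thread settles on (again not Jon's configuration and not from the original thread), the Cisco IOS fragment below shows the router behind the firewall acting purely as the internal router: it terminates the VLANs as router-on-a-stick subinterfaces towards the L2 core switch, serves DHCP, and sends everything non-local to the firewall's inside interface, which does the NAT and access control. Interface names, VLAN numbers, the 10.10.x.0/24 subnets and the 192.168.255.0/30 transit link are assumed.

```cisco
! Router behind the firewall: the Fortinet holds the PPPoE session and does
! NAT and access control; the router only routes the internal VLANs and hands
! out DHCP. Interfaces, VLANs and addresses below are assumed for illustration.
!
interface GigabitEthernet0/0
 description Outside - transit /30 to the Fortinet inside (LAN) port
 ip address 192.168.255.2 255.255.255.252
!
interface GigabitEthernet0/1
 description 802.1Q trunk to the core L2 switch (router-on-a-stick)
 no ip address
!
interface GigabitEthernet0/1.10
 description VLAN 10 - user LAN (clients' default gateway)
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 description VLAN 20 - servers
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
!
! DHCP for the clients lives on the router in this design
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp pool VLAN10
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.10.20.10
!
! Everything not local goes to the firewall, which NATs it towards the ISP
ip route 0.0.0.0 0.0.0.0 192.168.255.1
!
! Deliberately no "ip nat inside/outside" on this router: a second NAT layer
! would hide client addresses from the firewall's policies and logs.
```

The firewall side needs matching static routes for 10.10.10.0/24 and 10.10.20.0/24 via 192.168.255.2 so return traffic finds the router. One consequence worth noting for whoever operates this: traffic between VLAN 10 and VLAN 20 is routed on the router and never crosses the firewall, so the Fortinet's policies and logging cover only traffic to and from the internet, not east-west traffic between internal segments. If inter-VLAN filtering is wanted, the "router outside, VLANs routed on the firewall" layout is the one that provides it.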
02-18-2015 06:11 AM
Thanks Jon, I will just have to work things out somehow and I will tell you how I did it.
Hugs.