Separate Network before Firewall

[Modifyinc]

Company A has two buildings with building #1 providing internet to both building #1 and #2. Company A has allowed us to lease building #2 to run our business, which I'll call Company B. So my company, Company B, is operating in building #2.

 

The problem we want to resolve is now how do we separate the two company's into two networks while sharing the same internet? I would think it would be best to bypass their firewall completely for best results.

 

The ONT or modem is located in building #1. A network cable runs from the ONT to the firewall in the server room. The firewall connects to two HPE OfficeConnect 1920S JL385A switches labeled Switch 1 & Switch 2. Switch 2 feeds building #2 (my building) via SFP port using fiber optics.

 

So would I just need to purchase maybe the EdgeRouter X SFP, and place it before their firewall to accomplish this? Would Company A's network still work correctly coming off of the EdgeRouter back into their firewall or would it require some changes on the EdgeRouter or their firewall? Is there a better or even simpler solution, maybe?

[Electronics Wizardy]

What firewall model? Just have that firewall give you anouther subnet for your buniess, and then block any communcation to their network.

 

Normally you can only attach one device to the ont at a time, as it will only give one ipv4.

[Modifyinc]

27 minutes ago, Electronics Wizardy said:

What firewall model? Just have that firewall give you anouther subnet for your buniess, and then block any communcation to their network.

 

Normally you can only attach one device to the ont at a time, as it will only give one ipv4.

It's a Fortigate 80E. Wouldn't we still be affected by any of their firewall rules? Because currently we can't remote into our network in building #2 which I assume is because of their firewall.

 

I realized from the ONT there is usually only one device that can be connected, but if it's a layer3 switch or has routing capability, can't you provide internet to separate devices or networks?

[Electronics Wizardy]

3 minutes ago, Modifyinc said:

It's a Fortigate 80E. Wouldn't we still be affected by any of their firewall rules? Because currently we can't remote into our network in building #2 which I assume is because of their firewall.

 

I realized from the ONT there is usually only one device that can be connected, but if it's a layer3 switch or has routing capability, can't you provide internet to separate devices or networks?

You can setup routes on the fortinet to have multkpel subnets and controls what can flow between them.

 

 

If you setup a l3 switch before the fortinet, you basically just put a router there, and the fortinet can do all of that already.

[Modifyinc]

2 minutes ago, Electronics Wizardy said:

You can setup routes on the fortinet to have multkpel subnets and controls what can flow between them.

 

 

If you setup a l3 switch before the fortinet, you basically just put a router there, and the fortinet can do all of that already.

The problem with making changes in the Fortigate firewall is that it's not our firewall. It's Company A's firewall, and they would rather us not make any changes in it, which we can't do without the login credentials anyway. They don't mind if we just bypass the firewall, so that's why I'm trying to figure the easiest way to do that.

[Alex Atkin UK]

4 hours ago, Modifyinc said:

The problem with making changes in the Fortigate firewall is that it's not our firewall. It's Company A's firewall, and they would rather us not make any changes in it, which we can't do without the login credentials anyway. They don't mind if we just bypass the firewall, so that's why I'm trying to figure the easiest way to do that.

Depends, if they are only getting a single public IP address then that is probably assigned to the firewall so you're SOL.

[eece_ret]

If its a FG 80e.  Id create three VDOMs.  WAN VDOM, Corp1 VDOM and Corp2 VDOM.  WAN VDOM peers with Corp1 and Corp2 via Intra VDOM links and takes care of the WAN IP and NAT functions.  Then tag the VLANs for the CORP1 and CORP2 vlans though the intermediary L2 infrastructure and present on a per port basis as is correct for the office space. 

The FortiGate will control flows between CORPX and WAN as well as block (or permit if desired) Corp1 <->Corp2 flows.

[eece_ret]

OK, if you cannot change the Fortigate.

 

Then you need more than one WAN IP otherwise you WILL be traversing their FW.

 

If Traversing the FW is OK.... Simply create a new interface and tag that to Corp2.  IF THAT is a bridge too far.

Stand up a FW and double NAT, but that will be an issue down teh road.

 

In teh end, you REALLY need some very small changes on teh FGate to support your needs.

[Modifyinc]

I had read that people put switches after the modem but before the firewall, but I didn't realize they must of had multiple public IPs to allow it to feed the different networks. This is new to me, I have never needed to separate a network.

 

So I can't put my own firewall between the modem and their firewall? That way I can configure our firewall first, and then branch off from our firewall: one feed going to their firewall and the other going to our building's switch, building #2?