Enterprise Network Topology with FortiGate, MikroTik and Windows Client Segmentation
Topology
Network Design Overview
In this lab we built a segmented network using VLANs connected to a FortiGate firewall. Two MikroTik switches are used to distribute access to different VLANs while sending tagged traffic to the firewall through trunk ports.
The goal is to simulate a multi-VLAN enterprise network where:
Each VLAN represents a different subnet
The FortiGate performs routing, DHCP and security policies
The MikroTik switches perform Layer-2 VLAN segmentation
VLAN Layout
| VLAN | Network | Purpose |
|---|---|---|
| VLAN 20 | 192.168.20.0 | Users Network |
| VLAN 30 | 192.168.30.0 | Users Network |
| VLAN 40 | 192.168.40.0 | Users Network |
| VLAN 50 | 192.168.50.0 | Users Network |
Switch 1 Configuration (VLAN 20 and VLAN 30)
This switch connects two user machines and sends VLAN traffic to the FortiGate through a trunk port.
| Port | Role | VLAN |
|---|---|---|
| ether2 | Access | VLAN 20 |
| ether3 | Access | VLAN 30 |
| ether4 | Trunk to FortiGate | Tagged 20,30 |
MikroTik Configuration (Switch 1)
```routeros
# Start from a clean bridge. Note: "remove [find]" deletes every existing
# bridge port and bridge, including any port used for management access.
/interface bridge port remove [find]
/interface bridge vlan remove [find]
/interface bridge remove [find]
# Create the bridge with VLAN filtering still off, so the VLAN table can be
# built before enforcement starts.
/interface bridge
add name=br1 protocol-mode=rstp vlan-filtering=no
/interface bridge port
# ether4: trunk to the FortiGate, accepts only 802.1Q-tagged frames
add bridge=br1 interface=ether4 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# ether2/ether3: access ports, untagged frames are placed in the PVID VLAN
add bridge=br1 interface=ether2 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br1 interface=ether3 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=br1 vlan-ids=20 tagged=br1,ether4 untagged=ether2
add bridge=br1 vlan-ids=30 tagged=br1,ether4 untagged=ether3
# Enable filtering last, once the VLAN table is complete.
/interface bridge
set br1 vlan-filtering=yes
```
Switch 2 Configuration (VLAN 40 and VLAN 50)
| Port | Role | VLAN |
|---|---|---|
| ether2 | Access | VLAN 40 |
| ether3 | Access | VLAN 50 |
| ether5 | Trunk to FortiGate | Tagged 40,50 |
MikroTik Configuration (Switch 2)
```routeros
# Start from a clean bridge. Note: "remove [find]" deletes every existing
# bridge port and bridge, including any port used for management access.
/interface bridge port remove [find]
/interface bridge vlan remove [find]
/interface bridge remove [find]
# Create the bridge with VLAN filtering still off, so the VLAN table can be
# built before enforcement starts.
/interface bridge
add name=br2 protocol-mode=rstp vlan-filtering=no
/interface bridge port
# ether5: trunk to the FortiGate, accepts only 802.1Q-tagged frames
add bridge=br2 interface=ether5 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# ether2/ether3: access ports, untagged frames are placed in the PVID VLAN
add bridge=br2 interface=ether2 pvid=40 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br2 interface=ether3 pvid=50 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=br2 vlan-ids=40 tagged=br2,ether5 untagged=ether2
add bridge=br2 vlan-ids=50 tagged=br2,ether5 untagged=ether3
# Enable filtering last, once the VLAN table is complete.
/interface bridge
set br2 vlan-filtering=yes
```
Explanation of the Configuration
1. Bridge Creation
/interface bridge
add name=br1 protocol-mode=rstp vlan-filtering=no
A bridge acts as a virtual switch inside MikroTik. All ports participating in VLAN switching must belong to this bridge.
RSTP is enabled to prevent potential loops.
2. Access Ports
Example:
add bridge=br1 interface=ether2 pvid=20
Access ports are used by end devices.
The PVID (Port VLAN ID) assigns untagged traffic entering the port to a specific VLAN.
Example:
A PC connected to ether2 automatically belongs to VLAN 20.
3. Trunk Port
Example:
add bridge=br1 interface=ether4 frame-types=admit-only-vlan-tagged
This port connects the switch to the firewall.
It only accepts tagged VLAN traffic, meaning multiple VLANs can traverse the same physical link.
This is known as an 802.1Q trunk.
4. VLAN Table
Example:
add bridge=br1 vlan-ids=20 tagged=br1,ether4 untagged=ether2
This command defines:
Which VLAN exists
Which ports carry it tagged
Which ports carry it untagged
In this case:
VLAN 20 is tagged on the trunk (ether4)
VLAN 20 is untagged on the access port (ether2)
5. Enabling VLAN Filtering
set br1 vlan-filtering=yes
This activates the VLAN logic.
Without this step, the bridge behaves like a normal Layer-2 switch without VLAN isolation.
Traffic Flow Example
Example: PC in VLAN 20 accessing the network
PC sends untagged traffic to ether2
MikroTik assigns VLAN ID 20 using the PVID
Traffic leaves through ether4 tagged with VLAN 20
FortiGate receives the VLAN 20 packet
FortiGate routes the traffic to other VLANs or the internet
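To make the ingress and egress rules above concrete, the following is an added example (not part of the lab write-up) that models the Switch 1 bridge in Python using the port plan from the tables: PVID assignment, the two frame-types settings, ingress filtering and tagged/untagged egress. The bridge's own CPU port (br1) is left out, and the `forward()` function and frame representation are the example's own assumptions.

```python
# Added example: a small model of the Switch 1 bridge (br1) with vlan-filtering=yes.
# A frame is described by its ingress port and its 802.1Q VLAN id (None = untagged).

BRIDGE_PORTS = {  # mirrors "/interface bridge port" for br1 (default pvid is 1)
    "ether4": {"pvid": 1, "frame_types": "admit-only-vlan-tagged"},
    "ether2": {"pvid": 20, "frame_types": "admit-only-untagged-and-priority-tagged"},
    "ether3": {"pvid": 30, "frame_types": "admit-only-untagged-and-priority-tagged"},
}
BRIDGE_VLANS = {  # mirrors "/interface bridge vlan": vid -> (tagged ports, untagged ports)
    20: ({"ether4"}, {"ether2"}),
    30: ({"ether4"}, {"ether3"}),
}


def ingress(port, vid):
    """Return the VLAN the frame is assigned to, or None if it is dropped at ingress."""
    cfg = BRIDGE_PORTS[port]
    if vid is None:
        if cfg["frame_types"] == "admit-only-vlan-tagged":
            return None              # untagged frame on the trunk: dropped
        vid = cfg["pvid"]            # PVID places untagged traffic in the access VLAN
    elif cfg["frame_types"] == "admit-only-untagged-and-priority-tagged":
        return None                  # tagged frame from an end device: dropped
    tagged, untagged = BRIDGE_VLANS.get(vid, (set(), set()))
    # ingress-filtering=yes: the port must be a member of that VLAN
    return vid if port in tagged | untagged else None


def forward(port, vid, vlan_filtering=True):
    """Flood one frame; return {egress_port: vid on the wire, or None if sent untagged}."""
    if not vlan_filtering:           # step 5 not applied: plain switch, no isolation
        return {p: vid for p in BRIDGE_PORTS if p != port}
    assigned = ingress(port, vid)
    if assigned is None:
        return {}
    tagged, untagged = BRIDGE_VLANS[assigned]
    out = {p: assigned for p in tagged if p != port}      # trunk: keep the tag
    out.update({p: None for p in untagged if p != port})  # access: strip the tag
    return out


if __name__ == "__main__":
    print("PC on ether2 ->", forward("ether2", None))      # {'ether4': 20}
    print("VLAN 30 from FortiGate ->", forward("ether4", 30))  # {'ether3': None}
    print("Tagged frame on access port ->", forward("ether2", 30))  # {}
```

With filtering off, `forward("ether2", None, vlan_filtering=False)` shows the frame reaching ether3 as well, which is the flat-switch behaviour step 5 removes.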
Key Advantages of This Design
✔ Network segmentation
✔ Reduced broadcast domains
✔ Improved security
✔ Centralized routing and security via FortiGate
✔ Easy scalability with additional VLANs
Real Enterprise Architecture
This architecture mirrors real corporate networks:
Users → Access Switch → Trunk → Firewall → Internet / Servers
Layer 2 switching is handled by the switches while Layer 3 routing and security are centralized in the firewall.
FortiGate configuration:
Interfaces and VLANs
SD-CLARO(PORT1)
SD-WAN-ALTICE(PORT2)
Server-connection(port6)
Web-term conection.
Endpoint-conection-sala2
Endpoint-conections-sala1
VLAN-Lab/Test
VLAN-Management
VLAN-ING (Users)
VLAN-SALES (Sales)
Firewall policies:
port4-access
Server-Internet
Internet-access-users
Endpoint connections
LAB/TEST-INTERNET
VLAN50
Management-internet
VLAN-40-SERVER
Internet-access
Sales-Server
Windows server DNS + AD + Users.
DNS
Reverse
Active Directory
Users
Endpoints
WINDOWS10-3
WINDOWS10-2
WINDOWS10-4
WINDOWS10-1
