Technical Note: Configure a FortiGate unit in Transparent mode with trunks (802.1q - VLANs) and forwarding domains
Purpose
This article describes how to set up a FortiGate unit in Transparent mode in the presence of trunks carrying multiple VLANs (802.1q tagged interfaces).
Scope
FortiGate units or VDOMs, configured in Transparent mode.
Diagram
The following diagram illustrates this example:
It is assumed that the trunk is a single physical interface with VLANs 102 and 103.
Expectations, Requirements
The FortiGate unit must filter traffic from port2 to port3 and vice versa.
This article does not cover any aspects of content inspection (no protection profile).
Configuration
Step 1: Create VLANs and forwarding domains
In order to avoid any L2 issue due to broadcast domain overlap and packets looping back on the trunk, assign each pair of VLAN interfaces to a unique forwarding domain. This creates, for each VLAN, an independent broadcast domain on the FortiGate unit and confines all broadcast and multicast traffic to the interfaces belonging to the same forward-domain.
config system interface
    edit "vlan102_intern"
        set forward-domain 102
        set interface "port2"
        set vlanid 102
    next
    edit "vlan102_extern"
        set forward-domain 102
        set interface "port3"
        set vlanid 102
    next
    edit "vlan103_intern"
        set forward-domain 103
        set interface "port2"
        set vlanid 103
    next
    edit "vlan103_extern"
        set forward-domain 103
        set interface "port3"
        set vlanid 103
    next
end
Note that the forward-domain ID can be different from the VLAN ID, but it is recommended, for troubleshooting and readability, to keep them the same.
Step 2: Create the appropriate Firewall Policies
config firewall policy
    edit 1
        set srcintf "vlan102_extern"
        set dstintf "vlan102_intern"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2
        set srcintf "vlan102_intern"
        set dstintf "vlan102_extern"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 3
        set srcintf "vlan103_intern"
        set dstintf "vlan103_extern"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 4
        set srcintf "vlan103_extern"
        set dstintf "vlan103_intern"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
Notes:
- Firewall Policies can only be created between interfaces that belong to the same forwarding domain.
- By default, if a tagged packet is received on a FortiGate physical interface that has no VLAN interface configured matching the VLAN ID of the packet, the packet is forwarded to all physical interfaces in the same VDOM without any policy being required. In this example, a tagged packet with VLAN ID 5 received on port2 would be forwarded as-is on port3 even with no policy configured. To block such packets, configure "set vlanforward disable" on each physical interface (port2 and port3 in this example).
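As an added example, not part of this note and not Fortinet tooling, the following Python lint reads an exported FortiOS configuration and checks the two points above: that the interfaces of each policy share a forward-domain, and that every physical port carrying a VLAN interface has vlanforward disabled. The embedded sample configuration is constructed for the example and contains a deliberate forward-domain typo on vlan103_extern.

```python
# Added offline lint for an exported FortiOS config: flags policies whose two interfaces sit in
# different forward-domains, and parent ports left at the default 'vlanforward enable'.
def parse_fortios(text):
    cfg, section, entry = {}, None, None  # flat 'config / edit / set' subset, no nesting
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            section, entry = cfg.setdefault(line[7:], {}), None
        elif line.startswith("edit ") and section is not None:
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
    return cfg

def lint(text):
    cfg = parse_fortios(text)
    ifaces, findings = cfg.get("system interface", {}), []
    for pid, pol in cfg.get("firewall policy", {}).items():
        # FortiOS default forward-domain is 0 when the setting is absent from the interface
        src, dst = (ifaces.get(pol.get(k), {}).get("forward-domain", "0") for k in ("srcintf", "dstintf"))
        if src != dst:
            findings.append(f"policy {pid}: interfaces in different forward-domains ({src} vs {dst})")
    for port in sorted({i["interface"] for i in ifaces.values() if "interface" in i}):
        if ifaces.get(port, {}).get("vlanforward", "enable") != "disable":
            findings.append(f"{port}: vlanforward not disabled, unmatched VLAN tags bypass policy")
    return findings

# Constructed sample: vlan103_extern carries a forward-domain typo and port3 keeps the default.
SAMPLE_CONFIG = """config system interface
    edit "port2"
        set vlanforward disable
    next
    edit "vlan103_intern"
        set forward-domain 103
        set interface "port2"
        set vlanid 103
    next
    edit "vlan103_extern"
        set forward-domain 102
        set interface "port3"
        set vlanid 103
    next
end
config firewall policy
    edit 3
        set srcintf "vlan103_intern"
        set dstintf "vlan103_extern"
    next
end"""
```

Running lint(SAMPLE_CONFIG) reports the forward-domain mismatch on policy 3 and the missing vlanforward setting on port3; correcting the typo leaves only the port3 finding.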
Verification
Troubleshooting
To verify if traffic flows or troubleshoot any issue, please refer to any of the methods described in the related articles at the end of this page.
Related Articles
Troubleshooting Tip : How to use the FortiGate sniffer and debug flow in presence of NP2 ports
Technical Tip : Troubleshoot and verify if traffic is hitting a Firewall Policy
Troubleshooting Tool: Using the FortiOS built-in packet sniffer