jadacime
Staff
September 5, 2023

Troubleshooting Tip: How to configure ISP WAN IPv4 with VLAN (Layer 3)

Description: This article describes how to configure an ISP IPv4 WAN on a VLAN (Layer 3).

Scope: FortiGate v6.0.0 and above.

Solution:

For GUI:

Go to Network -> Interfaces.

  1. Create a VLAN interface over the WAN interface:
  • Select Type: VLAN.
  • Select the VLAN ID (number provided by the ISP).
  • Define the Role: WAN.
  • Enter the IP address with the correct subnet mask (or leave DHCP if that is the case).
  • Define the Administrative Access for this VLAN; it works the same way as on a physical interface.
  • Select 'OK'.

Remember that this information is provided by the ISP.

  2. After creation, create the static route pointing to this new VLAN interface.

Go to Network -> Static Routes.

  • Create New.
  • Define the Gateway address.
  • Leave the destination as 0.0.0.0/0, as this is the default.
  • Select the interface ISP_L3.
  • Leave the default configuration for Administrative Distance and Priority.
  • Select 'OK'.

  3. After creating the objects in the steps above, modify the LAN to WAN policy and ALL policies that referenced the WAN interface as the main outgoing interface, so that traffic to the internet is allowed:
  • Select the Outgoing interface: the VLAN that was created.
  • Select 'OK'.

Configure the interface from the CLI console:

config system interface
    edit "ISP_L3"
        set vdom "root"
        set ip 181.181.181.186 255.255.255.248
        set allowaccess ping https http
        set role wan
        set snmp-index 19
        set interface "port2"
        set vlanid 100
    next
end

Configure the static route from the CLI console:

FGTAWS (3) # show
config router static
    edit 3
        set gateway 181.181.181.185
        set device "ISP_L3"
    next
end

Modify the policy from the CLI console:

config firewall policy
    edit 7
        set status enable
        set name "To_INTERNET"
        set uuid 3730360e-4b5f-51ee-66bd-1481a21243de
        set srcintf "port3"
        set dstintf "ISP_L3" <----- This is the new VLAN interface; the name depends on the configuration.
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
end
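
A post-change check for the three steps above, as an added example that is not part of the original article and is not Fortinet code: it parses a saved configuration and flags cleartext administrative access (http, telnet) on a WAN-role VLAN, and policies whose outgoing interface is still the VLAN's parent port. It assumes flat config/edit/set blocks and that the parent port no longer carries internet traffic; the names `parse` and `audit` and policy 8 in the sample are constructed for illustration.

```python
import re
# Constructed sample (article values); policy 8 is a hypothetical leftover on the parent port.
SAMPLE = """
config system interface
    edit "ISP_L3"
        set allowaccess ping https http
        set role wan
        set interface "port2"
        set vlanid 100
    next
end
config firewall policy
    edit 7
        set dstintf "ISP_L3"
    next
    edit 8
        set dstintf "port2"
    next
end
"""

def parse(text):
    # Flat config/edit/set blocks -> {section: {entry: {key: [values]}}}
    cfg, section, entry = {}, None, None
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if tok[:1] == ["config"]:
            section, entry = cfg.setdefault(" ".join(tok[1:]), {}), None
        elif tok[:1] == ["edit"] and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[:1] == ["set"] and entry is not None:
            entry[tok[1]] = tok[2:]
    return cfg

def audit(cfg):
    findings = []
    for name, i in cfg.get("system interface", {}).items():
        if "vlanid" not in i:
            continue  # only VLAN sub-interfaces are checked
        parent = i["interface"][0]
        weak = sorted({"http", "telnet"} & set(i.get("allowaccess", [])))
        if i.get("role") == ["wan"] and weak:  # step 1: admin access on the WAN VLAN
            findings.append(f"{name}: WAN role allows {'/'.join(weak)} admin access")
        for pid, p in cfg.get("firewall policy", {}).items():  # step 3: stale policies
            if parent in p.get("dstintf", []):
                findings.append(f"policy {pid}: dstintf is still {parent}, not {name}")
    return findings
if __name__ == "__main__":
    print("\n".join(audit(parse(SAMPLE))))
```

To check a real device, pass the text of a configuration backup to `audit(parse(text))`; an empty list means neither condition was found.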

 

 

If there is any doubt about how to create a VLAN, check the following documents:

  • Configure the VLAN interfaces on FortiVoice and FortiGate
  • Technical Tip: How to create a VLAN tagged interface (802.1q) on a FortiGate - tagged/untagged traffic