azwanarif
New Member
November 8, 2016
Question

Control same sub interface VLAN traffic


Hi All,


As per the subject above, our client is using a FortiGate 100D as a router on a stick with multiple sub-interface VLANs.

Their objective is to block same-segment traffic on one of the VLANs, for example by creating a policy that blocks all PC-to-PC communication within the sub-interface VLAN1.


Is this policy or method achievable? Thanks


    oheigl
    New Member
    November 8, 2016

    You want to block traffic within a VLAN which is connected to the FortiGate? That's not possible, because the layer 2 traffic is not going to/through the firewall if it stays in the same VLAN. You would need to configure this on the switch the PCs are connected to. Maybe check out this link: https://en.wikipedia.org/wiki/Private_VLAN

    ede_pfau
    SuperUser
    November 8, 2016

    I just thought you could force the hosts to use routing, thus involving the FGT as their router.

    Specify the host's address as "a.b.c.d/32", and its default gateway as the FGT VLAN port address. I wonder if that would work...


    Of course, oheigl is right in stating that intra-VLAN traffic is on Layer 2 and so the FGT is not involved. Controlling connections by application on the switch would be quite an advanced feature for such a device. Maybe you can get away with specifying the ports used (like tcp/135, 137, 138, 139, 445)...

    oheigl
    New Member
    November 8, 2016

    Really interesting view, Ede. I wonder if that's going to work, because how can he reach the gateway IP address if it's not in the same subnet (a /32 only has the one host, so theoretically he can't access anything other than itself)?


    I don't mean by application in this case, just that the clients can only access the physical port the FortiGate is connected to. I saw this configuration once at a customer's site; he only allowed the servers in a VLAN to reach the monitoring server and nothing else. If you want to filter on an application basis my suggestion is useless though.
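The two points argued above (ede_pfau's /32 idea and oheigl's objection that a /32 host cannot reach a gateway outside its subnet) both come down to the host's own forwarding decision, so here is a small simulation of that decision. This is an added example, not code from the thread or from Fortinet; all addresses are hypothetical and the route table model is a simplified longest-prefix match, enough to show when a host ARPs for the destination directly (frame stays in the VLAN, firewall never sees it) versus when it hands the packet to the gateway.

```python
"""
Simulate a host's IP forwarding decision to show why intra-VLAN traffic
bypasses a router-on-a-stick firewall, and what a /32 host address changes.
Constructed example: addresses, route tables and host names are hypothetical.
"""
import ipaddress


def longest_prefix_match(routes, dst):
    """Return the (network, next_hop) entry with the longest prefix covering dst.

    routes: list of (prefix, next_hop); next_hop is None for on-link
    ("connected") routes and an IP string for routes that go via a gateway.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def forwarding_decision(routes, dst):
    """Describe what the host does with a packet for dst.

    'direct'      : dst is on-link; the host ARPs for dst and the switch
                    delivers the frame inside the VLAN. The firewall is
                    never consulted, which is oheigl's point.
    'via <gw>'    : the host ARPs for the gateway and sends the packet to
                    it, so a firewall policy on the gateway can decide.
    'unreachable' : no route, or the gateway itself is not on-link, which
                    is oheigl's objection to a plain /32 configuration.
    """
    match = longest_prefix_match(routes, dst)
    if match is None:
        return "unreachable"
    _, next_hop = match
    if next_hop is None:
        return "direct"
    # The next hop must itself resolve to an on-link route, or the host
    # cannot ARP for it and the default route is useless.
    gw_match = longest_prefix_match(routes, next_hop)
    if gw_match is None or gw_match[1] is not None:
        return "unreachable"
    return f"via {next_hop}"


def host_routes(addr, prefixlen, gateway, onlink_gateway=False):
    """Routes a host derives from its address configuration.

    addr/prefixlen yields the connected route and gateway the default route.
    onlink_gateway adds the explicit host route (gateway/32 on the interface)
    that a /32-addressed host needs in order to ARP for a gateway that is
    outside its own "subnet".
    """
    connected = ipaddress.ip_interface(f"{addr}/{prefixlen}").network
    routes = [(str(connected), None), ("0.0.0.0/0", gateway)]
    if onlink_gateway:
        routes.append((f"{gateway}/32", None))
    return routes


FGT_VLAN1_GW = "192.168.10.1"   # hypothetical FortiGate VLAN1 sub-interface address
PC_A = "192.168.10.11"          # hypothetical PCs in VLAN1
PC_B = "192.168.10.12"
SERVER = "10.0.0.5"             # hypothetical host in another VLAN

if __name__ == "__main__":
    normal = host_routes(PC_A, 24, FGT_VLAN1_GW)
    print("/24 host -> PC_B  :", forwarding_decision(normal, PC_B))     # direct
    print("/24 host -> SERVER:", forwarding_decision(normal, SERVER))   # via 192.168.10.1

    bare32 = host_routes(PC_A, 32, FGT_VLAN1_GW)
    print("/32 host, gateway not on-link -> PC_B:", forwarding_decision(bare32, PC_B))  # unreachable

    fixed32 = host_routes(PC_A, 32, FGT_VLAN1_GW, onlink_gateway=True)
    print("/32 host + on-link gateway -> PC_B  :", forwarding_decision(fixed32, PC_B))    # via 192.168.10.1
    print("/32 host + on-link gateway -> SERVER:", forwarding_decision(fixed32, SERVER))  # via 192.168.10.1
```

The third case is exactly oheigl's objection: with only a /32 connected route, the default gateway is not on-link and the host can reach nothing. The fourth case shows what makes the /32 idea work: an explicit on-link host route for the gateway (on Linux, `ip addr add 192.168.10.11/32 dev eth0`, `ip route add 192.168.10.1/32 dev eth0`, then `ip route add default via 192.168.10.1`), after which every packet, including PC-to-PC traffic in the same VLAN, is handed to the FortiGate and becomes subject to its policies. Two caveats a practitioner would want noted: the FortiGate must then be willing to forward traffic that enters and leaves the same VLAN sub-interface, and the control lives entirely on the host, so a PC that is reconfigured to a /24 (or any rogue device plugged into the VLAN) is back to case one. That is why the switch-side private VLAN oheigl mentions is the enforcement point; the host trick only makes well-behaved hosts route.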