Skip to main content
iannoobie123
iannoobie123
New Member
October 6, 2018
Solved

FortiGate E100 and Aruba 2930F L3 switch VLAN routing issue in FortiGate

  • October 6, 2018
  • 1 reply
  • 9479 views

Hi All,

 

Good Day,

 

Thank you in advance for your time to read this and helping me to solve this problem.

 

Currently I have a setup like this

 

On Fortigate I remove port 2 and port 3 on the lan profile and configured as VLAN's each assigned to VLAN10 and VLAN20

 

ON VLAN10 --- > 10.10.0.1/24 - Untagged (Internet Access Hosts)

ON VLAN20 --- > 192.168.0.1/24 - Untagged (LAN Only)

 

Port 1-10 - VLAN10

Port 11-20 - VLAN20

 

Now my issue is this,

 

I've created the profile and rules as well as IP address that will be used by the VLANS in NAT/Route Mode in Fortinet

But My hosts that needs internet can't seem to route them.

 

Should I configure the VLAN's ports to be trunked so fortigate sees all ports as one? I want fortigate to do the routing so it makes sense that i will not define a default gateway in my vlans. 

 

I'm new to Fortinet and I've seen a lot of guides but no solid answer and I'm hoping if anyone here can give me one. Any help or advise is appreciated. 

 

Regards,

 

Ian

 

 

Best answer by sw2090

hard to say with such few details.

 

On a FGT you usually have a vlan as virtual interface that is bound to a physical one.

And then you have to have polices to allow your traffic that have the vlan interface as destination or source.

That's the way I do it here on our FGTs.

 

e.g

 

FGT Port1 (=physical interface) (static ip of our default subnet) - connected to switch

        + vlan1 (virtual vlan interface) VID 11 (static ip of vlan 11 subnet) [on FGT this will always be untagged!]

 

Switch: Uplink Port (physical interface connected to FGT Port1) is untagged in VID 1 (default vlan) [because HP switches want to have every port untagged in one vlan] AND tagged in VID 11. 

Ports that have to access (ONLY) VID 11 are Untagged in VID11 and not in any other VID.

Ports that have to access more VIDs have to be tagged in all of them. In this case the device connected to those has to do the correct vlan tagging on packets.

 

Then on FGT e.g. have Policy:

 

Source Interface: vlan 11

Destination Interface: WAN (Internet)

Source: vlan 11 subnet

Destination: any

Service: all

NAT: enabled (use ip of Destination Interface) [dnat]

 

Clients in vlan11 must have the vlan 11 subnet ip of the virtual interface  as default gw!

 

To clarify:

 

Untagged: Switch considers packets that come in on this port not to be vlan tagged and will then tag all packets with the vlan the port is untagged in. If a packet does have a vlan tagging it will be overwritten unless the port is als tagged in this vlan.

 

tagged: Switch will not touch vlan tagging on packets on this port at all. If the port is not untagged in one vlan it will then only accept packets with vids the port is tagged in.

1 reply

sw2090
SuperUser
sw2090Answer
SuperUser
October 10, 2018

hard to say with such few details.

 

On a FGT you usually have a vlan as virtual interface that is bound to a physical one.

And then you have to have polices to allow your traffic that have the vlan interface as destination or source.

That's the way I do it here on our FGTs.

 

e.g

 

FGT Port1 (=physical interface) (static ip of our default subnet) - connected to switch

        + vlan1 (virtual vlan interface) VID 11 (static ip of vlan 11 subnet) [on FGT this will always be untagged!]

 

Switch: Uplink Port (physical interface connected to FGT Port1) is untagged in VID 1 (default vlan) [because HP switches want to have every port untagged in one vlan] AND tagged in VID 11. 

Ports that have to access (ONLY) VID 11 are Untagged in VID11 and not in any other VID.

Ports that have to access more VIDs have to be tagged in all of them. In this case the device connected to those has to do the correct vlan tagging on packets.

 

Then on FGT e.g. have Policy:

 

Source Interface: vlan 11

Destination Interface: WAN (Internet)

Source: vlan 11 subnet

Destination: any

Service: all

NAT: enabled (use ip of Destination Interface) [dnat]

 

Clients in vlan11 must have the vlan 11 subnet ip of the virtual interface  as default gw!

 

To clarify:

 

Untagged: Switch considers packets that come in on this port not to be vlan tagged and will then tag all packets with the vlan the port is untagged in. If a packet does have a vlan tagging it will be overwritten unless the port is als tagged in this vlan.

 

tagged: Switch will not touch vlan tagging on packets on this port at all. If the port is not untagged in one vlan it will then only accept packets with vids the port is tagged in.

iannoobie123
iannoobie123Author
New Member
October 11, 2018

Hi sw2090,

 

Good Day,

 

I've managed to solve this issue last week and sorry for late response. 

 

What I did was, to connect my switch to FGT and disably aruba2930f layer3 on those VLAN's i need and tagged an uplink port to FGT and untagged to those of VLANS switches.

 

Appreciate your response and it was also helpful for future reference. 

 

Thank you and Regards,

 

Ian

Terms & ConditionsAccessibility statement