chethan
Explorer II
May 11, 2022
Solved

Inter-VLAN routing issues - FortiGate

  • May 11, 2022
  • 12 replies
  • 36712 views

Hello everyone,

 

Before implementing the following configuration in production I'm testing it out in GNS3 and I'm facing issues with Inter-VLAN routing. I have configured FortiGate to act as router-on-a-stick.

 

  1. I have created VLAN 100 and VLAN 200 on the switch and allowed them over the trunk interface that is connected to the FortiGate. Configured the ports connecting the end devices as access ports.
  2. Created the same VLANs on the FortiGate and attached them to the interface that is connected to the switch.
  3. Created the required firewall policies, VLAN 100 -> VLAN 200 and VLAN 200 -> VLAN 100.
  4. From a device in VLAN 100, I'm able to ping the VLAN 100 SVI IP address and the SVI IP address on VLAN 200, but I am unable to reach the other device in VLAN 200, and vice versa.
  5. The packet sniffer on the FortiGate shows that it is receiving the packet on the VLAN 100 interface but it is not sending it out of the VLAN 200 interface.

Please find the attached images for reference. I believe I'm not missing anything here. Any suggestions would be helpful.

 

 

Network Diagram:

 

chethan_1-1652270777734.png

 

Firewall Policies:

 

chethan_2-1652270777739.png

 

VLAN Interface details:

 

chethan_3-1652270777742.png

 

Sniffer Output:

 

chethan_4-1652270777744.png

 

Thank you

 

 

 

IMPORTANT UPDATE: 

 

Hey everyone,

 

This is important I guess,

 

I just replaced the new FortiGate running FortiOS 7.2 with FortiOS 6.4.9, and inter-VLAN routing is happening now without any problem.

 

I have the same configuration in place as the one I had earlier.

 

Is this a bug or anything in 7.2 release? Can the Fortinet staff confirm this please?

 

Please find my updated screenshots:

 

chethan_0-1652357915030.png

 

PC1 to PC2:

chethan_1-1652357937273.png

 

PC2 to PC1:

chethan_2-1652357956362.png

 

Thank you

 

 

 

 

Best answer by jintrah_FTNT


12 replies

aionescu
Staff
May 11, 2022

Hi chethan,

 

This is a very nicely explained issue.


Can you run the following commands and update us with the output?

 

Assuming the source is 10.0.100.10 and destination 10.0.200.10

 

Stop the traffic and clear any possible existing sessions between the hosts:

diagnose sys session filter src 10.0.100.10
diagnose sys session filter dst 10.0.200.10
diagnose sys session clear

confirm that there is no session with

diagnose sys session list

 

Run a debug flow while generating traffic
diagnose debug flow filter addr 10.0.100.10
diagnose debug flow trace start 100
diagnose debug enable

 

Collect the arp entries on the device:
get system arp

chethan (Author)
Explorer II
May 11, 2022

Thank you aionescu,

 

Here are the outputs for the following commands:

 

FortiOS-VM64-KVM # diag sys session filter src 10.0.100.10

FortiOS-VM64-KVM # diag sys session filter dst 10.0.200.10

FortiOS-VM64-KVM # diag sys sess cl
ambiguous command before 'sess'

FortiOS-VM64-KVM # diag sys session clear

FortiOS-VM64-KVM # diag sys session list
total session 0

FortiOS-VM64-KVM # diag deb flow filter addr 10.0.100.10

FortiOS-VM64-KVM # diag deb flow trace start 100

FortiOS-VM64-KVM # diag deb en

FortiOS-VM64-KVM # id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.100.10:30945->10.0.200.10:2048) tun_id=0.0.0.0 from VLAN100. type=8, code=0, id=30945, seq=1."
id=65308 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-0000035b, tun_id=0.0.0.0"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.200.10 via VLAN200"
id=65308 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.100.10:31457->10.0.200.10:2048) tun_id=0.0.0.0 from VLAN100. type=8, code=0, id=31457, seq=2."
id=65308 trace_id=2 func=init_ip_session_common line=6076 msg="allocate a new session-0000036a, tun_id=0.0.0.0"
id=65308 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.200.10 via VLAN200"
id=65308 trace_id=3 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.100.10:31969->10.0.200.10:2048) tun_id=0.0.0.0 from VLAN100. type=8, code=0, id=31969, seq=3."
id=65308 trace_id=3 func=init_ip_session_common line=6076 msg="allocate a new session-00000379, tun_id=0.0.0.0"
id=65308 trace_id=3 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.200.10 via VLAN200"
id=65308 trace_id=4 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.100.10:32481->10.0.200.10:2048) tun_id=0.0.0.0 from VLAN100. type=8, code=0, id=32481, seq=4."
id=65308 trace_id=4 func=init_ip_session_common line=6076 msg="allocate a new session-00000382, tun_id=0.0.0.0"
id=65308 trace_id=4 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.200.10 via VLAN200"
id=65308 trace_id=5 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.100.10:32993->10.0.200.10:2048) tun_id=0.0.0.0 from VLAN100. type=8, code=0, id=32993, seq=5."
id=65308 trace_id=5 func=init_ip_session_common line=6076 msg="allocate a new session-00000384, tun_id=0.0.0.0"
id=65308 trace_id=5 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.200.10 via VLAN200"

FortiOS-VM64-KVM #
FortiOS-VM64-KVM # get system arp
Address Age(min) Hardware Addr Interface
10.0.200.10 3 00:50:79:66:68:01 VLAN200
192.168.233.1 0 00:50:56:c0:00:08 mgmt
10.0.100.10 1 00:50:79:66:68:00 VLAN100
192.168.233.2 0 00:50:56:f3:62:fc mgmt
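As an added example (not part of this thread), a small Python script that groups debug flow lines like the ones above by trace_id and reports the last stage each packet reached. Trace 1 is taken from the output above; the constructed trace 9 adds the fw_forward_handler policy-match line a forwarded packet would normally log, and the wording of that line is an assumption, not something shown in this thread.

```python
import re
# Constructed sample: trace 1 is copied from the thread's own debug flow output
# (received, session allocated, route found, then nothing); trace 9 is a
# constructed trace with the policy-match line a forwarded packet would log.
# The wording of that fw_forward_handler message is an assumption, not from this thread.
SAMPLE = """\
id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.100.10:30945->10.0.200.10:2048) tun_id=0.0.0.0 from VLAN100. type=8, code=0, id=30945, seq=1."
id=65308 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-0000035b, tun_id=0.0.0.0"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.200.10 via VLAN200"
id=65308 trace_id=9 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.100.10:40001->10.0.200.10:2048) tun_id=0.0.0.0 from VLAN100. type=8, code=0, id=40001, seq=1."
id=65308 trace_id=9 func=init_ip_session_common line=6076 msg="allocate a new session-00000400, tun_id=0.0.0.0"
id=65308 trace_id=9 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.200.10 via VLAN200"
id=65308 trace_id=9 func=fw_forward_handler line=990 msg="Allowed by Policy-1:"
"""
LINE_RE = re.compile(r'trace_id=(\d+) func=(\w+) line=\d+ msg="(.*)"')
PKT_RE = re.compile(r'\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\).* from (\S+)\.')
# Order matters: a healthy trace passes through these stages in sequence.
STAGES = {"print_pkt_detail": "received", "init_ip_session_common": "session allocated",
          "vf_ip_route_input_common": "route found", "fw_forward_handler": "policy matched"}

def parse_traces(text):
    """Group debug flow lines by trace_id, recording addresses, interfaces and stages reached."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, func, msg = int(m.group(1)), m.group(2), m.group(3)
        t = traces.setdefault(tid, {"stages": [], "policy": None})
        if func in STAGES:
            t["stages"].append(STAGES[func])
        if func == "print_pkt_detail" and (p := PKT_RE.search(msg)):
            t.update(src=p.group(1), dst=p.group(2), ingress=p.group(3))
        elif func == "vf_ip_route_input_common" and (r := re.search(r"via (\S+)$", msg)):
            t["egress"] = r.group(1)
        elif func == "fw_forward_handler" and (pm := re.search(r"Policy-(\d+)", msg)):
            t["policy"] = int(pm.group(1))
    return traces

def diagnose(trace):
    """Return (last stage reached, verdict); a trace ending at 'route found' was never policy-matched."""
    last = trace["stages"][-1] if trace["stages"] else "none"
    if last == "policy matched":
        return last, f"forwarded {trace.get('ingress')}->{trace.get('egress')} by policy {trace['policy']}"
    return last, f"stalled after '{last}': no policy match or forward logged"

if __name__ == "__main__":
    for tid, t in sorted(parse_traces(SAMPLE).items()):
        print(f"trace {tid}: {t.get('src')} -> {t.get('dst')}:", *diagnose(t))
```

Run against a full `diagnose debug flow` capture, a trace that stops at "route found" on every packet points at the policy lookup rather than at routing or ARP.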

aionescu
Staff
May 12, 2022

Hello Chethan,

 

Is there any VIP configured?

Also, are you able to ping 10.0.200.10 from the FortiGate? What is your ping result with source 10.0.100.254?

agodbole
Staff
May 11, 2022

Hi Chethan

 

Can you run a sniffer on the FortiGate when you ping devices in a different VLAN?

Also, one of the most common issues if you have Windows machines is the Windows firewall, so if they are Windows machines I would suggest disabling that before you run the sniffer.

chethan (Author)
Explorer II
May 11, 2022

Hi agodbole,

 

There are no Windows endpoints. I have attached the screenshot for the sniffer in my original post.

 

FortiGate receives the packet on its incoming VLAN interface but it is not forwarded to the outgoing VLAN interface. 

 

Eg:

source: 10.0.100.10 (end device in VLAN 100)

destination: 10.0.200.10 (end device in VLAN 200)

Ping Fails.

 

source: 10.0.100.10 (end device in VLAN 100)

destination: 10.0.200.254 (VLAN 200 SVI IP address)

Ping Succeeds.

 

These are directly connected subnets for FortiGate

 

 

 

seshuganesh
Staff
May 12, 2022

Hi chetan,

 

Ignore: there are only in packets in the sniffer, no out packets, so this reply won't help.

can you get this output:

execute ping-options source 10.0.100.254

execute ping 10.0.200.10

 

execute ping-options reset

execute ping-options source 10.0.200.254

execute ping 10.0.200.10

 

Please get both these outputs

chethan (Author)
Explorer II
May 12, 2022

Hi seshuganesh,

 

It can ping.

chethan_4-1652347922391.png

 

Thank you

seshuganesh
Staff
May 12, 2022

In this case, is it possible to take packet capture in switch to check what is happening with this traffic?

I believe the firewall is forwarding the packets.

sw2090
SuperUser
May 12, 2022

Hm, what is in the address objects (VLAN 100 address, VLAN 200 address)? To reach the whole subnet it has to be a subnet or IP range.

 

Also, do PC1 and PC2 have a static route to the "opposite" VLAN with the FGT as gateway? Or do they have the FGT as default gateway? If neither is the case, the traffic from client to client in the other VLAN will never hit the FGT, hence it would take the wrong route.

chethan (Author)
Explorer II
May 12, 2022

Hi,

Thank you for responding.

 

The address objects are subnets not individual IP addresses.

chethan_1-1652347382369.png

 

chethan_0-1652347354427.png

 

Yes, the PCs are configured with the default gateway on each VLAN.

 

If it were not configured, the device in VLAN 100 would not be able to ping VLAN 200 interface IP and vice versa.

 

PC1 output:

chethan_2-1652347693992.png

 

PC2 Output:

chethan_3-1652347718918.png

 

 

 

 

seshuganesh
Staff
May 12, 2022

@chethan 

Ignore: no out packets in the sniffer, so this reply won't help.

Hi chetan,

 

can you get this output:

execute ping-options source 10.0.100.254

execute ping 10.0.200.10

 

execute ping-options reset

execute ping-options source 10.0.200.254

execute ping 10.0.200.10

 

Please get both these outputs

sw2090
SuperUser
May 12, 2022

Hm, ok, so you can ping the FGT in VLAN 200 from PC1 in VLAN 100 and the FGT in VLAN 100 from PC2 in VLAN 200. So that means the routing on the PC is good (if not, that wouldn't work) and traffic does hit the FGT with the correct VID.

Sounds more like some kind of isolation is enabled on the VLANs somewhere. I never had that on our FGT though. So maybe your L2 switch is causing this?

chethan (Author)
Explorer II
May 12, 2022

Hi, I have mentioned you in another similar reply. 

 

Thank you

SveN2
New Member
May 12, 2022

Hi,

Looking at the sniffer, the echo request reaches the firewall but does not leave it.
From my experience, 99% of the time I had a similar issue it was either routing or firewall policy.
I understand no routing is required as both VLANs are directly connected.
And from the other screenshot the firewall policy looks good, too.
But have you checked the logs on the FortiGate anyway? Is the log showing any denies?
Are you sure the objects used in the policy have the correct IP configured?
Because that has happened to me multiple times. The object name looks good but the IP configured in that object had an error like two digits in the wrong order or something.

 

chethan (Author)
Explorer II
May 12, 2022

Hello, 

 

I have enabled all logs, but I do not see any violation logs there. 

Yes, the objects are configured correctly. Those are subnet address type. I have attached the screenshot in my previous replies.

 

 

jintrah_FTNT
Staff
May 12, 2022

Hi Chethan,

 

It appears that the FortiGate itself is not able to reach 10.0.200.10 in the first place; did you check? Is it possible to gather the below debug flows while pinging 10.0.200.10:

 

#diag deb reset

#diag deb flow trace start 5

#diag deb flow filter proto 1

#diag deb flow filter add 10.0.100.10

#diag deb flow show con en

#diag deb flow show fun en

#diag deb con time en

#diag deb en

 

Best regards,

Jin

 

sw2090
SuperUser
May 12, 2022

but 10.0.200.254 is a vlan interface on the FortiGate - how can the FGT not reach its own interfaces?

jintrah_FTNT
Staff
May 12, 2022

Edited the original post; it was meant to be 10.0.200.10 instead.

 

Best regards,

Jin

jintrah_FTNT
Staff
May 12, 2022

Hi Chethan,

 

If you upgrade the new FortiGate from 6.4.9 to 7.2 following the upgrade paths, are you hitting the same issue?

 

Best regards,

Jin

chethan (Author)
Explorer II
May 12, 2022

Hi, 

 

I'm testing in a lab environment. I directly downloaded 7.2 and 6.4.9 and am running them individually.

I did not upgrade from a previous version.

 

 

jintrah_FTNT
Staff
May 12, 2022

That's understood... But I am checking with you: if you upgrade the working FortiGate following the upgrade paths, are you seeing the same behavior? Also, if the issue persists, could you fetch the output of the debug flow commands posted in my initial response? I am eager to see what policy ID it is matching, among other info.

 

Best regards,

Jin

chethan (Author)
Explorer II
May 12, 2022

Sure, I'll test that out soon and keep you posted.

sw2090
SuperUser
May 12, 2022

Hm, I tested it on my lab FGT60 that runs 7.0.3.

Hooked an old HP ProCurve 2524 to it, created VID 100 and 200 on it, and made one port untagged in 100 and one untagged in 200 on it.

Created both VLANs on a port of the FGT. Created policies and services for ping as there are none by default, and it works fine.

Maybe in 6.4.9 there still is a working factory ping service one can choose in a policy which does not exist in 7.x anymore?

Basically you need two services for ping:

ICMP Echo (ICMP Protocol #8 with no code)

ICMP Echo Reply (ICMP Protocol #0 with no code)

With both added to the policies, I can ping from my laptop, which is on the 2524 on the port untagged in VLAN 100, to the RPi 400, which is on the 2524 on the port in VLAN 200, and vice versa. I can also ping the FGT in both VLANs from both VLANs.

 

chethan (Author)
Explorer II
May 13, 2022

Hi, I tested by allowing all services as well just to make sure. But no luck.

It is working on 7.0.x versions but not on 7.2.

Maybe it's happening only with me. Don't know.

jintrah_FTNT
Staff
May 13, 2022

Hi Chethan,

 

I tested this on a 7.2 device and it is found to work, so the issue should be local to your environment only.

 

jintrah_FTNT_0-1652428999364.png

jintrah_FTNT_1-1652429192067.png

 

jintrah_FTNT_2-1652429279470.png

 

best regards,

Jin