J_One
New Member
August 7, 2018
Question

Multiple virtual interfaces

  • August 7, 2018
  • 1 reply
  • 10787 views

Hello everyone, I'm trying to set up my 40C with multiple virtual interfaces. I simply followed this guide: http://kb.fortinet.com/kb....do?externalId=FD33738

Which basically comes down to:

FGT40C-3 # config system interface
FGT40C-3 (interface) # edit 'myvlan interface'
new entry 'myvlan interface' added
FGT40C-3 (test) # set interface internal
FGT40C-3 (test) # set vlanid 100
FGT40C-3 (test) # set ip 192.168.100.254/24
FGT40C-3 (test) # set vdom root
FGT40C-3 (test) # end

I created the routes: IP 192.168.100.254/24 --> gateway 0.0.0.0 --> device wan1

And finally I created a policy to allow all outgoing traffic from 192.168.100.254/24 to the wan interface.

My setup is:
Fortigate 40C
TP-Link SG108 (which holds the VLAN IDs)
Intel NUC with ESXi 6.5 (where I created the port groups based on the VLAN IDs)

When I connect one of my VMs to one of the newly created interfaces I can't get anything to work.

Any thoughts?

 

1 reply

Iescudero
New Member
August 7, 2018

Hi there!

Maybe this is a dumb comment, but can you double check your route?

It should look something like this:

 

config router static
edit 1
set gateway 172.100.20.5
set device wan1
set dst 0.0.0.0/0
next
end

 

And then, what I would do is this:

 

1) Check on your internal interface whether you see any traffic with this:

diagnose sniffer packet internal

 

If you see packets like these:

0.553565 802.1Q vlan#100 P0
1.553430 802.1Q vlan#100 P0

That would mean that your switch and VM host configuration is right; otherwise it is not, so you will have to check that.

 

2) Assuming that you saw packets with the VLAN tag, what you have to do now is analyze that traffic. For instance, you can ping a Google DNS server from a host in VLAN 100:

 

diagnose sniffer packet myvlan interface "host 192.168.100.10 and icmp"

0.822234 192.168.100.10 -> 8.8.8.8: icmp: echo request

 

3) Finally, you can debug this traffic to see what's going on:

diagnose debug flow filter saddr 192.168.100.10

diagnose debug flow filter daddr 8.8.8.8

diagnose debug flow filter proto 1

diagnose debug flow show console enable

diagnose debug flow trace start 100

diagnose debug enable

 

Then you should look at the output and check whether you see something like this:

"iprope_in_check() check failed, drop"  or "Denied by forward policy check"  or "reverse path check fail, drop"

 

Hope it helps!
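The three steps above (sniff for 802.1Q tags on the internal port, then read the debug flow output for a drop reason) are easy to mis-read by eye when the capture is long. The following is an added example, not code from this thread or from FortiOS: a small Python triage helper that runs over constructed sample output modelled on the lines quoted above. The sample sniffer and debug flow lines, the expected VLAN set {100, 200} and the hint text per drop reason are assumptions for the illustration; the three drop-reason strings are the ones quoted in the reply.

```python
"""Triage helper for the FortiGate VLAN troubleshooting steps above.

Added example (not from the thread or from FortiOS). It parses constructed
sample output of `diagnose sniffer packet internal` and `diagnose debug flow`
and answers two questions: which VLAN tags actually reach the internal port,
and why the flow engine dropped a packet.
"""
import re
from collections import Counter

# Sniffer summary line shape quoted in the reply: "<time> 802.1Q vlan#<id> P<prio>".
# One quoted line lacked the space before "P0", so the regex tolerates "vlan#100P0".
SNIFFER_VLAN_RE = re.compile(r"^\s*\d+\.\d+\s+802\.1Q\s+vlan#(\d+)\s*P\d")

# Drop reasons quoted in the reply, mapped to what to check next (hints are assumptions).
DROP_REASONS = {
    "iprope_in_check() check failed": "implicit deny / local-in check on the ingress interface",
    "Denied by forward policy check": "no firewall policy matches this src/dst/service",
    "reverse path check fail": "no route back to the source subnet via the ingress interface (RPF)",
}

# Constructed sample sniffer output: two tagged frames for VLAN 100 (one with the
# missing space as quoted), one untagged frame, and no VLAN 200 frames at all.
SAMPLE_SNIFFER = """\
interfaces=[internal]
filters=[none]
0.553565 802.1Q vlan#100 P0
1.553430 802.1Q vlan#100P0
2.104211 192.168.1.20.51234 -> 192.168.1.99.443: syn 1234567
3.553571 802.1Q vlan#100 P0
"""

# Constructed sample debug flow output ending in a forward-policy denial.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.168.100.10:1->8.8.8.8:2048) from myvlan. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5524 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-0.0.0.0 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=586 msg="Denied by forward policy check (policy 0)"
"""


def vlan_tags_seen(sniffer_output):
    """Count 802.1Q frames per VLAN ID in sniffer output (step 1 of the reply)."""
    counts = Counter()
    for line in sniffer_output.splitlines():
        m = SNIFFER_VLAN_RE.match(line)
        if m:
            counts[int(m.group(1))] += 1
    return counts


def missing_vlans(sniffer_output, expected):
    """VLAN IDs we expected on the trunk but never saw tagged frames for."""
    return sorted(set(expected) - set(vlan_tags_seen(sniffer_output)))


def classify_drops(debug_flow_output):
    """Return (reason, hint) for every debug flow line carrying a known drop reason (step 3)."""
    findings = []
    for line in debug_flow_output.splitlines():
        for reason, hint in DROP_REASONS.items():
            if reason in line:
                findings.append((reason, hint))
                break
    return findings


def triage(sniffer_output, debug_flow_output, expected_vlans):
    """Walk the reply's steps and return plain-text verdicts."""
    verdicts = []
    seen = vlan_tags_seen(sniffer_output)
    missing = missing_vlans(sniffer_output, expected_vlans)
    if missing:
        verdicts.append(f"step 1: no 802.1Q frames for VLAN(s) {missing} on internal; "
                        "check the switch trunk port and the ESXi port group VLAN IDs")
    else:
        verdicts.append(f"step 1: tags present for all expected VLANs: {dict(seen)}")
    drops = classify_drops(debug_flow_output)
    for reason, hint in drops:
        verdicts.append(f"step 3: '{reason}' -> {hint}")
    if not drops and not missing:
        verdicts.append("step 3: no known drop reason in debug flow output")
    return verdicts


if __name__ == "__main__":
    for verdict in triage(SAMPLE_SNIFFER, SAMPLE_DEBUG_FLOW, expected_vlans={100, 200}):
        print(verdict)
```

Paste real captures in place of the two sample strings; the VLAN regex only matches the summary line the sniffer prints at verbosity 1, so run the sniffer without a verbose level or with level 1.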

sw2090
SuperUser
August 7, 2018

Probably you have a mistake in your policy (If you set it like you wrote here).

You have to allow the traffic from the whole subnet 192.168.100.0/24.

Routes have to be for the net too.
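The mistake pointed out here (entering the interface address 192.168.100.254/24 where the subnet 192.168.100.0/24 belongs, in both the route and the policy) is exactly what the standard library's `ipaddress.ip_network(..., strict=True)` rejects. As an added example, not from the thread or from FortiOS, the following audits a constructed list of configured address entries, reports those with host bits set, gives the corrected network form, and confirms the interface address actually sits inside it. The entry names and values are assumptions modelled on the original post.

```python
"""Audit route/policy address entries for host bits (added example, not FortiOS code)."""
import ipaddress

# Constructed entries modelled on the original post: (where it is used, value entered).
# Only the interface IP legitimately carries host bits; routes and policies take subnets.
ENTRIES = [
    ("static route dst", "192.168.100.254/24"),
    ("policy srcaddr", "192.168.100.254/24"),
    ("interface ip", "192.168.100.254/24"),
]

SUBNET_FIELDS = {"static route dst", "policy srcaddr"}


def check_network_entry(value):
    """Return (ok, network). ok is False when value has host bits set; network is the fix."""
    try:
        net = ipaddress.ip_network(value, strict=True)
        return True, str(net)
    except ValueError:
        # strict=False masks off the host bits, giving the subnet the author meant.
        return False, str(ipaddress.ip_network(value, strict=False))


def audit(entries):
    """List (field, entered value, corrected subnet) for every subnet field with host bits."""
    findings = []
    for where, value in entries:
        if where not in SUBNET_FIELDS:
            continue
        ok, corrected = check_network_entry(value)
        if not ok:
            findings.append((where, value, corrected))
    return findings


def interface_in_subnet(interface_ip, subnet):
    """True if the interface address (with its mask) belongs to the given subnet."""
    return ipaddress.ip_interface(interface_ip).network == ipaddress.ip_network(subnet)


if __name__ == "__main__":
    for where, entered, corrected in audit(ENTRIES):
        print(f"{where}: {entered} has host bits set; use {corrected}")
    print("interface inside corrected subnet:",
          interface_in_subnet("192.168.100.254/24", "192.168.100.0/24"))
```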

 

J_One
New Member
August 8, 2018

Hello guys, apologies for the late reply.

 

I tried/checked all of the above (re-entered the route), but I don't see any traffic from VLAN 200 when I enter 'diagnose sniffer packet internal'.

And I'm pretty sure the VLANs are correct because it is basically the same setup as before, just a few extra VLANs.