Question
New Contributor III, August 24, 2010

Software switch with VLAN sub interfaces = no go !?

9307 views
Evening all, have logged this with Fortinet support but thought I would try the neighborly approach as well ;)

Setup:
- Two ports configured as a software switch; this switch has no IP assigned and no management access of any kind.
- A VLAN subinterface was created on the software switch; this was assigned an IP and management access as well as ping.
- An ESX test server connected to each switch port (trunk) with suitably tagged test VM in place.
- Firewall NAT policy in place to allow hosts on the VLAN out to the internet.

Issue:
The two VM test servers are able to talk to each other across the firewall's two switch ports via the VLAN subinterface. No problem here; they can ping the gateway address also, no prob. They can also ping out to the internet as expected. The issue is the hosts are NOT able to actually load a web page from the internet, or even the local network (outside of the VLAN); browsers just sit there waiting for the return data after DNS lookups are done.

This is strange because:
- The same test VM servers can access the internet perfectly when the subinterface is on one physical port and not a soft switch.
- The same test VM servers can access the internet perfectly when connected to a soft switch directly (no VLAN subinterface).
- All of the expected routes are shown in the route monitor, and pings to the internet work flawlessly, as do DNS lookups.
- I can telnet from a test server to a web server on port 80 no problem.

So there seems to be either some configuration step I have missed that is required for using VLAN subinterfaces AND soft switches together ... or a bug? or something else ... ?

    20 replies

    Carl_Wallmark
    New Member
    August 26, 2010
    did you try the new Patch 2 ?
    New Contributor III
    August 26, 2010
    Have downloaded and installed just now (thanks for the reminder!) and will test it out today ... can't see anything in the release notes so not holding out much hope for it.
    New Contributor III
    August 26, 2010
    I can confirm there is no change with patch 2
    Carl_Wallmark
    New Member
    August 27, 2010
    but it did work when you lowered the MTU value ?
    New Contributor III
    August 27, 2010
    When the server NIC MTU is lowered everything is fine, yes; it's not really a great permanent system-wide fix though.
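The symptom pattern in this thread (ping, DNS lookups and a bare TCP connect all succeed, but full-size page data never arrives, and a lower NIC MTU makes it work) is what a path looks like when full-size frames with the Don't-Fragment bit set are dropped without any ICMP "fragmentation needed" coming back. The script below is an added example, not code from the thread or from Fortinet: it binary-searches the largest IP packet that crosses a path, using Linux iputils `ping -M do -s <payload>` as the probe, and includes an offline simulated probe so the search logic can be exercised without a network. The 576/1500 search bounds and the 2-second timeout are assumptions.

```python
"""Path-MTU probe: find the largest DF-marked IPv4 packet a path will carry.

Added example for diagnosing an MTU black hole; not part of the original
thread. Assumes Linux iputils ping for the live probe.
"""
import subprocess
import sys
from typing import Callable

IP_HEADER = 20    # IPv4 header without options
ICMP_HEADER = 8   # ICMP echo header


def payload_for_mtu(mtu: int) -> int:
    """ICMP echo payload size that yields an IP packet of exactly `mtu` bytes."""
    return mtu - IP_HEADER - ICMP_HEADER


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest MTU in [lo, hi] whose DF-marked echo still gets a reply.

    `probe(payload)` must return True when an echo with that payload and DF set
    is answered. The search assumes the usual monotonic behaviour: sizes at or
    below the path MTU pass, larger ones are dropped.
    """
    if not probe(payload_for_mtu(lo)):
        raise RuntimeError(f"even {lo}-byte packets are dropped; path is down or lo is too large")
    while lo < hi:
        mid = (lo + hi + 1) // 2          # bias upward so the loop terminates on lo == hi
        if probe(payload_for_mtu(mid)):
            lo = mid                      # mid fits: the answer is mid or larger
        else:
            hi = mid - 1                  # mid dropped: the answer is below mid
    return lo


def ping_df_probe(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Live probe: one echo with DF set (-M do) and the given payload (-s)."""
    def probe(payload: int) -> bool:
        result = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        return result.returncode == 0     # 0 only when a reply came back
    return probe


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Offline stand-in for a black-hole path: DF packets above path_mtu vanish
    silently (no ICMP error), everything at or below it is answered."""
    def probe(payload: int) -> bool:
        return payload + IP_HEADER + ICMP_HEADER <= path_mtu
    return probe


if __name__ == "__main__":
    # Usage: python pmtu_probe.py <host>   (no host: run against the simulated path)
    if len(sys.argv) > 1:
        mtu = find_path_mtu(ping_df_probe(sys.argv[1]))
    else:
        mtu = find_path_mtu(simulated_probe(1400))   # constructed: a path capped at 1400
    print(f"largest DF packet that crosses the path: {mtu} bytes "
          f"(ICMP payload {payload_for_mtu(mtu)})")
```

A result well below the interface MTU on a path that never returns "fragmentation needed" is the fingerprint of the black hole; the defensive fixes are to let the ICMP errors through, to clamp TCP MSS on the firewall for that interface, or to lower the MTU on the affected interface rather than on every host NIC.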
    Carl_Wallmark
    New Member
    August 29, 2010
    and Fortinet doesn't agree that it is a bug?
    New Contributor III
    August 29, 2010
    I've not received any response from them since the 25th!! Not very impressive; I'll post another follow-up message to them now and see if anyone is home.
    FortiRack_Eric
    New Member
    September 1, 2010
    Why would one use a software switch on a FG unit? Especially in combination with VLANs. Even if it would work (which I doubt with VLANs) all traffic would go through CPU!!! Thus seriously degrading performance. What kind of FG are you using? Furthermore, if you lower MTU on FG then the NIC connected to the FG must have matching MTU.
    ede_pfau
    SuperUser
    September 1, 2010
    Interesting aspect. When using "type=switch" on an interface I never thought of NPU usage before. Haven't used this feature often but only for "renaming" ports: instead of "port13(wan1)" -> "port12(internal)" in the policy list, it would read "wan1->internal" which is way clearer. In all I know of 3 ways to change the port name: - alias - zone - switch (with only 1 member). The alias feature is half-baked as cited above: the alias does not replace the port name but is appended only. Ugly and error-prone. Zone and switch definition (in this respect only) are the same to me; would you think in terms of performance that a zone def would be less detrimental to performance than the switch def? (I can imagine that looking at this usage from the perspective of performance and NPU usage could make you feel bad for the rest of the day... but it's creative usage at least.)
    ede_pfau
    SuperUser
    September 1, 2010
    ...the 200B has no issue with 5 Mbps via CPU at all...
    New Contributor III
    September 1, 2010
    I'll create a quick diagram in the morning to illustrate why the switch and VLAN combination is desired; essentially it's to control traffic flow between two WAN end points of the same subnet (one side local to the firewall and one geographically remote). I had not considered CPU utilisation for this setup; the circuit is 5MBit.