Transparent VLAN between LAN and WAN

Question

Hello.I searched forum, google and reddit and still can't do it. Our ISP manage our switches in lan. He have his router connected to our FG WAN and his switch connected via trunk on our FG aggregate (HA1+HA2). I have 2 VLANs on WAN interface - VLAN 99 (internet) and VLAN 6 (switch management).On LAN side (aggregate port) I have a few vlans in trunk included VLAN 6. Fortigate run in NAT mode, internet on all VLANs working fine. However i need do transparent config for VLAN 6 - between connection on WAN side and connection on LAN (HA) side. How can i do this? I read this - https://community.fortinet.com/t5/FortiGate/Technical-Note-Configure-a-FortiGate-unit-in-Transparent-mode/ta-p/194458 and this https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/402940/vlanIt's the same, based on informations in articles it should work but not working for me, I don't know why. Next I want to try Virtual pairs - https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/335884/using-vlan-sub-interfaces-in-virtual-wire-pairs - but cannot select any of members - list is empty, despide the fact I have no configuration on VLAN 6 interfaces. I saw something like l2forward or vlanforward or forward-domain parametres on interfaces, but have no idea how it works and if it's what I need. In manual I see only infromations like "it enable ... or it disable..", buť no practical info:( Thank you for your tips.Rob

Raghu_Kumar · Answer

Hello Robert,Thank you for the detailed information. Based on your current setup and requirements, here are the key steps and considerations to help you achieve a transparent VLAN configuration between the WAN (VLAN 6) and LAN:    Transparent VLAN Overview: Since FortiGate is in NAT mode and you require VLAN 6 to be forwarded transparently between WAN and LAN, the typical routing/NAT functions won’t work as expected. You’ll need to configure the VLAN in a way that bypasses these NAT functions.     Using Virtual Wire Pairs: Virtual wire pairs can help bridge VLAN traffic transparently. The issue you're facing where the list of members is empty could be related to the existing configuration on the aggregate port. Ensure that VLAN 6 is free from any other bindings or policies before you configure it for a virtual wire pair.     Steps:  Remove any policies or references to VLAN 6 interfaces. Navigate to Network > Interfaces. Create a virtual wire pair between the WAN and LAN interfaces, making sure to select VLAN 6 on both sides. After that, create a firewall policy allowing traffic through the virtual wire pair.      Forwarding Domain: If you're seeing parameters like l2forward, vlanforward, or forward-domain, these are part of FortiGate’s layer 2 forwarding configuration options. These allow certain interfaces or VLANs to be linked at Layer 2, which means traffic can be forwarded without NAT or routing.Try this approach:  Set up l2forward or forward-domain between the interfaces where you want the transparent forwarding. You can enable this using the CLI by assigning both VLAN 6 interfaces (WAN and LAN) to the same forward domain. Example:config system interfaceedit VLAN_6_WANset forward-domain 10nextedit VLAN_6_LANset forward-domain 10end  Verification: After configuring the virtual wire pair or forwarding domain, verify that VLAN 6 traffic is passing transparently between WAN and LAN without being processed by the FortiGate’s NAT functions. Ensure that management traffic on VLAN 6 is reaching the switch correctly.    If these solutions don’t work or if you're still facing challenges, feel free to share more details, and we’ll help you troubleshoot further.Thanks,

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded