rickarderiksson
New Member
February 20, 2025
Solved

VLAN Routing to external gateway


Hi.

I have a Cisco switch configured with gateway IP at 10.24.111.65. The switch is connected to the FortiGate through a trunk with VLAN 101 tagged. I'm trying to do VLAN routing from my VLAN1, which is configured with its gateway in the FortiGate, to VLAN101 with the Cisco switch as gateway.

I have created VLAN101 in the FortiGate without an address.

Firewall policies from-to VLAN1-VLAN101.

Static route Destination 10.24.111.64/255.255.255.192, Gateway 10.24.111.65 and Interface VLAN101

I cannot ping the gateway or any devices on VLAN 101 from VLAN 1. (Reply from 192.168.80.254: Destination host unreachable.)

The devices on VLAN101 are showing up in the FortiGate users & devices under VLAN101.

What am I doing wrong?

The Cisco and all devices connected to it are supplied by a third-party supplier and I cannot do any configuration on that network.

Best answer by Toshi_Esumi


3 replies

Toshi_Esumi
SuperUser
February 20, 2025

Why did you decide not to configure an IP on the VLAN101 interface on the FGT? Just like any other router, like Cisco, without the IP with a proper subnet mask, that GW subnet wouldn't be in the routing table, so the GW is not reachable from the FGT. The static route as a result wouldn't show in the routing table either.

Check with "get router info routing-table all" to see the routing table.

Toshi

rickarderiksson
New Member
February 20, 2025

Hi,

Wouldn't that create a new gateway on that subnet?

Thanks,

Toshi_Esumi
SuperUser
February 20, 2025

Check the routing table now, then configure an IP like 10.24.111.66/26 on the VLAN101 interface, then check the routing table again with "get router info routing-t all". You should be able to ping the GW IP at that time.

Static routes (and any other routes provided via routing protocols) provide instructions on how to reach those destination subnets that are NOT on the router, in your case your FGT, by instructing it to send those packets to the GW IP, which has to be reachable.
This is the very basics of "routing" or a router.

Toshi
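The behaviour described in the reply above, as an added example that is not part of the original thread and is not FortiOS code: a simplified routing-table model in which a static route only becomes active when its gateway sits on a connected subnet of the outgoing interface. The /24 mask on VLAN1 and the 198.51.100.0/24 subnet behind the switch are assumptions made for illustration; the other addresses come from the posts.

```python
import ipaddress

def build_rib(interfaces, static_routes):
    """Active routes as (network, kind, gateway, interface) tuples."""
    rib, connected = [], {}
    for name, addr in interfaces.items():
        if addr is None:              # no IP on the interface: no connected route
            continue
        net = ipaddress.ip_interface(addr).network
        connected[name] = net
        rib.append((net, "connected", None, name))
    for dest, gw, ifname in static_routes:
        net = ipaddress.ip_network(dest)
        on_link = ifname in connected and ipaddress.ip_address(gw) in connected[ifname]
        if not on_link:               # gateway not reachable: route stays inactive
            continue
        if any(r[0] == net for r in rib):
            continue                  # same prefix is already connected, which wins
        rib.append((net, "static", gw, ifname))
    return rib

def lookup(rib, dst):
    """Longest-prefix match; None means there is no route to dst."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in rib if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

# Constructed sample data.
STATICS = [
    ("10.24.111.64/26", "10.24.111.65", "VLAN101"),  # static route from the post
    ("198.51.100.0/24", "10.24.111.65", "VLAN101"),  # hypothetical subnet behind the switch
]
VLAN1 = "192.168.80.254/24"                          # mask is an assumption
BEFORE = build_rib({"VLAN1": VLAN1, "VLAN101": None}, STATICS)
AFTER = build_rib({"VLAN1": VLAN1, "VLAN101": "10.24.111.66/26"}, STATICS)

if __name__ == "__main__":
    for label, rib in (("VLAN101 without IP", BEFORE), ("VLAN101 = 10.24.111.66/26", AFTER)):
        print(label)
        for dst in ("10.24.111.65", "198.51.100.10"):
            print("  ", dst, "->", lookup(rib, dst))
```

With the address in place, 10.24.111.64/26 is reached through the connected route, so the static route for that same prefix adds nothing; only routes to subnets beyond the switch need the gateway.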

rickarderiksson
New Member
February 20, 2025

Hi, I tried this. I got one successful ping after setting the IP to 10.24.111.66/26 on VLAN101:

Reply from 192.168.80.254: Destination host unreachable.
Reply from 192.168.80.254: Destination host unreachable.
Reply from 10.24.111.65: bytes=32 time=2006ms TTL=253
Request timed out.
Request timed out.

But it works to ping other devices on that subnet/vlan.

Thank you!

dingjerry_FTNT
Staff
February 20, 2025

Hi @rickarderiksson,

The VLAN ID 1 is reserved on FGT, so if you configure a VLAN interface with ID 1, it may not work.

Please try another VLAN ID.