VLAN subinterfaces not communicating

Forum|Forum|11 years ago
July 3, 2014
7 replies
12690 views

Howdy, I am currently running an EOL Fotrigate 100A (3.00 559). I am trying to move to a newer Fortigate 60D (5.0 something) no wireless. I have created several vlan sub-interfaces under the INTERNAL interface. All the vlans are coming from the same switch then to the FGT for routing internally and if appropriate to the Internet. This worked fine on FGT100A not so much on the FGT60D. There are some physical differences between the FGT100A and the FGT60D but it doesn' t seem they are so different that what was done on the FGT100A shouldn' t work on the FGT60D. Using vlans 101, 102 103, 104 (there are more but I am trying to keep this brief). All vlans are on separate ports on the switch and the FGT unit. When all are connected, only the lowest numbered vlan, 101, can talk to the FGT60D. On vlan 101 I can ping the gateway address on the FGT and I can ping the other gateways on the FGT. None of the other vlans can get a response from the FGT even from thier respective gateway. If I disconnect vlan 101 then vlan 102 will start working, If 101 and 102 are disconnected then vlan 103 will start communicating. There is another vlan (150) that is a sub-interface of the DMZ port. the 150 vlan is coming from the same switch as the other vlans under the INTERNAL interface. The 150 vlan talks to the FGT regardless of the connect state of the INTERNAL vlan sub-interfaces. However no traffic passes through from the 150 vlan to any of the INTERNAL vlan sub-interfaces (at least which ever one is working at the time) or vice-versa. If the vlans are under different physical interfaces they can concurrently communicate to the FGT60D but traffic will not pass from one to the other ( yes, the firewall policies do exist that should allow the traffic to pass). If the vlans are under the same physical interface, only 1 vlan can communicate to the FGT60D. This same setup works fine using the EOL FGT100A. What am I missing? What has changed that this setup does work on the FGT60D? FWIW the switch is an old Dell 5324. Although it is the FGT unit that is being changed out, I understand it may require changes to the switch rather than to the FGT unit.

emnoc

New Member

Qs: What mode is your 60D ports 1-7 in ( hub/switch/internals ) ? Copy of the vlan sub-interface cfg ? what mode of operation are we talking about ( nat or transparent )?

All vlans are on separate ports on the switch and the FGT unit.

If your trying to do this as a switched interface, than I would expect problems like what your describing.

UgadataAuthor

New Member

What mode is your 60D ports 1-7 in ( hub/switch/internals ) ?

not sure - how would I determine what mode it is in? my guess would be it is in whatever the default mode would be. comparing system global setting of the FGT100A to the FGT60D neither shows an explicit mode setting. (the FGT100A does have cc-mode disable)

what mode of operation are we talking about ( nat or transparent )?

It should be nat but again how would I know for sure what mode it is in? OK further checking shows it is in NAT mode

Copy of the vlan sub-interface cfg ?

config system interface edit " dmz" set vdom " root" set ip 192.168.149.1 255.255.255.0 set allowaccess ping set type physical set snmp-index 4 next edit " internal" set vdom " root" set ip 10.0.0.1 255.255.255.0 set allowaccess ping https ssh http fgfm capwap set type physical set snmp-index 1 set secondary-IP enable config secondaryip edit 1 set ip 192.168.184.98 255.255.255.0 set allowaccess ping https next end next edit " 150 Spinnaker" set vdom " root" set ip 192.168.150.5 255.255.255.0 set allowaccess ping set snmp-index 7 set interface " dmz" set vlanid 150 next edit " 10Dot1" set vdom " root" set ip 10.0.1.1 255.255.255.0 set allowaccess ping https set description " Admin Subnet" set snmp-index 18 set interface " internal" set vlanid 101 next edit " 10DOT2" set vdom " root" set ip 10.0.2.1 255.255.255.0 set allowaccess ping https set description " OPS Subnet" set snmp-index 9 set interface " internal" set vlanid 102 next edit " 103 Wireless" set vdom " root" set ip 10.0.3.1 255.255.255.0 set allowaccess ping https set snmp-index 10 set interface " internal" set vlanid 103 next edit " 10Dot4" set vdom " root" set ip 10.0.4.1 255.255.255.0 set allowaccess ping https set description " 10DOT4 Security Camera Subnet" set snmp-index 11 set interface " internal" set vlanid 104 next edit " 147" set vdom " root" set ip 192.168.147.1 255.255.255.0 set allowaccess ping set snmp-index 12 set interface " internal" set vlanid 147 next edit " 1481" set vdom " root" set ip 192.168.148.17 255.255.255.240 set allowaccess ping set snmp-index 13 set interface " internal" set vlanid 1481 next edit " 1482" set vdom " root" set ip 192.168.148.65 255.255.255.224 set allowaccess ping set snmp-index 14 set interface " internal" set vlanid 1482

UgadataAuthor

New Member

Thank you emnoc, OK, your suspicions are correct, it is in switched mode. It is also in NAT mode. Would the old FGT100a have been in Interface mode by default? I don' t see anyway to change the mode on the FGT100A and when I made the configurations it just worked.

emnoc

New Member

So the 60D is using a " switch" interface ? You can confirm via; diag hardware deviceinfo nic switch I personally would convert the FGT to a non-switch mode; and use one of the 1st ports for the tagged uplink to the HP e.g config sys global set internal-switch-mode internal end next, on the HP switch do you have the vlanid set for the vlans ? vlan 150 tag 1 vlan 101 tag 1 vlan 102 tag 1 vlan 103 tag 1 vlan 104 tag 1 vlan 1 untag 1 vlan 1481 tag 1 vlan 1482 tag 1 Assumption are vlan1 is the native vlan for the physical inetrface and port 1 is where your fortigate uplink interface sits

netmin

New Member

You should also consider updating " 5.0 something" to at least 5.0.7. If I remember correctly there were also some VLAN (switch) related bugs resolved in 5.0.5.

UgadataAuthor

New Member

yes, it was in switch mode. I verified through the GUI Network->Network and right clicking on the (at the time) Internal physical interface. A context menu opens and I choose " change mode" with the options being switched or interface mode. It does mean reconfiguring whatever was on the Internal interface since after changing modes you will have 7 individual Interfaces (Internal1, Internal2, ..., Internal7). And you will lose ALL Firewall Policies except the default Implicit policy. So be sure to backup the configuration before making this change (yes, I knew this and had a backup before implementing this change) I still have some work to do before I can test the changes. But I now have some hope that I can get to where I need to get to, Thank You. will check back when I get further down this new path.

UgadataAuthor

New Member

OK, changed from switch mode to interface mode. re-did all FW addressing and FW policies. I have more tests to do before I can say ALL is good for sure but so far everything is working like I had hoped. On the FGT100A the most of the vlans were listed under the Internal interface. (the FGT100A has 2 DMZ ports and 2 vlans were listed under DMZ2 it - the FGT60D only has 1 DMZ port so the DMZ2 vlans were moved under Internal interface). I still need to verify these are going to work as expected but I' m done for today. The vlans 101, 102, 103 and 104 are working concurrently and communicating to each other. The 150 vlan is also working and now is communicating to the other vlans (vlan 150 is listed under the DMZ port on both FGT units) The FGT60D is running 5.0.4 ( build 4317?). I have no problem upgrading to 5.0.7 or even 5.2 but I prefer to ask my ISP first about what they prefer to support. Again Thank You for the help.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded