VLANS in fortinet 30E

Hello,

I need help configuring VLANs and DHCP for my clinic Wi-Fi setup. Here’s my setup and the issue I am facing:

Setup / Concept:

• Goal: Segregate Wi-Fi into 3 SSIDs:

  • Corp → VLAN11 → Internal network (192.168.11.0/24)

  • Employees → VLAN20 → Separate subnet (192.168.20.0/24)

  • Guest → VLAN30 → Separate subnet (192.168.30.0/24) with captive portal

• Firewall: FortiGate 30E Firmware v6.2.15 build1378

  • Acts as DHCP server for all VLANs.

  • firewall Port lan2 used as uplink to my managed switch.

  • VLAN sub-interfaces on lan2:

    • lan2.11 → VLAN ID 11 → IP = 0.0.0.0 (since lan1 is already 192.168.11.1)

    • lan2.20 → VLAN ID 20 → IP = 192.168.20.1/24, DHCP enabled

    • lan2.30 → VLAN ID 30 → IP = 192.168.30.1/24, DHCP enabled

• Switch: D-Link DGS-1210-10P (Managed PoE)

  • Port 8 = Uplink to FortiGate lan2 (untagged VLAN11,tagged VLAN 20 & 30)

  • Switch management IP = 192.168.11.7

  • Ports 1,2,3 = For UniFi U7-Pro APs (untagged VLAN11, tagged VLAN20 + 30)

• Controller: UniFi virtual controller at 192.168.11.50 (inside VLAN11)

• APs: 3× UniFi U7-Pro (need management IP from VLAN11, and SSID VLANs 20/30 passed)

Issue / Problem:

• When connecting a PC to switch port 1 (untagged VLAN11, tagged VLAN20/30), it does not get an IP from FortiGate DHCP.

• Switch management IP (192.168.11.7) is reachable if PC uses static IP, but DHCP is not working.

• VLAN20 and VLAN30 also not providing DHCP IPs.

• I suspect either:

  • FortiGate VLAN sub-interface setup is incorrect (lan2.11 IP = 0.0.0.0 might be the problem)

Question / Help Needed:

• How should I correctly configure FortiGate VLAN sub-interfaces, especially VLAN11 since lan1 is already 192.168.11.1?

• How should I configure the D-Link switch uplink port and AP ports so that VLAN11, 20, and 30 all get DHCP from FortiGate and APs adopt correctly?

Thank you in advance for guidance.