Description
This article describes how to create multiple subnets with vlan0 while connected to a Layer 2 switch and as a requirement, the subnets have to talk to each other even though the switch is not aware of the VLAN configuration.
Scope
Deployment example:
Solution
Without the VLAN interface configured on the FortiGate and with L2 switches the solution would be to configure all subnets on the FortiGate interface with one primary subnet and the reset as secondaries and create a firewall policy where:
- Incoming and outgoing interfaces are the same interface.
- Source and destination addresses are the same subnets configured on the interface as primary and secondary addresses.
config system interface
Atlantis-kvm97 (interface) # edit "port3"
config sys inter
config system interface
edit "port3"
set vdom "root"
set ip 192.168.10.1 255.255.255.0
set allowaccess ping
set type physical
set snmp-index 3
set secondary-IP enable
config secondaryip
edit 1
set ip 192.168.20.1 255.255.255.0
next
edit 2
set ip 192.168.30.1 255.255.255.0
set allowaccess ping
next
end
Firewall policy:
config firewall policy
edit 1
set name "Test"
set uuid eff88a4e-2597-51ee-54d5-821301a3017a
set srcintf "port3"
set dstintf "port3"
set action accept
set srcaddr "192.168.10.0" "92.168.20.0" "92.168.30.0"
set dstaddr "192.168.10.0" "92.168.20.0" "92.168.30.0"
set schedule "always"
set service "ALL"
set nat enable
next
end
In v7.0.14+, v7.2.6+, and v7.4.0+, an additional option is needed for this traffic to work.
'allow traffic redirect' should be disabled for traffic ingressing and egressing the same interface to pass.
See this article for more info: Technical Tip: How to allow traffic when using the same logical interface for ingress and egress wit...
