Description
This article describes how to configure Inter-VLAN routing that will allow different VLANs on the FortiGate to communicate with each other while still maintaining overall network segmentation.
Scope
FortiGate.
Solution
In this example, the FortiGate is connected via the 'fortilink' Aggregate to a downstream FortiSwitch (which will handle the Layer 2 task of applying VLAN tags). Two VLANs will be created on this 'fortilink' interface (VLAN10 and VLAN20) with one computer placed in each VLAN (PC1 and PC2), and Firewall Policies will be created to allow ICMP pings between hosts on these VLANs.
CLI configuration (VLAN10):
config system interface
    edit 'VLAN10'
        set vdom 'root'
        set ip 10.10.10.1 <VLAN10-netmask>
        set role lan
        set interface 'fortilink'
        set vlanid 10
    next
end
(The article does not state the VLAN10 netmask, so <VLAN10-netmask> is a placeholder to replace with the mask used on the network; the VLAN ID of 10 follows the same convention as VLAN20's vlanid of 20.)
GUI configuration (VLAN10):
Note: The 'Create address object matching subnet' toggle has been enabled in the interface settings. This option is only visible for interfaces with the Role set to LAN, and it automatically creates an Interface Address Object for the subnet to which the interface is associated.
For the second VLAN (VLAN20), the interface has been assigned an IP address of 20.20.20.1/25 and a vlanid of 20. The parameters are as follows:
CLI configuration (VLAN20):
config system interface
    edit 'VLAN20'
        set vdom 'root'
        set ip 20.20.20.1 255.255.255.128
        set role lan
        set interface 'fortilink'
        set vlanid 20
    next
end
GUI configuration (VLAN20):
Firewall Policies are only necessary in the original direction of traffic, as reply traffic associated with an active session is automatically allowed back through the FortiGate (i.e., a Firewall Policy is necessary for PC1 to send an ICMP ping to PC2, but PC2's ICMP reply does not require a separate Firewall Policy).
In this scenario, the Service section has been set to the 'PING' service since the PCs only require ICMP ping access to each other. Other services can be specified based on what protocols should match the Firewall Policies (e.g., 'HTTP', 'FTP', or even 'ALL'). The firewall policy for VLAN10 to VLAN20 contains the following parameters:
CLI configuration (VLAN10 to VLAN20 Policy):
config firewall policy
    edit 1
        set name 'VLAN10-to-VLAN20'
        set srcintf 'VLAN10'
        set dstintf 'VLAN20'
        set srcaddr 'VLAN10 address'
        set dstaddr 'VLAN20 address'
        set action accept
        set schedule 'always'
        set service 'PING'
        set nat disable
    next
end
(The source and destination address objects are assumed to be the ones auto-created by the toggle described above, using the default '<interface> address' naming; substitute the object names in use if they differ.)
GUI configuration (VLAN10 to VLAN20 Policy):
The reverse firewall policy for VLAN20 to VLAN10 contains the following parameters:
CLI configuration (VLAN20 to VLAN10 Policy):
config firewall policy
    edit 7
        set name 'VLAN20-to-VLAN10'
        set srcintf 'VLAN20'
        set dstintf 'VLAN10'
        set srcaddr 'VLAN20 address'
        set dstaddr 'VLAN10 address'
        set action accept
        set schedule 'always'
        set service 'PING'
        set nat disable
    next
end
(As with the first policy, the address object names assume the default '<interface> address' naming of the auto-created objects.)
GUI configuration (VLAN20 to VLAN10 Policy):
NAT was not enabled in this case since the two VLANs are locally connected and the FortiGate is configured as the default gateway for the two PCs. For more information on NAT, refer to the following documentation: What Is Network Address Translation (NAT)?
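As an added example (not part of the article and not a Fortinet tool), the following Python checker parses firewall policies written in FortiOS CLI syntax and flags inter-VLAN accept policies that quietly undo the segmentation this article preserves: the 'ALL' service, the 'all' address object, or NAT enabled between locally-connected VLANs. The configuration text is constructed, and the address object names 'VLAN10 address' and 'VLAN20 address' are assumed.

```python
import shlex
# Constructed FortiOS CLI sample (not from the article): the PING-only policy plus an over-broad one.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set name 'VLAN10-to-VLAN20'
        set srcintf 'VLAN10'
        set dstintf 'VLAN20'
        set srcaddr 'VLAN10 address'
        set dstaddr 'VLAN20 address'
        set action accept
        set service 'PING'
    next
    edit 7
        set name 'VLAN20-to-VLAN10'
        set srcintf 'VLAN20'
        set dstintf 'VLAN10'
        set srcaddr 'all'
        set dstaddr 'all'
        set action accept
        set service 'ALL'
        set nat enable
    next
end
"""

def parse_policies(text):
    """Map policy id -> {setting: [values]} from a 'config firewall policy' block."""
    policies, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # shlex keeps quoted values like 'VLAN10 address' whole
        head = tokens[0] if tokens else ""
        if head == "edit":
            current = policies.setdefault(int(tokens[1]), {})
        elif head == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif head == "next":
            current = None
    return policies

RULES = {
    "service ALL": lambda p: "ALL" in p.get("service", []),
    "address object 'all'": lambda p: "all" in p.get("srcaddr", []) + p.get("dstaddr", []),
    "NAT enabled between locally-connected VLANs": lambda p: p.get("nat") == ["enable"],
}

def audit_segmentation(policies):
    """Return (policy id, reason) for every accept policy that trips a rule in RULES."""
    return [(pid, why) for pid, p in policies.items() if p.get("action") == ["accept"]
            for why, hit in RULES.items() if hit(p)]
```

Running `audit_segmentation(parse_policies(SAMPLE_CONFIG))` reports nothing for policy 1 and three findings for policy 7.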
On PC1, send an ICMP ping towards PC2 (20.20.20.100):
C:\Users\PC1_User>ping 20.20.20.100

Pinging 20.20.20.100 with 32 bytes of data:
Reply from 20.20.20.100: bytes=32 time=1ms TTL=127
Reply from 20.20.20.100: bytes=32 time=1ms TTL=127
Reply from 20.20.20.100: bytes=32 time<1ms TTL=127
Reply from 20.20.20.100: bytes=32 time<1ms TTL=127
Likewise, on PC2, send an ICMP ping towards PC1 (10.10.10.100):
C:\Users\PC1_User>ping 10.10.10.100

Pinging 10.10.10.100 with 32 bytes of data:
Reply from 10.10.10.100: bytes=32 time=1ms TTL=127
Reply from 10.10.10.100: bytes=32 time=1ms TTL=127
Reply from 10.10.10.100: bytes=32 time<1ms TTL=127
Reply from 10.10.10.100: bytes=32 time<1ms TTL=127
If there are any communication issues, check the PCs to ensure that the FortiGate IP addresses have been set as the default gateway (10.10.10.1 and 20.20.20.1 for VLAN10 and VLAN20, respectively), and verify whether the local firewall settings on the PCs are blocking ICMP traffic.
On the FortiGate side of things, check the traffic flow using the following CLI debug commands:
diagnose debug reset
diagnose debug flow filter reset
diagnose debug flow filter addr x.x.x.x         <--- x.x.x.x is the IP address to filter for.
diagnose debug flow show function-name enable
diagnose debug flow trace start 100             <--- show up to 100 packets in the debug flow output.
diagnose debug enable
Copyright 2025 Fortinet, Inc. All Rights Reserved.