FortiGate
AnthonyH
Staff
Article Id 275524
Description: This article describes how to configure Inter-VLAN routing that will allow different VLANs on the FortiGate to communicate with each other while still maintaining overall network segmentation.
Scope: FortiGate.
Solution

In this example, the FortiGate is connected via the 'fortilink' Aggregate to a downstream FortiSwitch (which will handle the Layer 2 task of applying VLAN tags). Two VLANs will be created on this 'fortilink' interface (VLAN10 and VLAN20) with one computer placed in each VLAN (PC1 and PC2), and Firewall Policies will be created to allow ICMP pings between hosts on these VLANs.

[Image: Inter-VLAN_Routing_Diagram.png]

1. Create the VLANs: From the GUI, go to Network -> Interface and select Create New -> Interface. In this scenario, VLAN10 is configured with 'fortilink' as the parent interface, a vlanid of 10, and an IP address of 10.10.10.1/25:

CLI configuration (VLAN10):

config system interface
    edit 'VLAN10'
        set vdom 'root'
        set ip 10.10.10.1 255.255.255.128
        set allowaccess ping
        set role lan
        set interface 'fortilink'
        set vlanid 10
    next
end

GUI configuration (VLAN10):

[Image: Vlan10.PNG]

Note:

The 'Create address object matching subnet' toggle has been enabled in the interface settings. This option is only visible for interfaces with the Role set to LAN, and it automatically creates an interface address object matching the subnet assigned to the interface.

For the second VLAN (VLAN20), the interface has been assigned an IP address of 20.20.20.1/25 and a vlanid of 20. The parameters are as follows:

CLI configuration (VLAN20):

config system interface
    edit 'VLAN20'
        set vdom 'root'
        set ip 20.20.20.1 255.255.255.128
        set allowaccess ping
        set role lan
        set interface 'fortilink'
        set vlanid 20
    next
end

GUI configuration (VLAN20):

[Image: Vlan20.PNG]

2. Create the Firewall Policies and Address Objects. From the GUI, go to Policy and Objects -> Firewall Policy and select Create New. Two firewall policies will be necessary here: one policy to allow traffic initiated from VLAN 10 towards VLAN 20, and another policy to allow traffic initiated from VLAN 20 towards VLAN 10.

Firewall Policies are only necessary in the original direction of traffic, as reply traffic associated with an active session is automatically allowed back through the FortiGate (i.e., a Firewall Policy is necessary for PC1 to send an ICMP ping to PC2, but PC2's ICMP reply does not require a separate Firewall Policy).

In this scenario, the Service section has been set to the 'PING' service since the PCs only require ICMP ping access to each other. Other services can be specified based on what protocols should match the Firewall Policies (e.g., 'HTTP', 'FTP', or even 'ALL'). The firewall policy for VLAN10 to VLAN20 contains the following parameters:

CLI configuration (VLAN10 to VLAN20 Policy):

config firewall policy
    edit 1
        set name 'VLAN10-to-VLAN20'
        set srcintf 'VLAN10'
        set dstintf 'VLAN20'
        set action accept
        set srcaddr 'VLAN10 address'
        set dstaddr 'VLAN20 address'
        set schedule 'always'
        set service 'PING'
    next
end

GUI configuration (VLAN10 to VLAN20 Policy):

[Image: fp1.PNG]


The reverse firewall policy for VLAN20 to VLAN10 contains the following parameters:

CLI configuration (VLAN20 to VLAN10 Policy):

config firewall policy
    edit 7
        set name 'VLAN20-to-VLAN10'
        set srcintf 'VLAN20'
        set dstintf 'VLAN10'
        set action accept
        set srcaddr 'VLAN20 address'
        set dstaddr 'VLAN10 address'
        set schedule 'always'
        set service 'PING'
    next
end

GUI configuration (VLAN20 to VLAN10 Policy):

[Image: fp2.PNG]

NAT was not enabled in this case because the two VLANs are directly connected to the FortiGate and the FortiGate is configured as the default gateway for both PCs. For more information on NAT, refer to the following documentation: What Is Network Address Translation (NAT)?
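As an added example (not part of this article and not FortiOS code), the following Python script parses CLI blocks of the kind shown above and checks the two rules this section relies on: every VLAN pair needs an accept policy in each direction, and srcintf/dstintf must name a defined VLAN interface exactly. The sample configuration it lints is constructed from the article's values, and the parser is assumed to handle only the config/edit/set syntax used on this page.

```python
# Added example (not from the article): lint a FortiOS CLI snippet for the two-direction policy rule and mistyped interface names.
# Constructed sample: the article's VLANs and first policy, with a leading space in ' VLAN20' kept on purpose so the check flags it.
SAMPLE = """
config system interface
    edit 'VLAN10'
        set ip 10.10.10.1 255.255.255.128
        set vlanid 10
    next
    edit 'VLAN20'
        set ip 20.20.20.1 255.255.255.128
        set vlanid 20
    next
end
config firewall policy
    edit 1
        set srcintf 'VLAN10'
        set dstintf ' VLAN20'
        set action accept
    next
end
"""

def parse(text):
    """Return {table: {entry: {key: value}}} from config/edit/set lines."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[7:]
            tables.setdefault(table, {})
        elif line.startswith("edit "):
            entry = line[5:].strip("'\"")
            tables[table][entry] = {}
        elif line.startswith("set "):
            key, _, val = line[4:].partition(" ")
            tables[table][entry][key] = val.strip("'\"")  # quotes off, inner spaces kept
    return tables

def check_inter_vlan(text):
    """Flag policies naming unknown interfaces and VLAN pairs with no accept policy."""
    cfg = parse(text)
    vlans = {n for n, a in cfg.get("system interface", {}).items() if "vlanid" in a}
    policies = cfg.get("firewall policy", {})
    unknown = [pid for pid, p in policies.items()
               if p.get("srcintf") not in vlans or p.get("dstintf") not in vlans]
    allowed = {(p.get("srcintf"), p.get("dstintf"))
               for p in policies.values() if p.get("action") == "accept"}
    missing = sorted((s, d) for s in vlans for d in vlans
                     if s != d and (s, d) not in allowed)
    return {"unknown_interface": unknown, "missing_policy": missing}
```

Run against the sample, the check reports policy 1 as referencing an unknown interface and both VLAN10/VLAN20 directions as still missing; once the name is corrected and the reverse policy is added, both lists come back empty.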

3. Test connectivity: On PC1, send an ICMP ping towards PC2 (20.20.20.100):

C:\Users\PC1_User>ping 20.20.20.100

Pinging 20.20.20.100 with 32 bytes of data:
Reply from 20.20.20.100: bytes=32 time=1ms TTL=127
Reply from 20.20.20.100: bytes=32 time=1ms TTL=127
Reply from 20.20.20.100: bytes=32 time<1ms TTL=127
Reply from 20.20.20.100: bytes=32 time<1ms TTL=127


Likewise, on PC2, send an ICMP ping towards PC1 (10.10.10.100):

C:\Users\PC1_User>ping 10.10.10.100

Pinging 10.10.10.100 with 32 bytes of data:
Reply from 10.10.10.100: bytes=32 time=1ms TTL=127
Reply from 10.10.10.100: bytes=32 time=1ms TTL=127
Reply from 10.10.10.100: bytes=32 time<1ms TTL=127
Reply from 10.10.10.100: bytes=32 time<1ms TTL=127


If there are any communication issues, check the PCs to ensure that the FortiGate IP addresses have been set as the default gateway (10.10.10.1 and 20.20.20.1 for VLAN10 and VLAN20, respectively), and verify that the local firewall settings on the PCs are not blocking ICMP traffic.

On the FortiGate side, check the traffic flow using the following CLI debug commands:

diagnose debug reset
diagnose debug flow filter reset
diagnose debug flow filter addr x.x.x.x <--- x.x.x.x is the IP address to filter for.
diagnose debug flow show function-name enable
diagnose debug flow trace start 100 <--- show up to 100 packets in the debug flow output.
diagnose debug enable


Related articles:

Technical Tip: How to configure a FortiGate for a directly connected Layer-3 Switch handling VLANs ...

Technical Tip: How to create a VLAN tagged interface (802.1q) on a FortiGate - tagged/untagged traf...

Comments
emmanuelgonzalez914

Nice Job!