FortiGate
AnthonyH
Staff
Article Id 275524
Description: This article describes how to configure inter-VLAN routing so that hosts on different VLANs can communicate with each other while the network remains segmented.
Scope: FortiGate.
Solution

In this example, the VLAN interfaces and firewall policies needed to ping across VLANs are created. Two computers are used to test connectivity, and a FortiSwitch provides the VLAN tagging.

[Figure: router-on-a-stick.jpg, the topology diagram for this example]

  1. Create your VLANs:
  • From the GUI, go to Network -> Interface and select 'Create New'.

For the first VLAN, VLAN10, the interface has been assigned the IP address 10.10.10.1/25 and a vlanid of 10.

The parameters are as follows:

config system interface
    edit "VLAN10"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.128
        set allowaccess ping
        set role lan
        set snmp-index 24
        set interface "fortilink"
        set vlanid 10
    next
end


For the second VLAN, VLAN20, the interface has been assigned the IP address 20.20.20.1/25 and a vlanid of 20.

The parameters are as follows:

config system interface
    edit "VLAN20"
        set vdom "root"
        set ip 20.20.20.1 255.255.255.128
        set allowaccess ping
        set role lan
        set snmp-index 25
        set interface "fortilink"
        set vlanid 20
    next
end


  2. Create the firewall policies and objects.
  • From the GUI, go to Policy & Objects -> Firewall Policy and select 'Create New'.

Two firewall policies are necessary: one for traffic from VLAN10 to VLAN20 and another for traffic from VLAN20 to VLAN10.

For the service, PING has been added so that connectivity can be tested. Allow 'ALL' or specify only the services that are actually needed here.


The firewall policy for VLAN10 to VLAN20 contains the following parameters:

config firewall policy
    edit 1
        set name "VLAN10-to-VLAN20"
        set uuid 11cb442c-59af-51ee-1867-66547b077dc1
        set srcintf "VLAN10"
        set dstintf "VLAN20"
        set action accept
        set srcaddr "VLAN10 address"
        set dstaddr "VLAN20 address"
        set schedule "always"
        set service "PING"
        set nat enable
    next
end


The reverse firewall policy for VLAN20 to VLAN10 contains the following parameters:

config firewall policy
    edit 7
        set name "VLAN20-to-VLAN10"
        set uuid 163a2190-59af-51ee-1506-f9401bd93223
        set srcintf "VLAN20"
        set dstintf "VLAN10"
        set action accept
        set srcaddr "VLAN20 address"
        set dstaddr "VLAN10 address"
        set schedule "always"
        set service "PING"
        set nat enable
    next
end


  • NAT should be enabled on the policy when the communication flows between two different networks. With NAT enabled, the source address of the traffic is translated to the IP address of the outgoing interface.

  • For a better visualization of how NAT works, refer to the following article for a few network address translation examples: What Is Network Address Translation (NAT)?
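The two policies above reference the address objects "VLAN10 address" and "VLAN20 address", and the FortiSwitch ports that PC1 and PC2 connect to must be placed in the matching VLANs for the tagging to happen; neither step is shown on this page. The following is an added example, not the article's own configuration: the subnets are derived from the interface addresses above, the switch serial is a placeholder, and the port numbers are assumptions. Tying each address object to its interface with associated-interface keeps the object from being reused in a policy on some other interface by mistake.

```text
# Added example (not from the original article).
# Address objects used as srcaddr/dstaddr by the two policies above.
config firewall address
    edit "VLAN10 address"
        set subnet 10.10.10.0 255.255.255.128
        set associated-interface "VLAN10"
    next
    edit "VLAN20 address"
        set subnet 20.20.20.0 255.255.255.128
        set associated-interface "VLAN20"
    next
end

# Put the access ports for PC1 and PC2 into their VLANs on the managed
# FortiSwitch. "SWITCH-SERIAL-PLACEHOLDER" stands for the switch's serial
# number; port1 and port2 are assumed port names.
config switch-controller managed-switch
    edit "SWITCH-SERIAL-PLACEHOLDER"
        config ports
            edit "port1"
                set vlan "VLAN10"
            next
            edit "port2"
                set vlan "VLAN20"
            next
        end
    next
end
```

After this is applied, PC1 on port1 receives an address from the 10.10.10.0/25 side and PC2 on port2 from the 20.20.20.0/25 side, and the policies in step 2 decide what may cross between them.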

 

  3. Test connectivity.
  • Results from PC1 on VLAN10:

Pinging 20.20.20.3 with 32 bytes of data:
Reply from 20.20.20.3: bytes=32 time=1ms TTL=127
Reply from 20.20.20.3: bytes=32 time=1ms TTL=127
Reply from 20.20.20.3: bytes=32 time<1ms TTL=127
Reply from 20.20.20.3: bytes=32 time<1ms TTL=127


  • Results from PC2 on VLAN20:

Pinging 10.10.10.2 with 32 bytes of data:
Reply from 10.10.10.2: bytes=32 time<1ms TTL=128
Reply from 10.10.10.2: bytes=32 time<1ms TTL=128
Reply from 10.10.10.2: bytes=32 time<1ms TTL=128
Reply from 10.10.10.2: bytes=32 time<1ms TTL=128
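The ping replies only show that the path works end to end. To confirm on the FortiGate itself that the traffic is routed between the two VLAN interfaces and matched by the intended policy (rather than by some broader policy), the following CLI session can be run while PC1 pings PC2. This is an added example, not part of the original article; the host address 20.20.20.3 is the PC2 address from the test above.

```text
# Added example (not from the original article). Run on the FortiGate CLI
# while PC1 (10.10.10.x) pings PC2 (20.20.20.3).

# Both VLAN subnets should appear as connected routes on VLAN10 and VLAN20.
get router info routing-table connected

# Capture up to 10 ICMP packets on any interface; verbosity 4 prints the
# interface name, so the echo should arrive on VLAN10 and leave on VLAN20.
diagnose sniffer packet any 'icmp' 4 10

# Trace the session setup for ICMP to PC2. The trace output names the
# policy id that allowed the session (expected: id=1) and shows the
# source NAT applied because the policy has NAT enabled.
diagnose debug flow filter addr 20.20.20.3
diagnose debug flow filter proto 1
diagnose debug flow trace start 10
diagnose debug enable

# Stop tracing and clear the filter once the pings have been observed.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

If the flow trace reports a denied session instead of policy id 1, the usual causes are the wrong source or destination interface on the policy, the PC sitting on a switch port that is not in the expected VLAN, or an address object whose subnet does not contain the host.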