Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
AnthonyH
Staff
Staff

Created on ‎09-24-2023 11:02 PM Edited on ‎09-25-2023 09:10 PM By Community Manager

Article Id 275524

Technical Tip: Configure Inter-VLAN Routing

Description This article describes how to configure Inter-VLAN routing that will allow different VLANs to communicate with each other while maintaining network segmentation. 
Scope FortiGate.
Solution

In this example, the necessary VLANs and firewall policies will be created to ping across VLANs. Two computers will be used to test connectivity and a FortiSwitch to provide our VLAN tagging.

 

router-on-a-stick.jpg

 

  1.  Create your VLANs:
  • From Gui, go to Network -> Interface and select 'Create New'.

 

For the first VLAN10, the VLAN10 interface has been configured and assigned an IP address of 10.10.10.1/25 and a vlanid of 10.

The parameters are as follows:

 

config system interface

    edit "VLAN10”

        set vdom "root"

        set ip 10.10.10.1 255.255.255.128

        set allowaccess ping

        set role lan

        set snmp-index 24 

        set interface "fortilink"

        set vlanid 10

    next

end

 

For my second VLAN, VLAN20, the interface has been assigned an IP address of 20.20.20.1/25 and a vlanid of 20.

The parameters are as follows:

 

config system interface

    edit "VLAN20 "

        set vdom "root"

        set ip 20.20.20.1 255.255.255.128

        set allowaccess ping

        set role lan

        set snmp-index 25

        set interface "fortilink"

        set vlanid 20

    next

end

 

  1. Create the firewall policies and objects. 

  • from GUI, go to Policy and Objects -> Firewall Policy and select 'Create new'.

Two firewall policies will be necessary. One for traffic coming from VLAN10 to VLAN20 and another for VLAN20 to VLAN10.

In the service, A ping to test the connectivity has been added. Allow 'All' or specify the services to include here.

 

The firewall policy for VLAN10 to VLAN20 contains the following parameters:

 

config firewall policy

    edit 1

        set name "VLAN10-to-VLAN20"

        set uuid 11cb442c-59af-51ee-1867-66547b077dc1

        set srcintf "VLAN10"

        set dstintf " VLAN20"

        set action accept

        set srcaddr "VLAN10 address"

        set dstaddr "VLAN20 address"

        set schedule "always"

        set service "PING"

        set nat enable

    next

end

 

The reverse firewall policy for VLAN20 to VLAN10 contains the following parameters:

 

config firewall policy

    edit 7

        set name "VLAN20-to-VLAN10"

        set uuid 163a2190-59af-51ee-1506-f9401bd93223

        set srcintf "VLAN20"

        set dstintf "VLAN10"

        set action accept

        set srcaddr "VLAN20 address"

        set dstaddr "VLAN10 address"

        set schedule "always"

        set service "PING"

        set nat enable

    next

end

 

  1. Test connectivity
  • Results from PC1 on VLAN10:

Pinging 20.20.20.3 with 32 bytes of data:

 

Reply from 20.20.20.3: bytes=32 time=1ms TTL=127

Reply from 20.20.20.3: bytes=32 time=1ms TTL=127

Reply from 20.20.20.3: bytes=32 time<1ms TTL=127

Reply from 20.20.20.3: bytes=32 time<1ms TTL=127 

 

Results from PC2 on VLAN20:

 

Pinging 10.10.10.2 with 32 bytes of data:

Reply from 10.10.10.2: bytes=32 time<1ms TTL=128

Reply from 10.10.10.2: bytes=32 time<1ms TTL=128

Reply from 10.10.10.2: bytes=32 time<1ms TTL=128

Reply from 10.10.10.2: bytes=32 time<1ms TTL=128
6681
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.