FortiGate
alif
Staff
Article Id 380474
Description: This article describes hardware acceleration (NP offloading) support with respect to 802.1Q-in-802.1Q (Q-in-Q) stacked VLAN tags.
Scope: FortiGate.
Solution

Consider the following VLAN interfaces configured on FortiGate-I.

 

config system interface
    edit "vlan111"
        set vdom "root"
        set ip 10.111.1.1 255.255.255.252
        set allowaccess ping
        set interface "vlan222"
        set vlanid 111
        set snmp-index 10
    next
    edit "vlan222"
        set vdom "root"
        set interface "port1"
        set vlanid 222
        set snmp-index 20
    next
    edit "port1"
        set vdom "root"
        set role lan
        set type physical
        set snmp-index 30
    next
end

 

Likewise, the following VLAN interfaces are configured on FortiGate-II.

 

config system interface
    edit "vlan111"
        set vdom "root"
        set ip 10.111.1.2 255.255.255.252
        set allowaccess ping
        set interface "vlan222"
        set vlanid 111
        set snmp-index 40
    next
    edit "vlan222"
        set vdom "root"
        set interface "port2"
        set vlanid 222
        set snmp-index 50
    next
    edit "port2"
        set vdom "root"
        set role lan
        set type physical
        set snmp-index 60
    next
end

 

The network topology is as follows:


Windows10 (10.203.6.120) -- [(port10) FortiGate-I {port1 -- vlan222 -- vlan111 (10.111.1.1)}] ======= [{vlan111 (10.111.1.2) -- vlan222 -- port2} FortiGate-II (port20)] -- Windows10 (10.207.15.153)

 

A firewall policy has been configured to allow the traffic between Windows clients.

 

config firewall policy
    edit 1
        set name "Q-in-Q-Testing"
        set srcintf "port10"
        set dstintf "vlan111"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

 

With offloading enabled (the default) on firewall policy ID 1, traffic stops after the first two ICMP echo requests are answered; nothing further appears in the capture.

 

FortiGate-I # diagnose sniffer packet any "host 10.207.15.153 and icmp" 4 0 l
interfaces=[any]
filters=[host 10.207.15.153 and icmp]
2025-01-09 09:20:37.184550 port10 in 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184564 vlan111 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184565 vlan222 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184567 port1 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184617 vlan111 in 10.207.15.153 -> 10.203.6.120: icmp: echo reply
2025-01-09 09:20:37.184623 port10 out 10.207.15.153 -> 10.203.6.120: icmp: echo reply
2025-01-09 09:20:38.181920 port10 in 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181932 vlan111 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181933 vlan222 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181935 port1 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181969 vlan111 in 10.207.15.153 -> 10.203.6.120: icmp: echo reply
2025-01-09 09:20:38.181978 port10 out 10.207.15.153 -> 10.203.6.120: icmp: echo reply
^C
12 packets received by filter
0 packets dropped by kernel
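The capture above can be checked mechanically. The following is an added example (not part of the Fortinet article and not FortiGate code): it parses `diagnose sniffer packet` verbosity-4 lines of the form shown above, groups each ICMP echo request with its reply into a round trip, and records the interface path each direction took, so the walk through port1 -> vlan222 -> vlan111 is visible per request. The sample text embedded in the block is the 12-packet capture from this page; the function names are this example's own.

```python
import re

# Matches one verbosity-4 sniffer line for an ICMP echo request or reply, e.g.
# "2025-01-09 09:20:37.184550 port10 in 10.203.6.120 -> 10.207.15.153: icmp: echo request"
SNIFFER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)$"
)

# The capture shown on this page (FortiGate-I, offload enabled); non-packet lines are ignored.
PAGE_CAPTURE = """\
interfaces=[any]
filters=[host 10.207.15.153 and icmp]
2025-01-09 09:20:37.184550 port10 in 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184564 vlan111 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184565 vlan222 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184567 port1 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184617 vlan111 in 10.207.15.153 -> 10.203.6.120: icmp: echo reply
2025-01-09 09:20:37.184623 port10 out 10.207.15.153 -> 10.203.6.120: icmp: echo reply
2025-01-09 09:20:38.181920 port10 in 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181932 vlan111 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181933 vlan222 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181935 port1 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181969 vlan111 in 10.207.15.153 -> 10.203.6.120: icmp: echo reply
2025-01-09 09:20:38.181978 port10 out 10.207.15.153 -> 10.203.6.120: icmp: echo reply
^C
12 packets received by filter
0 packets dropped by kernel
"""


def parse_sniffer(text):
    """Return the ICMP echo packets in the capture as dicts; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        match = SNIFFER_RE.match(line.strip())
        if match:
            packets.append(match.groupdict())
    return packets


def round_trips(packets, client_ip, target_ip):
    """Group packets into round trips for one client/target pair.

    A round trip starts when an echo request from the client enters the FortiGate
    ("in" direction). Every later hop of that request and of its reply is appended
    to the current trip's path lists until the next request enters.
    """
    trips = []
    current = None
    for pkt in packets:
        hop = f'{pkt["iface"]} {pkt["dir"]}'
        if pkt["kind"] == "request" and pkt["src"] == client_ip and pkt["dst"] == target_ip:
            if pkt["dir"] == "in":
                current = {"request": [], "reply": []}
                trips.append(current)
            if current is not None:
                current["request"].append(hop)
        elif pkt["kind"] == "reply" and pkt["src"] == target_ip and pkt["dst"] == client_ip:
            if current is not None:
                current["reply"].append(hop)
    return trips


def summarize(trips):
    """Count trips that received a reply versus those that did not."""
    answered = sum(1 for t in trips if t["reply"])
    return {"round_trips": len(trips), "answered": answered, "unanswered": len(trips) - answered}


if __name__ == "__main__":
    trips = round_trips(parse_sniffer(PAGE_CAPTURE), "10.203.6.120", "10.207.15.153")
    for i, trip in enumerate(trips, 1):
        print(f"trip {i}: request via {' -> '.join(trip['request'])}; "
              f"reply via {' -> '.join(trip['reply']) or 'none'}")
    print(summarize(trips))
```

On this page's capture the result is two complete round trips, each request leaving through vlan111, vlan222 and port1 in that order. Note what the capture does not show: once the session has been offloaded to the NP, its packets are no longer seen by the kernel sniffer at all, so the symptom of the problem from the FortiGate's side is that the lines simply stop, not that requests appear without replies. A trip counted as unanswered by this script therefore means the CPU saw a request and no reply, which is a different failure from the one the article describes.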

 

However, traffic works if offloading is disabled on the firewall policy.

 

config firewall policy
    edit 1
        set auto-asic-offload disable
    next
end

 

The reason is that the NP7 network processor cannot offload 802.1Q over 802.1Q (stacked 802.1Q) tagged traffic due to its hardware design. FortiGate supports offloading of 802.1Q over 802.1ad only.
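The distinction above is a matter of which tag protocol identifier (TPID) sits in the outer tag: 802.1Q tags carry TPID 0x8100, 802.1ad service tags carry 0x88a8 (both IEEE-assigned values). The following added example (not Fortinet's code and not from this page) builds a raw Ethernet frame with a chosen tag stack, walks the stack the way a packet parser would, and names the result in the article's terms. The frame that vlan111 stacked on vlan222 sends out of port1 is a 0x8100 outer tag with VID 222 and a 0x8100 inner tag with VID 111, which this example classifies as the non-offloadable case. The MAC addresses are constructed; treating untagged and single-tagged frames as offloadable is this example's own assumption, since the article only covers the two stacked cases.

```python
import struct

# IEEE-assigned tag protocol identifiers (TPIDs)
TPID_8021Q = 0x8100    # 802.1Q customer tag (C-TAG)
TPID_8021AD = 0x88A8   # 802.1ad service tag (S-TAG)
ETHERTYPE_IPV4 = 0x0800


def build_frame(tags, payload_ethertype=ETHERTYPE_IPV4):
    """Constructed test frame: fixed MACs, then (tpid, vid) tags outer-first, then the payload type."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("0066778899aa")  # dst MAC, src MAC (constructed)
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)  # PCP/DEI bits left at zero
    frame += struct.pack("!H", payload_ethertype)
    return frame + b"\x00" * 20  # dummy payload so the frame has a body


def parse_vlan_stack(frame):
    """Walk the tag stack that follows the MAC addresses.

    Returns (tags, ethertype): tags is a list of (tpid, vid) from outermost to
    innermost; ethertype is the first non-VLAN type field after the stack.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated tag stack")
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            return tags, tpid
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((tpid, tci & 0x0FFF))  # low 12 bits of the TCI are the VID
        offset += 4


def classify_stack(tags):
    """Name the tag stack in the article's terms."""
    if not tags:
        return "untagged"
    if len(tags) == 1:
        return "single 802.1Q" if tags[0][0] == TPID_8021Q else "single 802.1ad"
    outer, inner = tags[0][0], tags[1][0]
    if len(tags) == 2 and outer == TPID_8021Q and inner == TPID_8021Q:
        return "802.1Q over 802.1Q"
    if len(tags) == 2 and outer == TPID_8021AD and inner == TPID_8021Q:
        return "802.1Q over 802.1ad"
    return "other"


def np7_offload_expected(tags):
    """True if NP7 offload is expected for this stack, False if not, None if unknown.

    The two stacked cases follow the article; treating untagged and single-tagged
    frames as offloadable is an assumption of this example.
    """
    kind = classify_stack(tags)
    if kind == "802.1Q over 802.1Q":
        return False
    if kind in ("802.1Q over 802.1ad", "untagged", "single 802.1Q"):
        return True
    return None


if __name__ == "__main__":
    # What FortiGate-I's port1 carries for vlan111 stacked on vlan222: outer VID 222, inner VID 111
    cases = [
        ("vlan111 in vlan222 as configured on this page", [(TPID_8021Q, 222), (TPID_8021Q, 111)]),
        ("same VIDs with an 802.1ad outer tag", [(TPID_8021AD, 222), (TPID_8021Q, 111)]),
    ]
    for label, tags in cases:
        parsed, etype = parse_vlan_stack(build_frame(tags))
        print(f"{label}: {classify_stack(parsed)}, payload 0x{etype:04x}, "
              f"NP7 offload expected: {np7_offload_expected(parsed)}")
```

If you are deciding between disabling `auto-asic-offload` on the policy and keeping hardware acceleration, the question this script answers is which stack is actually on the wire: only an 0x88a8 outer tag keeps the traffic in the offloadable category, so check whether your FortiOS version lets the outer VLAN interface use 802.1ad tagging (not covered on this page) before relying on the CPU path for the flow.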

 
