Created on 12-05-2021 01:33 AM
first time poster here so have mercy :)
I am new to Fortinet but a long time security / networking administrator. I recently acquired a FortiGate 40F, FortiSwitch 108F and a FortiAP 221 to test it out and learn about Fortinet.
I am running into a stupid problem that I can't understand:
I would like to create VLANs on both FortiSwitch and FortiGate so that FortiGate is the gateway and DHCP-server on these VLAN networks. Furthermore, I would like to use the VLANs on the FortiSwitch so that I can use multiple ports on the switch on these VLANs, say port 1-4 has native VLAN accounting_VLAN and port 5-8 has VLAN printer_vlan, etc.
I would also like to use 1 or more ports on the FortiGate on these VLANs if needed. But this does not seem to be possible, to create a VLAN and then tag the VLAN on both FortiGate and FortiSwtich ports?
From what I can see now, if using VLANs on the FortiSwitch, I can't use these VLANs on the FortiGate ports and use the FG ports for connecting devices to the VLANs that I use?
High Level overview of what I am trying to do:
1. Create VLAN accounting_VLAN(VLAN ID=10) and office_VLAN(VLAN ID=20) on FortiGate with IP-address and DHCP enabled etc. so that the Fortigate is the gateway for the VLAN network.
2. Use the accounting_VLAN on FortiGate ports so that devices can be plugged into the FortiGate and assigned to one of these VLANs.(if FG-40F, then less ports to use, if 200F then more ports to use)
3. Connect FortiSwtich to FortiGate using Fortlink.
4. Trunk the accounting_VLAN on the trunk to the FortiSwitch
5. Use the accounting_VLAN ports on the FortiSwitch, for example ports 1-8 on accounting_VLAN and ports 9-13 on office_VLAN.
However, this doesn't seem to be possible from my testing different configurations? I can create VLANs on the FortiSwtich and tag them as native VLANs on different ports, but I can't use those VLANs on the FortiGate for creating a firewall/gateway interface to those VLANs.
What am I missing?
Created on 12-06-2021 04:36 AM
From what I understand, you want to share a subnet between FGT and FSW ports.
You can create a software switch interface type - add FSW vlan and FGT ports as memeber of the software switch (make sure FSW vlan and FGT ports dont have any references) - Configure the software switch with ip address, dhcp, etc. and finally create policy for the software switch interface.
yes, but how? :) Adding software switch is a no-brainer and attaching the port as members. But then when it comes to VLANs it becomes tricky as the VLANs on the FSW cannot be used on the FGT ports directly, seems I have to create ANOTHER VLAN(not the same name, but the same VLAN ID) on the FGT side and then use that on the software switch side...and hopefully the VLAN ID being the same for the FGT and FSW will propagate over the Fortilink port to the FSW where the VLAN is tagged...
Do you have any configuration examples for this? CLI command or even screenshots?
Created on 12-06-2021 04:57 AM
here is an example of a software switch setup with VLANs, both on FGT och FSW:
Whats confusing is that: 3 interfaces are needed: Software switch to collect the ports on the FGT, VLAN on the FGT to assign to the software switch and additionally the same VLAN on the FSW...all these interfaces can have IP-addresses, DHCP servers, etc. configured which is confusing. And then in firewall policy the software switch must be used as using the VLAN on FGT or VLAN on FSW does not work.
Created on 12-06-2021 05:40 AM
Here is another try to set this up, see screenshot.
However, in this setup it works as long as I connect to port 1-3 on the FGT but if I connect to a port on the FSW where there is another VLAN used with the same VLAN ID as Native VLAN, it does not work and the the host connected on the FSW doesn't get DHCP and has no access to the Internet...so the link between FGT and FSW does not propagate the VLAN domain between FGT and FSW...
Created on 12-06-2021 06:21 AM
I just can't get the FortiGate VLANs and the FortiSwitch VLANs to work together.
The FortiSwitch VLANs can't be used on the ports in the FortiGate and the VLANs on the FortiGate can't be used on the FortiSwitch. Creating a separate VLAN with the same VLAN ID on the FortiGate doesn't "bridge" the VLANs so that they work together, in my example here I have created a VLAN interface "CLIENT_FGT" with the same VLAN ID 10 as CLIENT VLAN that exists on the FortiSwitch. In this example I configured IP + DHCP Server on the FortiSwitch and that works ok and any devices connected to the switch has the access I define in policies. But if I try to add any FortiGate physical ports to the same VLAN by creating a software/hardware switch and then adding a VLAN with the same VLAN ID(can't use the CLIENT VLAN on the FGT unfortunately, have to create a new one with a different name and same VLAN ID...)
Should I just give up or can this work at all?????
Created on 12-06-2021 07:27 AM
Please check if this matches your requirement.
Requirement: Configure a vlan/subet so that clients connecting to FSW port, FGT port should get IP from that VLAN.
Refer the below example/configuration:
Step1:- Create a vlan on FSW (Wifi & switch controller -> Fortiswitch Vlans), don’t give any IP address.
Interface is showing as port4 because it’s the Fortilink interface (dedicated to FSW)
Give vlan id for eg . 100.
<Don’t map the VLAN to any FSW port before step2.>
Step2:- Create a Software Switch Interface on FGT (Network -> Interfaces -> Create new interface -> select interface type as software switch -> and map the FSW vlan100 and FGT physical port as interface members)
In below example suppose we want client connecting to port2 of FGT should get ip from 100.100.100.x subnet.
Give IP address and netmask, enable DHCP server on FGT OR if its external DHCP server, configure the same.
Step3:- Map the vlan100 to any one of the FSW ports:
Step4: Connect a client to FSW port1 and FGT port2 and client will get ip address from vlan100
Hello, thanks for the detailed instructions, but here is why it fails for me on my FGT-40F:
In step 2, after creating the VLAN on the FortiSwitch(Wifi & switch controller -> Fortiswitch Vlans) and then proceeding to create a Software Switch Interface on the FGT, I can only add physical ports to the software switch, not any VLANs and definitely not VLANs from the FortiSwitch. The only way to get a VLAN ID involved in the config is to create a new VLAN and then add the software switch to that VLAN, not the other way around adding the VLAN to the Software Switch...??? WTF? :) I am using latest FortiOS 7.0.2 if that matters?
Created on 12-06-2021 08:02 AM
As per my understanding when vlan has references for eg if its already mapped to switchports or anywhere else, you wont be able to add the vlan as member to software switch.
OK...well in this case the VLAN is not mapped to any switch ports, except the Fortilink port on which the VLAN is automatically tagged on...so not sure what you mean by that.
Is this a GUI issue? Should I try CLI instead?