Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
CSPSPB
New Contributor

VLANs on FortiGate 40F

Hello. I have to create several VLANs on my FortiGate 40F. Using the Fortigate's UI. I've created VLANs via Interfaces and attached them to `lan` Hardware Switch. Also created policies for both VLANs. If my laptop's Ethernet card is assigned an address within `lan` range (192.168.0.xxx) there's Internet access. If I try an address within `VLAN` range (e.g. 10.1.1.xxx), there's none. Check the pix:001.png002.png003.png004.pngWhat am I doing wrong? Thanks in advance.

5 REPLIES 5
Toshi_Esumi
Esteemed Contributor II

I'm assuming you're not using a switch to hook up your laptop. Then make sure you set the VLAN tagging on your laptop like below:
https://www.startech.com/en-us/faq/networking-vlan-tagging
Then check "get sys arp" to see if the laptop's MAC address is there. You can try pinging it from the 40F as well.
My guess is your NIC is not tagging.

 

Toshi

JonasV
New Contributor III

Agree with @Toshi_Esumi . VLANs created under your ‘lan’ will require that traffic is tagged with that VLAN ID. Your ‘lan’ works, as this is the default (untagged) VLAN. 
If you are to connect a non managed Fortiswitch, make sure that the uplink port of the switch also tagges the VLAN IDs. 

Kind regards
CSPSPB
New Contributor

Thanks @Toshi_Esumi @JonasV . There are two unmanaged Switches connected to Fortigate LAN ports. As far as I understand the customer, they'd like to manually assign IP addresses to network devices onsite and thus, depending on the address, put each of them to a certain VLAN. So it's not just about my laptop - smart TVs, network media players etc. are expected. The unmanaged switches are third-party, not Fortinet, but I'll check their tagging capabilities.

Toshi_Esumi
Esteemed Contributor II

If those are decent switches, they should support trunk and access ports so that each device doesn't have to be tagged when access ports are configured. So you should test with your laptop connected to those VLAN access ports.

 

Toshi

sw2090
Honored Contributor

well since an unmanaged switch cannot do vlan tagging on its ports your client devices will have to the tagging because as said above incoming packets have to have to correct vlan tag or they will not match any source interface on your FGT.

I would recommend using managed switches since many devices in the IoT and Smart Devices Sector do not support vlan tagging themselfes. Even many NICs built into PCs don't support that (unfortunately) at least in windows. It works with every supported nic in linux because the linux kernel supports it ;)

Managed Switches make life much easier here. They can tag the port into a vlan so if you connect a device to that port on that switch all traffic will be in that vlan (i.e. "untagged" on switches - means all traffic will be tagged in that vlan by the switch.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams