jcvm
New Contributor III

Allow traffic between interfaces

Hello,

 

I am having problems and I need your urgent support.

 

I have a VLAN Switch (ID 0) and a Software Switch (With several interfaces on each)

 

VLAN Switch (ID 0): 192.168.33.0/24
Software Switch: 192.168.32.0/24

 

I have created the rules to allow traffic between the two, but it does not want to allow traffic.

AlexC-FTNT
Staff

For urgent support, please open a TAC support case and call the support line.

Your description does not tell us:

- what product are you referring to? Is there a FortiGate involved?
- how are they connected to the FortiGate? (I guess the software switch is set up on the FortiGate)
- have you decided if you want to allow the traffic or not? If not, simply remove the rules.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
jcvm
New Contributor III

All in Fortigate 100F


I have ports 3, 4, 5 and 6 configured in the VLAN SWITCH (ID 0) and I have ports 10 and 11 configured in the Software Switch.

 

VLAN Switch (ID 0): 192.168.33.0/24
Software Switch: 192.168.32.0/24


How do I do so that they can exchange traffic?

 

I have created the rule to allow traffic between the two but it does not want to pass.

AlexC-FTNT

You need to see where the bottleneck is.
Check routing:

get router info routing-table details 192.168.33.x
get router info routing-table details 192.168.32.y

Check if both hosts are reachable:

exec ping-options source 192.168.33.1 (IP of switch)
exec ping 192.168.33.x

exec ping-options source 192.168.32.1 (IP of Soft switch)
exec ping 192.168.32.x

Check that the packets reach the correct interfaces:

diag sniffer packet any "host so.ur.ce.IP and host de.sti.nat.ion" 4 0



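One more check that is worth running alongside the routing, ping and sniffer commands above, added here as an example and not part of AlexC-FTNT's reply: a debug flow trace prints, for each packet, which interface it arrived on, the route lookup and which firewall policy (if any) it matched, so a missing or wrong-direction policy shows up directly instead of as a silent timeout. The two host addresses are assumed placeholders for one host behind each switch.

```fortios
# Added example, not from the thread. 192.168.32.10 and 192.168.33.10 are
# assumed placeholders: use one real host behind each switch.
diagnose debug reset
diagnose debug flow filter saddr 192.168.32.10
diagnose debug flow filter daddr 192.168.33.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# Now ping 192.168.33.10 from 192.168.32.10 and read the trace:
#  - "Denied by forward policy check (policy 0)" means no policy matched
#    in that direction (the case described in this thread);
#  - a matched policy is reported by its id, and the trace also shows the
#    ingress interface, which reveals a vlanid/tagging mismatch because the
#    packet then either never arrives or arrives on the parent interface.
diagnose debug disable
diagnose debug reset
```

Run the trace in both directions (swap saddr and daddr and ping from the other side) since a policy is needed for each initiating direction; the trace only covers the first 20 packets and the final two lines clear the filter so it does not stay attached to the console session.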
AlexC-FTNT

The default settings are correct and nothing else is needed except the IPv4 policy between the 2 switches. Here is the setup:

[screenshot: AlexCFTNT_0-1641222013494.png]

Test PC: 10.147.3.220
Server (destination): 10.106.21.6

 

C:\Users\fortinet>ping 10.106.0.220 (fail)
C:\Users\fortinet>ping 10.106.1.26 (fail)

C:\Users\fortinet>ping 10.147.0.220 (gateway = ok)
Pinging 10.147.0.220 with 32 bytes of data:
Reply from 10.147.0.220: bytes=32 time<1ms TTL=255

 

Added ipv4 policy Software switch to VLAN switch, now traffic passes:

 

C:\Users\fortinet>ping 10.106.0.220
Pinging 10.106.0.220 with 32 bytes of data:
Reply from 10.106.0.220: bytes=32 time=1ms TTL=255

C:\Users\fortinet>ping 10.106.1.26
Pinging 10.106.1.26 with 32 bytes of data:
Reply from 10.106.1.26: bytes=32 time=1ms TTL=254

 

For the return to work you also need a policy from VLAN switch to Software switch.
Otherwise, the ping can't pass in reverse direction:
C:\Users\Server> ping 10.147.3.220 (fail)
C:\Users\Server> ping 10.147.0.220 (fail)


Tebogo
New Contributor

Hi jcvm

 

Please provide more detail about your config.

In the meantime, please see this and let me know if it helps you http://docs.fortinet.com/document/fortigate/6.2.10/cookbook/277799/software-switch

 

Just in case you're referring to a config on fortigate, check this out: https://youtu.be/5NXzxk__5z8

jcvm
New Contributor III

I have changed all the configuration and created two groups with Software SW interfaces.

 

With this and the corresponding firewall rules, the problem was corrected.

Apparently VLAN SW to Software SW does not work despite properly configured firewall rules.

Toshi_Esumi
Esteemed Contributor III

I'm just curious, but why did you originally use VLAN ID/tag 0 on the hard switch VLAN subinterface? For FortiGate, vlan_id=0 is still a tagged interface, not a native VLAN, because it doesn't have that concept. And you can set the IP/subnet on the parent hard switch non-tagged interface.

 

Toshi
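To make the two fixes in this thread concrete (AlexC-FTNT's: an IPv4 policy is needed in each direction; Toshi_Esumi's: put the IP on the hard switch's parent, untagged interface rather than on a VLAN subinterface with ID 0, which FortiOS still treats as tagged), here is a CLI configuration added as an example. It is not taken from the thread or from jcvm's actual FortiGate. The interface names "HardSW" and "SoftSW", the physical switch name "sw0", the gateway addresses and the port memberships are assumptions, and the hardware-switch block in particular varies between models and FortiOS versions, so check it against the CLI reference for your firmware.

```fortios
# Added example, not the thread's own config. Names, ports and addresses are assumed.

# Hardware switch: ports 3-6 in one L2 domain. The IP goes on the switch
# interface itself. Do NOT create a "vlanid 0" subinterface on it to carry
# untagged hosts: FortiOS treats any VLAN subinterface as 802.1Q tagged.
config system virtual-switch
    edit "HardSW"
        set physical-switch "sw0"
        config port
            edit "port3"
            next
            edit "port4"
            next
            edit "port5"
            next
            edit "port6"
            next
        end
    next
end
config system interface
    edit "HardSW"
        set vdom "root"
        set ip 192.168.33.1 255.255.255.0
        set allowaccess ping
        set type hard-switch
    next
end

# Software switch: ports 10 and 11 bridged in the kernel, IP on the switch.
config system switch-interface
    edit "SoftSW"
        set vdom "root"
        set member "port10" "port11"
    next
end
config system interface
    edit "SoftSW"
        set vdom "root"
        set ip 192.168.32.1 255.255.255.0
        set allowaccess ping
        set type switch
    next
end

# Two policies, one per initiating direction. Connected routes for both
# /24s exist automatically, so no static route is needed. "edit 0" lets
# the FortiGate assign the next free policy id.
config firewall policy
    edit 0
        set name "SoftSW-to-HardSW"
        set srcintf "SoftSW"
        set dstintf "HardSW"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "HardSW-to-SoftSW"
        set srcintf "HardSW"
        set dstintf "SoftSW"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The "all"/"ALL" policies reproduce the ping test shown earlier in the thread; they are fine for proving that the switches talk, but from a policy standpoint they merge the two segments into one flat network. Before leaving them in place, replace "all" with address objects for the hosts that actually need to cross, restrict the service list, and ask whether the second direction really needs to initiate connections at all (replies to an accepted session are already allowed by the first policy's state entry).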

jcvm
New Contributor III

That was precisely the problem.

All of this was caused because I originally used the VLAN SW that comes by default with VLAN ID 0.

In the end it was tagged despite being 0. This was the problem with everything.

I just tried to test it because it was already VLAN SW by default and I don't know why I thought it was native.
