Xaak
New Contributor

Allowing traffic between 2 Vlan switches

Device is FG-60f running the latest 7.4 firmware.


I have 2 vlan switches set up. One routes traffic to wan1 and the other to wan2. I set up policies and routing policies for them and both are working fine.


Vlan switch 1 services subnet 192.168.2.0/24 and vlan switch 2 services subnet 192.168.3.0/24.


What I need to do is allow traffic between the two subnets.


When I set up firewall policies to allow traffic between source vlan switch 2 destination vlan switch 1, I can ping and access 192.168.2.1 from the 192.168.3.0/24 subnet, but I can't see any of the other devices/IPs on the 192.168.2.0/24 subnet. Same thing with firewall policy source vlan switch 1 destination vlan switch 2.


Firewall policies:


Fortinet_Gateway (14) # show
config firewall policy
edit 14
set name "Vlan1"
set uuid 3961879a-900e-51ee-e003-307188be460d
set srcintf "internal"
set dstintf "Internal wan2"
set action accept
set srcaddr "internal"
set dstaddr "Internal wan2 address"
set schedule "always"
set service "ALL"
set profile-protocol-options "test"
set nat enable
next
end

Fortinet_Gateway # config firewall policy

Fortinet_Gateway (policy) # edit 15

Fortinet_Gateway (15) # show
config firewall policy
edit 15
set name "Vlan2"
set uuid 6964594a-900e-51ee-fb76-e2b129d79f1e
set srcintf "Internal wan2"
set dstintf "internal"
set action accept
set srcaddr "Internal wan2 address"
set dstaddr "internal"
set schedule "always"
set service "ALL"
set profile-protocol-options "test"
set comments " (Copy of InterVlan)"
next
end


Ok, so what am I doing wrong here?


TIA
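The two questions the replies below keep coming back to (is NAT on between the two LAN segments, and does a policy exist in each direction) can be checked mechanically from the `show` output quoted above. The following script is an added example, not code from the poster or from Fortinet: it parses the `config firewall policy` block format the FortiGate CLI prints, then audits the policies whose source and destination interfaces are both in a set of LAN interfaces the caller supplies (here assumed to be `internal` and `Internal wan2`). It flags source NAT on a LAN-to-LAN policy (hosts on the destination segment then see the FortiGate's interface address instead of the real source), `service ALL` between LAN segments, and any LAN pair that only has a policy in one direction. The sample config is a trimmed copy of the two policies in the post; the prompt line is kept to show that it is ignored.

```python
import shlex
from typing import Dict, Iterable, List, Tuple

# Sample FortiOS CLI output, trimmed from the two "show" dumps in the post above
# (constructed test input; the prompt line is included to show it is skipped).
SAMPLE_CONFIG = """\
Fortinet_Gateway (14) # show
config firewall policy
edit 14
set name "Vlan1"
set srcintf "internal"
set dstintf "Internal wan2"
set action accept
set srcaddr "internal"
set dstaddr "Internal wan2 address"
set schedule "always"
set service "ALL"
set nat enable
next
edit 15
set name "Vlan2"
set srcintf "Internal wan2"
set dstintf "internal"
set action accept
set srcaddr "Internal wan2 address"
set dstaddr "internal"
set schedule "always"
set service "ALL"
set comments " (Copy of InterVlan)"
next
end
"""

Policy = Dict[str, object]
Finding = Tuple[object, str, str]  # (policy id or None, finding code, message)


def parse_policies(text: str) -> List[Policy]:
    """Parse a `config firewall policy` block into a list of dicts.

    Each `edit N` entry becomes {"id": N, "<key>": [values...]}; every
    `set key v1 v2 ...` line is tokenised with shell-style quoting so that
    quoted names containing spaces ("Internal wan2") stay intact. Lines
    outside the policy block (CLI prompts, other config sections) are ignored.
    """
    policies: List[Policy] = []
    current: Policy = {}
    in_policy_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quote: not a well-formed CLI line
            continue
        verb = tokens[0]
        if verb == "config":
            in_policy_block = tokens[1:] == ["firewall", "policy"]
        elif not in_policy_block:
            continue
        elif verb == "edit":
            current = {"id": int(tokens[1])}
        elif verb == "set" and current:
            current[tokens[1]] = tokens[2:]
        elif verb == "next" and current:
            policies.append(current)
            current = {}
        elif verb == "end":
            in_policy_block = False
    return policies


def audit_lan_policies(policies: List[Policy], lan_interfaces: Iterable[str]) -> List[Finding]:
    """Audit policies whose src and dst interfaces are all LAN-side interfaces."""
    lan = set(lan_interfaces)
    findings: List[Finding] = []
    pairs = set()
    for p in policies:
        src, dst = set(p.get("srcintf", [])), set(p.get("dstintf", []))
        if not src or not dst or not (src <= lan and dst <= lan):
            continue  # not a LAN-to-LAN policy
        pairs.update((s, d) for s in src for d in dst)
        if p.get("nat") == ["enable"]:
            findings.append((p["id"], "nat-on-lan-policy",
                             "source NAT on a LAN-to-LAN policy hides the real source address"))
        if p.get("service") == ["ALL"]:
            findings.append((p["id"], "service-all",
                             "service ALL between LAN segments; restrict to what is needed"))
    # The FortiGate is stateful, so replies need no policy; but connections
    # *initiated* from the other segment need their own policy.
    for s, d in sorted(pairs):
        if (d, s) not in pairs:
            findings.append((None, "missing-reverse",
                             f"no policy for connections initiated from {d} to {s}"))
    return findings


if __name__ == "__main__":
    for pid, code, msg in audit_lan_policies(parse_policies(SAMPLE_CONFIG), {"internal", "Internal wan2"}):
        print(f"policy {pid}: {code}: {msg}")
```

Paste the output of `show firewall policy` in place of the sample and adjust the LAN interface set to your own VLAN switch names; anything the audit does not flag still needs the routing and host-side checks the replies ask about.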

11 REPLIES
ndumaj
Staff

Hello Xaak,

What is this interface "internal"?
What is the sub interface for Vlan switch 1 servicing subnet 192.168.2.0/24?

Do you see if the traffic is hitting the policy 14, or not?
-BR-

- Happy to help, hit like and accept the solution -
ndumaj

Additionally, is there any reason for using NAT in policy 14:
set nat enable

-BR-

- Happy to help, hit like and accept the solution -
Xaak
New Contributor

No particular reason for using NAT. I tried it both with NAT on and NAT off, and when I captured the config it happened to be on.

Xaak
New Contributor

I don't have any sub interfaces on vlan switch 1 or switch 2. "internal" is the actual interface name for what I called vlan switch 1.


ndumaj
Staff

So interface "internal" = Vlan switch 1 services subnet 192.168.2.0/24

Why are you using NAT in policy 14:
set nat enable

-BR-

- Happy to help, hit like and accept the solution -
Xaak
New Contributor

@ndumaj 

Correct

"internal" = vlan switch 1 services 192.168.2.0/24

"Internal wan2" = vlan switch 2 services 192.168.3.0/24


I set nat disable initially; when it didn't work as expected, I set nat enable to try. I just happened to capture the config while it was set to enable.


Toshi_Esumi
Esteemed Contributor III

Not sure how your "Vlan1" is configured, but vlan tag 1 is reserved in FortiOS.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Reserved-VLAN-ID-1/ta-p/270111

Toshi

Xaak

Hi @Toshi_Esumi,


Coming to the rescue again :) 


Both vlan switches have vlan id = 0 and have no vlans underneath them.

ndumaj
Staff

Hi,
What is the "internal" interface configuration?
Do you have a route configured?
BR

- Happy to help, hit like and accept the solution -