Hi there!
I need some help with configuring Transit VLAN on FortiGate firewall.Basically as you can see in the attached diagram that I need to link between two networks; network EAST got L3 switch whereas network WEST got L2 switch and connected FortiGate firewall which handles the routing. I've been told that in order to make both networks to communicate and reach other that i need to use "Transit VLAN" between the L3 Switch on EAST and FortiGate firewall and use it for routing.
So, shall I use another physical port from the firewall to L2 Switch and create this Transit VALN under that physical port? or use the existing physical port (port1) and create transit VLAN under it?
Solved! Go to Solution.
ok then I assume your clients at network west use the FGT there as default gw.
if so this is rathr the same we do here.
On Site there is a bunch of vlans on L2 Switches and a FGT as Gateway.
At Central there is a bunch aof vlans on L2 Switches and a FGT as Gateway.
between Site and Central is an IPsec Tunnel.
So both FGT have vlan interfaces for their vlans with corrsponding ip (execpt from vlan1 as any switchport used for thi is untagged on the switches and FGT knows untagged only anyhow).
To get from HQ to a vlan on Site all I need is a route to it at HQ FGT and a Policy to allow the traffic and a route back to HQ net on Site FGT (reverse route) and of course on Site a policy to allow the trafic.
To the FGT it does not matter if the means of transportation between Site and HQ is ipsec or just ethernet. This is all handled by interfaces on a FGT so its always the same basically.
So if you clients at west use the FGT as default gw. The FGT must know routes to the Subnets on East. It must use the same vids as there are at East and you have to make sure the vlan tag persists all the way from west to east!
As the L3 switch on east does the routing there it must know a route back to the west subnet(s).
We do that by vlan tagging on the switches and vlan interfaces on the FGTs. So traffic going out to a vlan will leave the destination FGT via the correct vlan interface to get tagged correctly. In this case vlan tag does not need to be persistent or exist at all because the destination FGT will tag the packets anyway.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
hm accoarding to your diagram die FGT is only in effect cor traffic that goes to the internet, while cliets are conected to the L2 Switch directly.
So traffic to the nets on east would only go through the fortigate if the client had a route for this nets with the fgt als gateway or no route to them at all.
Do I undestand that correct?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Firstly, thank you so much for your reply.
At the moment, we only concern about the internal routing between the two networks.
Currently, as you can see from the diagram the FTG is connected on the physical port1 to the switch on VLAN1 (Default VLAN) and FTG is DHCP Server for more than 200 users.
I tried to configure interface VLANs (sub-interfaces) under port1 (removed the IP address from port1), so I created two VLANS; VLAN1(192.168.0.1) and VLAN7-Transit (172.30.7.2) and I configured the switch port as trunk/tagged for VLAN1&7. Unfortunately, I couldn't reach/ping the ip address of VLAN1 in FTG. However, if I change VLAN1 in the FW to other VLAN than VLAN 1, it works fine. I don't know what I need to configure on switch port that connected to FTG to make VLAN1 reachable?
(P.s: I can't change VLAN1 as all the users switch ports are configured to use the default VLAN1)
ok then I assume your clients at network west use the FGT there as default gw.
if so this is rathr the same we do here.
On Site there is a bunch of vlans on L2 Switches and a FGT as Gateway.
At Central there is a bunch aof vlans on L2 Switches and a FGT as Gateway.
between Site and Central is an IPsec Tunnel.
So both FGT have vlan interfaces for their vlans with corrsponding ip (execpt from vlan1 as any switchport used for thi is untagged on the switches and FGT knows untagged only anyhow).
To get from HQ to a vlan on Site all I need is a route to it at HQ FGT and a Policy to allow the traffic and a route back to HQ net on Site FGT (reverse route) and of course on Site a policy to allow the trafic.
To the FGT it does not matter if the means of transportation between Site and HQ is ipsec or just ethernet. This is all handled by interfaces on a FGT so its always the same basically.
So if you clients at west use the FGT as default gw. The FGT must know routes to the Subnets on East. It must use the same vids as there are at East and you have to make sure the vlan tag persists all the way from west to east!
As the L3 switch on east does the routing there it must know a route back to the west subnet(s).
We do that by vlan tagging on the switches and vlan interfaces on the FGTs. So traffic going out to a vlan will leave the destination FGT via the correct vlan interface to get tagged correctly. In this case vlan tag does not need to be persistent or exist at all because the destination FGT will tag the packets anyway.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
You didn't have to create VLAN1 subinterface, which is a tagged interface with vlan ID=1. You needed to simply add vlan 7 subinterface to port1. Then you needed to make the L2 switch port as trunk, and span the vlan 7 toward the LAG interface.
When you use VLAN1 subinterface, the L2 switch needs to be able to handle vlan 1 tagged packet, but probably it's used internally so that couldn't take it.You just need to design vlan arrangement properly at the L2 switch.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1748 | |
1114 | |
765 | |
447 | |
241 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.