Confused on creating vlan for 40F

ryzen5 · ‎11-10-2023

I have 40F firewall.

I have a setup a lan to wan, when plugged in on interface 1 can get internet and can see the gateway.

I removed interface 2 and 3 from the hardware switch and made a new hardware switch with port 2

I added a vlan to port 2

ipaddress is 172.16.0.1

DCHP range 172.16.0.2-172.16.0.62

mask 255.255.255.192

when I plug in a test device I get 169.254.0.0 which points to fortilink and I'm not sure why

I just need to understand why I'm not getting the 172 when I plug into to port 2

ryzen5 · ‎11-11-2023

diagnose sniffer packet any 'portrange 1000-3000' 6 0 a - I tried this in CLI and it says unknown action

ryzen5 · ‎11-11-2023

but basically I will need to get a managed switch in order to test off correct? I believe that makes sense for the vlan.

I have my main machine on port 1 which is hardware switch. I'm kinda surprised I can't just replicate this on port 2 or 3 with different ip range.

Toshi_Esumi · ‎11-11-2023

It works on my 40F/7.0.13:

fg40f-utm (root) # diag sniffer packet any 'portrange 1000-3000' 6 0 a
interfaces=[any]
filters=[portrange 1000-3000]
2023-11-11 18:42:52.301815 fap221b in 192.168.5.3.51644 -> 239.255.255.250.1900: udp 175
0x0000 0100 0000 0000 bcf1 718b 9bb0 0800 4500 ........q.....E.
0x0010 00cb 53c4 0000 0111 afb8 c0a8 0503 efff ..S.............
0x0020 fffa c9bc 076c 00b7 ef18 4d2d 5345 4152 .....l....M-SEAR
0x0030 4348 202a 2048 5454 502f 312e 310d 0a48 CH.*.HTTP/1.1..H
0x0040 4f53 543a 2032 3339 2e32 3535 2e32 3535 OST:.239.255.255
0x0050 2e32 3530 3a31 3930 300d 0a4d 414e 3a20 .250:1900..MAN:.
0x0060 2273 7364 703a 6469 7363 6f76 6572 220d "ssdp:discover".
0x0070 0a4d 583a 2031 0d0a 5354 3a20 7572 6e3a .MX:.1..ST:.urn:
0x0080 6469 616c 2d6d 756c 7469 7363 7265 656e dial-multiscreen
0x0090 2d6f 7267 3a73 6572 7669 6365 3a64 6961 -org:service:dia
0x00a0 6c3a 310d 0a55 5345 522d 4147 454e 543a l:1..USER-AGENT:
0x00b0 204d 6963 726f 736f 6674 2045 6467 652f .Microsoft.Edge/
0x00c0 3131 392e 302e 3231 3531 2e35 3820 5769 119.0.2151.58.Wi
0x00d0 6e64 6f77 730d 0a0d 0a ndows....

2023-11-11 18:42:53.313971 fap221b in 192.168.5.3.51644 -> 239.255.255.250.1900: udp 175
0x0000 0100 0000 0000 bcf1 718b 9bb0 0800 4500 ........q.....E.
0x0010 00cb 53c5 0000 0111 afb7 c0a8 0503 efff ..S.............
0x0020 fffa c9bc 076c 00b7 ef18 4d2d 5345 4152 .....l....M-SEAR
0x0030 4348 202a 2048 5454 502f 312e 310d 0a48 CH.*.HTTP/1.1..H
0x0040 4f53 543a 2032 3339 2e32 3535 2e32 3535 OST:.239.255.255
0x0050 2e32 3530 3a31 3930 300d 0a4d 414e 3a20 .250:1900..MAN:.
0x0060 2273 7364 703a 6469 7363 6f76 6572 220d "ssdp:discover".
.....

And nobody said duplicate the config on lan1/lan hard-switch wouldn't work. Just trying to simply the config to find the cause of the problem, which I think not so usefule because I believe the 40F is working fine.
By the way, putting only one port into a hard-switch wouldn't help much for performance. It's beneficial when you put mulitple ports in.

Just test with a switch. Also decent/recent laptops with NIC are capable to set VLAN ID/tagging on the interface, I wouldn't trust them in some cases.

Toshi

ryzen5 · ‎11-11-2023

"And nobody said duplicate the config on lan1/lan hard-switch wouldn't work."

-not really what I was implying....

I have created another interface on port 3 and see the ip, I just have to validate other devices can ping each other. Long term willl just bring in a managed swtich.

adimailig · ‎11-14-2023

@ryzen5 Since you want to utilize VLAN interface on Port2 and you directly connect the test device (PC) to port2, you need to configure VLAN Tagging on your computer network card.
By default, PC accepts untagged traffic.

VLAN Interface = Tagged Traffic
Physical Interface = Untagged Traffic

The IP range 169.254. 0.1-169.254. 255.254 is for APIPA and is commonly seen on windows machine that could not connect to DHCP Server.

Best Regards,

Arnold Dimailig
TAC Engineer

mahesh_pm · ‎11-14-2023

Hi,

please check the below work flow. is this your setup?.

Regards

Mahesh

sw2090 · ‎11-14-2023

I think you do not get the APIPA (=169.x.x.x) from your FGT.

I think your problem is that the traffic from your testdevice does hit port2 of your FGT but it does not hit the vlan interface and I suppose that is because there is no vlan tag in it.

Basically if you config a vlan on a FGT then it will be bound to a vswitch,hswitch or physical interface.

Traffic without vlan Tag or non-matching vlan Tag wil then hit the root interface and only traffic tagged with matching vid will hit the vlan interface.

On switches one calls that "Tagged".

So to me it just looks like your DHCP Requests from your testdevice hit Port2 due to no vlan tag and there is no dhcp server active on port2. DHCP Doesn't need Policies here since it is basically UDP broadcasting and that cannot be routed (unless you configure some DHCP Relay on your FGT).

So if you want you testdevice to get an ip vom the dhcp in the vlan on port2 of your FGT then either your testdevice has to do the vlan tagging or you have to have some vlan capable switch between it and the FGT that does the tagging (in that case the testdevice's Port on the switch has to be set to untagged or pvid).

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams