Control same sub interface VLAN traffic
Hi All,
As per the subject above, our client is using a FortiGate 100D as a router on a stick with multiple sub-interface VLANs.
Their objective or plan is to block same-segment traffic on one of the VLANs, for example creating a policy to block all PC communication within the sub-interface VLAN1.
Is this policy or method achievable? Thanks
You want to block traffic within a VLAN which is connected to the FortiGate? That's not possible, because the layer 2 traffic is not going to/through the firewall if it's only in the same VLAN. You would need to configure this on the switch the PCs are connected to. Maybe check out this link: https://en.wikipedia.org/wiki/Private_VLAN
I just thought you could force the hosts to use routing, thus involving the FGT as their router.
Specify the host's address as "a.b.c.d/32", and its default gateway as the FGT VLAN port address. I wonder if that would work...
Of course, oheigl is right in stating that intra-VLAN traffic is on Layer 2 and so the FGT is not involved. Controlling connections by application on the switch would be quite an advanced feature for such a device. Maybe you can get away with specifying the ports used (like tcp/135, 137, 138, 139, 445)...
Really interesting view, Ede. I wonder if that's going to work, because how can he reach the gateway IP address if it's not in the same subnet (/32 only has the one host, so theoretically he can't access anything other than itself)?
I don't mean by application in this case, just that the clients can only access the physical port the FortiGate is connected to. I saw this configuration once at a customer's site; he only allowed the servers in a VLAN to reach the monitoring server and nothing else. If you want to filter on an application basis, my suggestion is useless though.
ede_pfau wrote: I just thought you could force the hosts to use routing, thus involving the FGT as their router.
Specify the host's address as "a.b.c.d/32", and its default gateway as the FGT VLAN port address. I wonder if that would work...
Of course, oheigl is right in stating that intra-VLAN traffic is on Layer 2 and so the FGT is not involved. Controlling connections by application on the switch would be quite an advanced feature for such a device. Maybe you can get away with specifying the ports used (like tcp/135, 137, 138, 139, 445)...
If this is a working solution, I guess you have to turn on "proxy ARP" on the FortiGate. Otherwise the traffic will be dropped due to the wrong subnet mask.
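For readers who want to try the /32-plus-proxy-ARP idea from the last two replies, here is a sketch of what the FortiGate side would look like. It is an added illustration, not configuration from any poster in this thread; the interface name "vlan1", the 192.0.2.0/24 addresses, the `end-ip` range option (only in newer FortiOS releases) and the `allow-traffic-redirect` setting are assumptions you should check against your own FortiOS version before relying on it.

```fortios
# Assumed layout (constructed for this example):
#   FortiGate sub-interface "vlan1" = 192.0.2.1/24
#   PCs configured statically with a /32 mask, e.g. 192.0.2.10/32,
#   default gateway 192.0.2.1. With a /32 a PC has no on-link peers,
#   so every packet, even to 192.0.2.11, is sent to the gateway MAC.

# 1. Proxy ARP: the FortiGate must answer ARP for the PC addresses,
#    otherwise a PC cannot even resolve its /32-unreachable gateway.
#    (end-ip is assumed to exist in your release; older builds take
#    one entry per host address.)
config system proxy-arp
    edit 1
        set interface "vlan1"
        set ip 192.0.2.2
        set end-ip 192.0.2.254
    next
end

# 2. Make same-interface (vlan1 -> vlan1) traffic subject to policy
#    lookup instead of being redirected out unchecked. Assumed setting.
config system global
    set allow-traffic-redirect disable
end

# 3. Deny PC-to-PC traffic hairpinning through vlan1, with logging so
#    lateral-movement attempts show up in the traffic log.
config firewall policy
    edit 10
        set name "deny-intra-vlan1"
        set srcintf "vlan1"
        set dstintf "vlan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Caveat: this only isolates hosts that honour the /32 configuration; a host that changes its own mask back to /24 talks to its neighbours on Layer 2 again and the FortiGate never sees it, which is why the switch-side private VLAN / protected-port approach mentioned earlier is the more robust control.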
