Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Creating Fortigate subnets vLAN's for VMWare h...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Creating Fortigate subnets vLAN's for VMWare hosts.
Hello,
I am new to Fortigate and I am sure I am missing something here. To be honest, not even sure wether it is a Fortigate or VMWare problem.
Here is my case: My Fortigate 60D is directly connected to two vmware 6.x hostservers. Not using any another physical switch, just the internal 7+1 hardware ports switch on the Fortigate.
On the VMWare hostservers there need to be separate networks. So I choose to use 172.16.0.0 (255.255.255.224) giving me about 23 possible subnets with 30 hosts, like this;
subnet 0 255.255.255.224 172.16.0.1 - 172.16.0.30 subnet 4 255.255.255.224 172.16.4.1 - 172.16.4.30 subnet 8 255.255.255.224 172.16.8.1 - 172.16.8.30 and so on.
So the internal Fortigate interface (and gateway) is set to 172.16.0.30. The subnets 4,8, and 12 were created as vLAN's. On the vmware server I use a standard virtual switch. Subnet 0 is used for the internal hardware (server NIC's, HP ilo port, storage server and so on.) A firewall object and security policy was created for this subnet. Al hosts are able to commicate witheach othe and to the outside world. This works fine.
For the other subnets different vlan's (port groups in vmware terminology) are created. In each subnet I used the last (.30) address as the default gateway for that particular subnet. These VM's are able to communicate with each other but not to the outside world. Created a Firewall object and Policy for these subnets, on the same way I did that for the internal network 0. But only the internal subnet 0 is able the reach the outside world.
Now what am I missing here? Is this even possible without an extra switch?
I hope someone is able to see the problem. Thanks in advance.
Eric Loderichs
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate vlan interfaces only work with vlan tagged packets. On the VMWare side, are the actual physical nics on your vmware host properly configured to pass the 802.1Q vlan tags? And to receive vlan tagged packets? How that's done seems to be a little different for every vendor, and to use slightly different terminology.
Assuming your vlan tags are getting sent through from the VMs, and should be received okay by the VMs, how is your FortiGate set up, and what version of FortiOS do you have?
On the FortiGate you've got multiple vlan interfaces created, with the proper VLAN ID, on top of the correct physical interfaces? And whatever IP you've listed for the vlan interfaces is set to be the default gateway for that interface from your VM side?
Assuming all that is the case, and that your vmware subnets match the subnets they need to talk to on the FortiGate, how about a simple test.
Before you dig into issues with security policy rules, DHCP, DNS etc., can you turn on *only* administrative access PING for one of the vlan interfaces, then try to ping the vlan's IP from a VM that should be able to access that vlan? That should let you make sure that you're at least getting to the FortiGate from the VM.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello tanr,
Thanks for the reply. Glad to hear that what I want is possible. Let me update;
1. Physical nics vmnic0 and vmnic1 are the onboard nics on my HPDL360G6 hostservers. I can see that the driver is " bnx2 ". But after a lot of research I 'm not sure 802.1q vlan tags are supported by these nics. Presume they will but keep looking for more info.
2. Fortigate setup. Operating mode is NAT. A VLAN VM Network 4 (172.16.4.1/255.255.255.224) was created under the wan1 interface as (public IP) well as under the internal network 172.16.0.30/255.255.255.224) both without result. Used the exact phrase in VMWare als in the Fortigate "VM Network 4".
- Firewall object "VM Network 4" Interface Any. Type subnet
- Policy VM Network 4 - wan: Source all, Destination all, schedule always, http+ https, Ping
3. FortiOS. Firmware version is v.50, build310 (GA Patch 11)
4.On the FortiGate I have multiple vlan interfaces created, with the proper VLAN ID. Used the physical wan 1 interface as well as the internal physical interface, both without result, should be wan I presume. After initally using the first IP in tht subnet I later changed it to the .30 number which is used as the gateway for that subnet. No result.
What I do I ping to the outside world (8.8.8.8) from a test VM in that subnet, For this moment all that the VMs have to do is see each other and the outside wolrd, and vice versa.
Really appreciate your help. New to fortigate, as you have proberly guessed.
Eric
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. If you've got an HP ProLiant DL360 G6 I would assume any nics that come with it can handle 802.1Q vlan tagging. A quick web search shows it as 8021.Q compliant. Note that the vlan interfaces from the FortiGate will only work with tagging, they don't do untagged vlans.
2. I don't think you want a (layer 2) vlan interface on your public facing wan port. Along with other problems, your upstream router will likely drop anything that isn't set to the default vlan 0. When you say you also have the same vlan set for your internal network, do you mean you've set it on a virtual-switch or switch-interface with that name? There are some big differences between FortiOS 5.0, 5.2, and 5.4 for this - see my comment on #3 below.
With the 60D and older versions of FortiOS you need to figure out how your internal switch mode is set. See http://kb.fortinet.com/kb/documentLink.do?externalID=FD37588 and https://blah.cloud/infrastructure/changing-fortigate-switch-mode-interface-mode/ for brief overviews.
Note that with FortiOS 5.4 the set type switch-vlan is rather different. See https://forum.fortinet.com/tm.aspx?m=139834 for a discussion.
3. FortiOS 5.0.11 (build 310) is pretty old, especially if it's a FortiGate 60D. Is there a reason you haven't upgraded it to 5.2.x or 5.4.x? I'm not familiar with 5.0.x.
4. I think you need to simplify this so that you can test each part separately on the FortiGate side before you pull in the VM side. On the FortiGate set a vlan 99 interface on an internal physical interface, NOT the wan interface and NOT any internal switch interface. Turn on admin access for ping on the vlan 99 interface (set allowaccess ping, or append allowaccess ping). Take a managed switch that can handle vlan tagging and connect it to the single physical port on the FortiGate which has the vlan 99 interface. Set that particular port on the switch to be vlan 99 tagged only. Set another port on the switch to be vlan 99 untagged. Hook a laptop to the vlan 99 untagged port, then see if you can ping the vlan 99 interface IP. Once you can do that, you can set up test security policies to allow wan access for vlan 99 and verify it works from the laptop. Then you can try adding in communication between vlans, with more vlans on the fortigate and the managed switch and another laptop.
Good luck!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
A quick reply. Again thanks will move on from here.
For your information, I recently bought 2 used and identical Fortigate 60D appliances. One is now already setup in a datacenter (not in production yet but working for the internal LAN) and the other is here on my Lab desk to play around with.
Totally agree of coarse that you dont want a switch on the Public wan. But that is not the case. If the VLAN is placed under the wan then there is still NAT I presume. Anyway thanks for the warning.
Now the internal LAN switch is serving the hardware as mentioned. Technically not a VLAN I guess. But if I understand you well I better return to .99 and use the vlan 99. Ok will try to do that.
First thing I did was upgrading the firmware with the Fortiexplorer app. Was under the impression that I was up to date now, ok so I was wrong :-). Will try to update them again now, although they are out of their maintenaince. Maybe I can find it somewhere. Did notice the differences with all the youtube instructional video's.
Ok Will keep you posted about the progress.
Eric
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,724 -
FortiClient
1,770 -
5.2
801 -
FortiManager
733 -
5.4
639 -
FortiAnalyzer
562 -
FortiSwitch
476 -
FortiAP
473 -
FortiClient EMS
435 -
6.0
416 -
5.6
362 -
FortiMail
319 -
6.2
251 -
SSL-VPN
246 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
Fortiweb
205 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
104 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
83 -
Customer Service
80 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiGate-VM
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSoar
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1720 | |
| 1095 | |
| 752 | |
| 447 | |
| 234 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.