gateberg77
New Contributor II

DHCP on VLAN - No IP Address assigned, no communication

I'm new to Fortigate and installing a Fortigate 40F on my home network.
The goal is to isolate IoT devices with a VLAN, but at first I'd like to connect only one PC to one port of the Fortigate to test.

The setup is pretty easy at the moment:

Fortigate is directly connected to the PC on lan2 Port. The Interface has one single VLAN configured with DHCP enabled.

Config is:
The "physical interface" lan2 is unconfigured.

 

 

config system interface
    edit "VLAN_7"
        set vdom "root"
        set ip 10.35.0.1 255.255.255.0
        set allowaccess ping https ssh http
        set device-identification enable
        set role lan
        set snmp-index 13
        set interface "lan2"
        set vlanid 7
    next
end

 

 

Output of command

 

config system interface
edit?

 

 

 

name Name.
VLAN_7 static 0.0.0.0 0.0.0.0 10.35.0.1 255.255.255.0 up disable vlan
a static 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 up disable physical
fortilink static 0.0.0.0 0.0.0.0 10.255.1.1 255.255.255.0 up disable aggregate
l2t.root static 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 up disable tunnel
lan static 0.0.0.0 0.0.0.0 192.168.1.99 255.255.255.0 up disable hard-switch
lan1 static 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 up disable physical
lan2 static 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 up disable physical
lan3 static 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 up disable physical
modem pppoe 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 down disable physical
naf.root static 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 up disable tunnel
ssl.root static 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 up disable tunnel
wan dhcp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 up disable physical

 

 


  • The PC cannot get an IP address assigned and always ends up with a self-assigned IP (169.xxx...)
  • When setting the PC to a static IP address, it shows "connected" but cannot communicate in either direction with the Fortigate.
  • Configuring the DHCP on the "Physical Interface" works well.
  • FortiOS is 7.2.3

What am I missing here to get the IP assigned?
srajeswaran
Staff

As per this configuration, the interface VLAN_7 will expect packets to arrive with vlan-tag 7. Your PC cannot send packets with a VLAN tag, and that's the possible issue.

 

Can you delete the VLAN interface and configure IP and DHCP services directly on port 2 and check?

Regards,

Suraj

akristof
Staff

Hello,

This will not work. You would need to put a switch in between that will mark packets with the VLAN for you, or you would need to configure the vlan-id on the PC directly. And to be honest, I don't have experience with how well a Windows PC works with VLANs. On Linux, you can do it quite easily and it works well.

Because the problem is that, at the moment, your PC is sending packets without any VLAN-id, so they will be processed by the LAN2 interface. That's the reason why it also works when you configure the IP on LAN2 directly. With a VLAN configured under the LAN2 port, FortiGate expects incoming packets with a vlan-tag and, based on this vlan-tag, they will be forwarded to the correct VLAN. So you need to either instruct the PC to send packets with these VLAN-tags or have a (managed) switch in between the PC and FGT, and configure VLANs on the switch and the access and trunk ports correctly. Hope it makes sense.

Adrian
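
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Fortinet code: a small 802.1Q classifier showing why an untagged frame from the PC lands on lan2 while only a frame tagged with VLAN ID 7 reaches VLAN_7. The function names, the MAC address, the payload bytes and the simplified lookup model are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Simplified model (assumption) of the config in the question:
# parent port lan2 with a single VLAN sub-interface, VLAN_7 (vlanid 7).
PARENT = "lan2"
VLAN_SUBINTERFACES = {7: "VLAN_7"}

def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Build an Ethernet II frame; insert a 4-byte 802.1Q tag if vlan_id is set."""
    header = dst + src
    if vlan_id is not None:
        tci = vlan_id & 0x0FFF  # PCP=0, DEI=0, 12-bit VLAN ID
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_vlan(frame):
    """Return the VLAN ID carried by the frame, or None when it is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF

def receiving_interface(frame):
    """Logical interface that handles the frame in this model.

    Untagged frames belong to the parent port; tagged frames go to the
    sub-interface with the same VLAN ID, or to none (None) if no match.
    """
    vid = parse_vlan(frame)
    return PARENT if vid is None else VLAN_SUBINTERFACES.get(vid)

BROADCAST = b"\xff" * 6
PC_MAC = bytes.fromhex("020000000001")  # constructed, locally administered MAC
PAYLOAD = b"\x45" + b"\x00" * 45        # constructed stand-in for a DHCPDISCOVER packet

untagged = build_frame(BROADCAST, PC_MAC, 0x0800, PAYLOAD)            # what the PC sends
tagged = build_frame(BROADCAST, PC_MAC, 0x0800, PAYLOAD, vlan_id=7)   # what VLAN_7 expects

if __name__ == "__main__":
    for name, frame in (("untagged", untagged), ("tagged, VID 7", tagged)):
        print(f"{name:14} -> {receiving_interface(frame)}")
```

The DHCP server bound to VLAN_7 never sees the untagged DHCPDISCOVER in this model, which matches the self-assigned 169.x address reported in the question.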
gateberg77
New Contributor II

What I actually thought was that the internal switch of the Fortigate will do the tagging.

On the LAN, it reads "hardware switch"

and that there is no VLAN tagging available is not clear.

 

Muhammad_Haiqal

Hi @gateberg77 

 

The PC does not support VLAN. By default there are no options for you to set a VLAN at the PC level.
Example:
On the switch, you have 3 VLANs.
VLAN10
VLAN20
VLAN30

 

When you connect to the switch, how do you define whether your PC sits on VLAN10, 20 or 30?
This must be done at the switch level. Example:
Port1 - VLAN10 << If your PC connects to port1, you will get a VLAN10 IP

Port2 - VLAN20 << If your PC connects to port1, you will get a VLAN20 IP

Port3 - VLAN30 << If your PC connects to port1, you will get a VLAN30 IP

Fortigate <<Trunk>> Switch (port1-vlan10) <<>> PC
The PC will get a VLAN10 IP.

Hope that helps.

haiqal