DHCP on VLAN - No IP Address assigned, no communication
I'm new to FortiGate and am installing a FortiGate 40F on my home network.
The goal is to isolate IoT devices with a VLAN, but at first I'd like to connect only one PC to one port of the FortiGate to test.
The setup is pretty easy at the moment:
The FortiGate is directly connected to the PC on the lan2 port. The interface has one single VLAN configured with DHCP enabled.
The "physical interface" lan2 is unconfigured.
config system interface
    edit "VLAN_7"
        set vdom "root"
        set ip 10.35.0.1 255.255.255.0
        set allowaccess ping https ssh http
        set device-identification enable
        set role lan
        set snmp-index 13
        set interface "lan2"
        set vlanid 7
    next
end
Output of the command "config system interface":
VLAN_7 static 0.0.0.0 0.0.0.0 10.35.0.1 255.255.255.0 up disable vlan
a static 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 up disable physical
fortilink static 0.0.0.0 0.0.0.0 10.255.1.1 255.255.255.0 up disable aggregate
l2t.root static 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 up disable tunnel
lan static 0.0.0.0 0.0.0.0 192.168.1.99 255.255.255.0 up disable hard-switch
lan1 static 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 up disable physical
lan2 static 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 up disable physical
lan3 static 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 up disable physical
modem pppoe 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 down disable physical
naf.root static 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 up disable tunnel
ssl.root static 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 up disable tunnel
wan dhcp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 up disable physical
The PC cannot get an IP address assigned and always ends up with a self-assigned IP (169.xxx...).
When I set the PC to a static IP address, it shows "connected" but cannot communicate either way with the FortiGate.
Configuring DHCP on the "physical interface" works well.
This will not work. You would need to put a switch in between that will mark the packets with the VLAN for you, or you would need to configure the VLAN ID on the PC directly. And to be honest, with a Windows PC I don't have experience with how well it works with VLANs. On Linux, you can do it quite easily and it works well.
Because the problem is that at the moment your PC is sending packets without any VLAN ID, so they are processed by the lan2 interface. That's the reason why it also works when you configure the IP on lan2 directly. With a VLAN configured under the lan2 port, the FortiGate expects incoming packets with a VLAN tag, and based on this VLAN tag they will be forwarded to the correct VLAN. So you need to either instruct the PC to send packets with these VLAN tags, or have a managed switch between the PC and the FGT, configure the VLANs on the switch, and configure the access and trunk ports correctly. Hope it makes sense.
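To make the tagging point concrete, here is an added Python model that is not from this thread and not FortiOS code: it parses an Ethernet II frame, peels one 802.1Q tag if present, and maps the frame to the interface that would process it on port lan2. The interface names and vlanid 7 come from the question above; the frames themselves are constructed, and the DHCP payload is only a stand-in.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Model of the poster's setup (assumed): parent port "lan2" carrying one
# 802.1Q sub-interface "VLAN_7" (vlanid 7). Only VLAN_7 has an IP and DHCP.
PARENT_PORT = "lan2"
VLAN_SUBINTERFACES = {7: "VLAN_7"}

@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes

def parse_ethernet(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, peeling a single 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = raw[:6], raw[6:12], struct.unpack("!H", raw[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id = tci & 0x0FFF          # low 12 bits of the TCI are the VID
        offset = 18
    return Frame(dst, src, vlan_id, ethertype, raw[offset:])

def receiving_interface(frame: Frame) -> Optional[str]:
    """Interface that processes the frame; None means no matching VLAN (dropped)."""
    if frame.vlan_id is None:
        return PARENT_PORT                          # untagged -> physical port lan2
    return VLAN_SUBINTERFACES.get(frame.vlan_id)    # tagged -> matching sub-interface

def build_frame(vlan_id: Optional[int]) -> bytes:
    """Constructed broadcast frame shaped like a DHCP Discover (payload is a stub)."""
    dst = b"\xff" * 6                        # Ethernet broadcast
    src = bytes.fromhex("0200c0a80101")      # constructed locally-administered MAC
    payload = b"\x00" * 46                   # stand-in for the IP/UDP/DHCP bytes
    if vlan_id is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vlan_id & 0x0FFF                   # PCP=0, DEI=0, VID=vlan_id
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + payload
```

Feeding `build_frame(None)` through `parse_ethernet` and `receiving_interface` yields "lan2", which has no DHCP server in the poster's configuration, while `build_frame(7)` yields "VLAN_7".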