Hi All,
Good Day,
Thank you in advance for your time to read this and helping me to solve this problem.
Currently I have a setup like this
On Fortigate I remove port 2 and port 3 on the lan profile and configured as VLAN's each assigned to VLAN10 and VLAN20
ON VLAN10 --- > 10.10.0.1/24 - Untagged (Internet Access Hosts)
ON VLAN20 --- > 192.168.0.1/24 - Untagged (LAN Only)
Port 1-10 - VLAN10
Port 11-20 - VLAN20
Now my issue is this,
I've created the profile and rules as well as IP address that will be used by the VLANS in NAT/Route Mode in Fortinet
But My hosts that needs internet can't seem to route them.
Should I configure the VLAN's ports to be trunked so fortigate sees all ports as one? I want fortigate to do the routing so it makes sense that i will not define a default gateway in my vlans.
I'm new to Fortinet and I've seen a lot of guides but no solid answer and I'm hoping if anyone here can give me one. Any help or advise is appreciated.
Regards,
Ian
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
hard to say with such few details.
On a FGT you usually have a vlan as virtual interface that is bound to a physical one.
And then you have to have polices to allow your traffic that have the vlan interface as destination or source.
That's the way I do it here on our FGTs.
e.g
FGT Port1 (=physical interface) (static ip of our default subnet) - connected to switch
+ vlan1 (virtual vlan interface) VID 11 (static ip of vlan 11 subnet) [on FGT this will always be untagged!]
Switch: Uplink Port (physical interface connected to FGT Port1) is untagged in VID 1 (default vlan) [because HP switches want to have every port untagged in one vlan] AND tagged in VID 11.
Ports that have to access (ONLY) VID 11 are Untagged in VID11 and not in any other VID.
Ports that have to access more VIDs have to be tagged in all of them. In this case the device connected to those has to do the correct vlan tagging on packets.
Then on FGT e.g. have Policy:
Source Interface: vlan 11
Destination Interface: WAN (Internet)
Source: vlan 11 subnet
Destination: any
Service: all
NAT: enabled (use ip of Destination Interface) [dnat]
Clients in vlan11 must have the vlan 11 subnet ip of the virtual interface as default gw!
To clarify:
Untagged: Switch considers packets that come in on this port not to be vlan tagged and will then tag all packets with the vlan the port is untagged in. If a packet does have a vlan tagging it will be overwritten unless the port is als tagged in this vlan.
tagged: Switch will not touch vlan tagging on packets on this port at all. If the port is not untagged in one vlan it will then only accept packets with vids the port is tagged in.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
hard to say with such few details.
On a FGT you usually have a vlan as virtual interface that is bound to a physical one.
And then you have to have polices to allow your traffic that have the vlan interface as destination or source.
That's the way I do it here on our FGTs.
e.g
FGT Port1 (=physical interface) (static ip of our default subnet) - connected to switch
+ vlan1 (virtual vlan interface) VID 11 (static ip of vlan 11 subnet) [on FGT this will always be untagged!]
Switch: Uplink Port (physical interface connected to FGT Port1) is untagged in VID 1 (default vlan) [because HP switches want to have every port untagged in one vlan] AND tagged in VID 11.
Ports that have to access (ONLY) VID 11 are Untagged in VID11 and not in any other VID.
Ports that have to access more VIDs have to be tagged in all of them. In this case the device connected to those has to do the correct vlan tagging on packets.
Then on FGT e.g. have Policy:
Source Interface: vlan 11
Destination Interface: WAN (Internet)
Source: vlan 11 subnet
Destination: any
Service: all
NAT: enabled (use ip of Destination Interface) [dnat]
Clients in vlan11 must have the vlan 11 subnet ip of the virtual interface as default gw!
To clarify:
Untagged: Switch considers packets that come in on this port not to be vlan tagged and will then tag all packets with the vlan the port is untagged in. If a packet does have a vlan tagging it will be overwritten unless the port is als tagged in this vlan.
tagged: Switch will not touch vlan tagging on packets on this port at all. If the port is not untagged in one vlan it will then only accept packets with vids the port is tagged in.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi sw2090,
Good Day,
I've managed to solve this issue last week and sorry for late response.
What I did was, to connect my switch to FGT and disably aruba2930f layer3 on those VLAN's i need and tagged an uplink port to FGT and untagged to those of VLANS switches.
Appreciate your response and it was also helpful for future reference.
Thank you and Regards,
Ian
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.