FortiGate Inter-VLAN Routing Issues

neggly · ‎07-22-2018

I have a Fortigate 60D running 5.2.4 that I am trying to get the FGT to act like a router on a stick paired with a Cisco 2960x switch. However, I am having a very hard time to get the inter-vlan routing to work. Here is my current configuration.

[ul]

VLANS 10,30,40,50 are created on both the FGT and Cisco switch. (These show up as connected routes)

DHCP is configured for VLANs 40 and 50 (This works)

I have an "ALLOW ALL" policy in place to eliminate policies as a problem

Switch has a trunk port that allows the VLANs into that trunk

Internal interface has no IP address assigned. Only the VLANS have IP addresses[/ul]

I have been looking at this for quite a while and am not sure how to do a router-on-a-stick configuration on a FGT. Do you guys know of a good guide or some helpful tips on something that I may have overlooked?

Nicholas_Doropoulos · ‎07-22-2018

Hello,

Is NAT enabled on the firewall policies that match the relevant traffic?

Also, have you configured a forward domain?

Thanks.

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3

View solution in original post

Toshi_Esumi · ‎07-22-2018

Should be simple enough. You need to have a complete set of policies between all combination of two vlans for both direction, such as

vlan 10 -> 30

30 -> 10

10 -> 40

40 -> 10

and so on... totally (3+2+1)x2=12 policies.

Or if you don't have to limit access between them, you can put all of them in a zone and allow intra-zone traffic. Then you don't need those policies between them.

View solution in original post

Adam789 · ‎07-23-2018

Here how can you do it.

1-After creating your VLANs (10,30,40,50) in Cisco switch.

2-turn the port which connect to FGT to Trunk and allow VLANs 1,10,30,40,50 to pass.

3-Create same VLANs (10,30,40,50) in the port of FGT which connect to Cisco switch.

4-Create zone to combine all these VLANs and enable intrazone ( this will allow VLANs to talk to each others)

------Here how can you create zone--------

config system zone

edit "1" set intrazone allow set interface "vlan10" "vlan30" "vlan40" "vlan50" next end

View solution in original post

Nicholas_Doropoulos · ‎07-22-2018

Hello,

Is NAT enabled on the firewall policies that match the relevant traffic?

Also, have you configured a forward domain?

Thanks.

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3

neggly · ‎07-22-2018

I have turned NAT off. I am not sure what a forward domain is. I did not see that option in the configuration on the VLANs or the interface.

Toshi_Esumi · ‎07-22-2018

Should be simple enough. You need to have a complete set of policies between all combination of two vlans for both direction, such as

vlan 10 -> 30

30 -> 10

10 -> 40

40 -> 10

and so on... totally (3+2+1)x2=12 policies.

Or if you don't have to limit access between them, you can put all of them in a zone and allow intra-zone traffic. Then you don't need those policies between them.

neggly · ‎07-23-2018

I have attached the config file.

Adam789 · ‎07-23-2018

Here how can you do it.

1-After creating your VLANs (10,30,40,50) in Cisco switch.

2-turn the port which connect to FGT to Trunk and allow VLANs 1,10,30,40,50 to pass.

3-Create same VLANs (10,30,40,50) in the port of FGT which connect to Cisco switch.

4-Create zone to combine all these VLANs and enable intrazone ( this will allow VLANs to talk to each others)

------Here how can you create zone--------

config system zone

edit "1" set intrazone allow set interface "vlan10" "vlan30" "vlan40" "vlan50" next end

neggly · ‎07-26-2018

After having Fortinet and Cisco employees look at the switch and firewall they could not see anything wrong. The honest solution was to take it from Port 1 on the FGT and put it onto Port 2. Both of these ports are the same.