FortiWiFi 60E v7.2.3
Configuration:
Hardware Switch: "internal" (7 ports)
Software Switch: "lan" ("internal" + wifi SSID)
7 VLANs on the interface "internal"
lan: 10.10.5.2/24
Static routes that do not work for me, like the following:
Destination: 10.0.3.0/24
Gateway 10.10.5.15
Interface: lan
and others that have similar configuration with the Gateway IP: 10.10.5.15
10.10.5.15 is the linux server with the lxc containers on it:
lxc bridge IP: 10.0.3.1
10.0.3.20 - IP of one of the lxd/lxc containers
10.0.3.20 is reachable only from the 10.10.5.0 subnet and not from any other VLANs.
Inter-VLAN routing works where I allowed it to work.
This static route works on the pfSense router/firewall and Ubiquiti EdgeRouter.
I am, basically, replicating the pfSense configuration to FortiWiFi. It seems everything works besides those static routes with the 10.10.5.15 gateway.
What am I missing in my setup?
Thanks.
Do you have firewall policies allowing the inter-VLAN routing?
Hi Graham,
All VLANs see each other (for troubleshooting purposes, I have temporarily disabled some rules which blocked inter-VLAN routing for some VLANs). As of now, all VLANs have rules which allow access from any incoming interface and from all sources.
I think your problem is that the VLANs are assigned to your hardware switch when in reality you need to have them assigned to your software switch. Can you try with the VLANs assigned to the software switch instead?
You can also try breaking your software switch if you don't need your wireless interface bridged to your hardware switch.
Created on 02-09-2023 12:57 PM Edited on 02-09-2023 12:58 PM
Probably you are right. This software/hardware concept is something new to me.
But the following policy worked for me:
Incoming interface: any
Outgoing interface: lan
Source (I set up a custom address "Trusted networks")
Destination: all
....
So this is basically a pass-through policy.
But I am not sure if this is the right way to configure it on the FortiGate, but at least it works now.
What do you think?
Well yes, that's what I meant when I asked if you had the policies enabled for inter-VLAN routing.
Any traffic that needs to be forwarded between interfaces on the Fortigate requires a policy explicitly allowing it.
The only right way to do this is what makes sense for your environment and the restrictions you need to enable.
If you just want passthrough for your VLANs you can put them all into a Zone. Once they are in a zone, all traffic will pass through between the interfaces without requiring a policy.
Without that policy all VLANs were able to communicate with each other and with the native lan. That was a confusing part of this setup. This passthrough policy helped with those static routes.
Well, I have no idea what VLAN the 10.0.3.20 host is in or what VLAN you need to transit to get to it, but that IP address would have to be included as a destination in the policy that allows traffic out of the VLAN that it exists in or transits to it.
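For reference, here is a FortiOS CLI rendering of what this thread converges on: the static route to the container network via the Linux host, plus a forwarding policy that allows it. This is an added example, not configuration posted by anyone in the thread. It narrows the working "incoming any, outgoing lan, destination all" policy from the reply above to the container network only, and scopes it to named VLAN interfaces, which is what the last reply recommends (the 10.0.3.0/24 destination has to appear in the policy). The interface names `vlan10` and `vlan20`, the address object `lxc-net`, the zone name `trusted-vlans` and the policy name are assumptions; the thread does not name the seven VLANs. The route ID 10 is arbitrary.

```fortios
# Added example, not from the thread. Interface names, object names
# and the route ID are assumptions; addresses are the thread's own.

# Static route: 10.0.3.0/24 (LXC bridge network) is behind the Linux
# host 10.10.5.15, which sits on the "lan" software switch.
config router static
    edit 10
        set dst 10.0.3.0 255.255.255.0
        set gateway 10.10.5.15
        set device "lan"
    next
end

# Address object for the container network, so the policy can name it
# as a destination instead of "all".
config firewall address
    edit "lxc-net"
        set subnet 10.0.3.0 255.255.255.0
    next
end

# Forwarding policy. The FortiGate forwards nothing between interfaces
# without a matching accept policy, so the route alone is not enough.
# Only the listed VLAN interfaces may reach the container network via
# "lan"; "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "vlans-to-lxc"
        set srcintf "vlan10" "vlan20"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "lxc-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Alternative mentioned in the thread: put the VLAN interfaces in a zone
# with intrazone traffic allowed. Traffic between members then passes
# without a per-pair policy; policies to other interfaces (e.g. "lan")
# reference the zone name rather than the member interfaces.
config system zone
    edit "trusted-vlans"
        set intrazone allow
        set interface "vlan10" "vlan20"
    next
end
```

Policies are matched top-down, so a broad "any to lan, destination all" accept placed above this one would still match first; move or remove it once the narrower policy is in place. To confirm which policy and route a packet hits, the built-in flow trace is the quickest check: `diagnose debug flow filter addr 10.0.3.20`, `diagnose debug flow trace start 10`, `diagnose debug enable`, then send a ping from a VLAN host and read the route lookup and policy ID in the output.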