Hello!
I have two Fortigate 300C devices in two buildings. The connection is a layer 3 connection with static routes, as shown in the uploaded picture. The connection between the two Fortigates is configured on port 2. Also on Port 2 there is a tunnel interface with an IP address. The routing configuration between the Fortigates is static routing. On port 1 on both Fortigates is the connection to the local network of both buildings (connection to the main switches of the buildings).
Now I want to transport a second network from the Fortigate 1 over Port 2 to the Fortigate 2 device. This second network is connected on port 3 on the device Fortigate 1. The port on the switch pointing to the Fortigate 1 is tagged, with one VLAN (VLAN ID 20). I want to transport this VLAN 20 tagged from port 3 (Fortigate 1) over the Port 2 to the other device Fortigate 2 and connect a switch on Port 3 on Fortigate 2. This switch will add this tagged VLAN 20 on its uplink port and then the other ports will be untagged.
How can I configure the Fortigates so that the Layer 2 network will be transported over the Layer 3 network? I've tried to create a VLAN subinterface on port 2 and then created a software switch, combining the VLAN and the port 3, but it sadly didn't work.
I look forward to your reactions.
Mario
So, you want both fortigates to have the same layer2 network for this vlan20? What you are describing is a VXLAN.
To my knowledge this requires FortiOS 5.4:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD38614
Exactly.
But also the other layer 3 network over the tunnel.
I will try to configure it, after the firmware upgrade.
Thank you!
You will create a VXLAN tunnel and bind it to the software switch of the networks you want to bridge over.
For instance,
FGT1 has 192.168.1.0/24 on Port 1
FGT2 has 192.168.1.0/24 on Port 2
FGT1 make VXLAN tunnel and attach it via software switch to port 1 (so they bridge and broadcast across)
FGT2 make VXLAN tunnel and attach it via software switch to port 2 (so they bridge and broadcast across)
That single VLAN is then bridged across both gates so you can have the same local subnet on both sides.
Mike Pruett
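The procedure above expressed as FortiOS CLI for the original poster's layout (FGT1 side; FGT2 mirrors it with the addresses swapped). This is an added example, not configuration from the thread: the port2 addresses 10.0.0.1/10.0.0.2, the VNI 20, and the names "vxlan20" and "sw_vlan20" are assumptions, and the switch port facing port3 is assumed untagged.

```fortios
# FGT1. Assumed: port2 is 10.0.0.1, the peer FGT2 port2 is 10.0.0.2.
# VXLAN carries the bridged Ethernet frames in UDP, so the peer address only
# needs to be reachable over the existing static routes on port2.
config system vxlan
    edit "vxlan20"
        set interface "port2"
        set vni 20                # assumed VNI, must match on FGT2
        set remote-ip "10.0.0.2"  # assumed FGT2 port2 address
    next
end

# Bridge the local port3 with the VXLAN interface in a software switch.
# Members lose their own IP settings and appear under the switch interface.
config system switch-interface
    edit "sw_vlan20"
        set vdom "root"
        set member "port3" "vxlan20"
    next
end
```

Traffic between the two members of a software switch is bridged without a firewall policy; anything leaving the switch toward port1 or port2 still needs one, and since VXLAN itself is unencrypted, pointing `set interface` at the existing tunnel interface on port2 instead of the raw port keeps the bridged VLAN inside the protected path between the buildings.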
Hello!
I solved my problem.
First I created a new VLAN named "test_vlan" and bound it to port2.
When I opened the drop down menu of port2, there was shown the tunnel interface and the "test_vlan".
Then I changed the status of port3 to "up".
I created a software switch named "software_switch" and added port3 and "test_vlan".
After that, port3 and the VLAN interface of port2 disappeared and were shown under the interface "software_switch".
I made the same configuration on the second Fortigate 300C.
On both sides on port3, I connected a switch, which has a port untagged to the same VLAN, also named "test_vlan" and also having the same VLAN ID. I configured another port to the same VLAN on the destination switch, for testing the connection, and it worked!
Copyright 2025 Fortinet, Inc. All Rights Reserved.