Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
CrainBramp
New Contributor

Fortigate 40F: VLAN to LAN Issues

Morning:

New to Fortigate, and am trying to set up SNATing some VMs out to the Internet from my home lab on VLANs. It's a 40F, so it doesn't have a VLAN switch.

In this instance, the VM is on vlan50, using the Fortigate as a DHCP server. It receives an IP in the proper range, and I can move the VM from vlan to vlan in the lab, and it recognizes the different subnets and gets DHCP for them. So tagging seems fine. I just can't get out.

My process

  1. Added VLAN interfaces to the LAN w/DHCP, which is just ports 1-3 for now.
  2. Central SNAT is enabled. ALL/ALL
  3. Firewall policy: vlan50 > wan, ALL/ALL/ALL

The policy is getting hits, but I still can't ping out to any external IPs. I have a feeling I'm missing something simple here :)

Any suggestions on what I'm missing?

id=20085 trace_id=197 func=print_pkt_detail line=5846 msg="vd-root:0 received a packet(proto=17, 10.16.50.50:57296->1.1.1.1:53) tun_id=0.0.0.0 from vlan50. "
id=20085 trace_id=197 func=init_ip_session_common line=6025 msg="allocate a new session-000d605e, tun_id=0.0.0.0"
id=20085 trace_id=197 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-64.xxx.xxx.x via wan" [IP REMOVED FOR PRIVACY]
id=20085 trace_id=197 func=fw_forward_handler line=881 msg="Allowed by Policy-2:"
id=20085 trace_id=197 func=__ip_session_run_tuple line=3525 msg="run helper-dns-udp(dir=original)"

Thanks,

Don

 

1 Solution
CrainBramp
New Contributor

This turned out to be my Central SNAT rule.

I had a LAN > WAN ALL/ALL rule and erroneously thought b/c the VLANs were added to the LAN interface, the ALL/ALL SNAT would also catch them.

Adding a SNAT rule per VLAN worked to fix this.
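For readers hitting the same thing, here is a constructed FortiOS CLI fragment (added example, not the poster's actual config) showing the original central SNAT entry that only matches the parent "lan" interface next to the per-VLAN entry that fixes it. Interface names ("lan", "wan", "vlan50"), the 10.16.50.0/24 subnet and the map IDs are assumptions chosen to match the thread.

```fortios
# Constructed example; names, subnet and IDs are assumptions.

# vlan50 is a sub-interface of the "lan" hardware switch (ports 1-3),
# which is why its traffic does not count as "from lan" for matching.
config system interface
    edit "vlan50"
        set vdom "root"
        set ip 10.16.50.1 255.255.255.0
        set allowaccess ping
        set interface "lan"
        set vlanid 50
    next
end

config firewall central-snat-map
    # The original entry: srcintf "lan" matches only packets that
    # ingress on the parent interface. A packet received "from vlan50"
    # (as the debug flow shows) is a different interface, so this entry
    # never applies and the 10.16.50.x source is sent out untranslated.
    edit 1
        set srcintf "lan"
        set dstintf "wan"
        set orig-addr "all"
        set dst-addr "all"
        set nat enable
    next
    # The fix from the accepted answer: an entry whose srcintf is the
    # VLAN interface itself. Repeat (or add further VLAN names to
    # srcintf) for every VLAN that needs to reach the Internet.
    edit 2
        set srcintf "vlan50"
        set dstintf "wan"
        set orig-addr "all"
        set dst-addr "all"
        set nat enable
    next
end
```

After the change, re-running the same debug flow trace for a vlan50 host should show the session being NATed to the wan address instead of stopping at the policy match.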


Christian_89
Contributor III

Did you configure a static rule?

You can find this under network and static route.
