I'm really not sure what has been done, or why this has stopped working, but let me give a little insight.
We've provisioned a new site with a Fortigate 60F. There is an IPsec tunnel setup back to our main site, and this works fine.
We use internal2 port for our internal traffic, which is configured for 192.168.110.0/24. DHCP is enabled, options are configured, and everything works. Ports are either tagged/untagged where appropriate for this VLAN, and it's all fine.
Yesterday I created a new virtual interface VLAN on the Internal2 interface, for VLAN 241. This is our guest VLAN. The IP range on the fortigate has been setup for 192.168.111.0/24. DHCP has been configured and the ports for our wireless access point, and ports were tagged with VLAN 241 where appropriate. I attempted to connect to our guest SSID and I got an IP address correctly from the guest range. I added an outbound rule for internet, and everything worked just fine.
I've come back to it today, and I am not getting DHCP from the virtual interface VLAN. The main interface for corporate traffic is fine, that's giving out DHCP, but my virtual interface is not working. I've tried a few things such as recreating, checking my port tags, and everything looks fine. I even setup a wall port untagged on VLAN 241 and plugged my laptop into it, no matter what I do though, I'm just getting a 169 address now, for all devices.
Someone on my team did make some changes, but they've been reverted from what I can see, either something else has been changed, or I'm missing something. I know this is still a little vague, but I'm not overly familiar with these firewalls, so any advice on how to troubleshoot would be amazing! I'm no longer onsite, which makes it more difficult to troubleshoot too.
The issue you've described is a common one when dealing with VLANs, DHCP, and networking in general. Here are some troubleshooting steps and considerations you can take to help diagnose and possibly resolve the problem:
1. **DHCP Service**: - Verify that the DHCP service for VLAN 241 is still running on the Fortigate. - Ensure that the DHCP range and settings for VLAN 241 are correctly configured.
2. **Interface Configuration**: - Double-check the virtual interface configuration for VLAN 241. Make sure the IP and subnet are correct. - Ensure that the VLAN interface is up and running.
3. **Switch Configuration**: - Ensure that the switch ports connecting to devices needing access to VLAN 241 are correctly tagged/untagged. - If you have managed switches, check if there's any VLAN-related misconfiguration or changes made recently.
4. **Firewall Policies**: - Ensure that there's an appropriate firewall policy allowing traffic from the VLAN 241 subnet to reach the Fortigate's DHCP server. - Check if there are any policies that might be blocking DHCP requests or responses.
5. **Logs and Diagnostics**: - Check the Fortigate logs for any related entries or errors regarding DHCP for VLAN 241. - Use diagnostic commands to check the DHCP status: ``` diagnose ip dhcp relay list diagnose ip dhcp server list ``` - These commands will show you the current DHCP relays and leases, which can help identify if the Fortigate is receiving DHCP requests and if it's providing leases.
6. **Physical Connections**: - Ensure that all cables and connections are secure. A loose cable can sometimes be the culprit. - Ensure that the connection between the Fortigate and the switch is correctly configured for VLAN tagging.
7. **Reboots and Restarts**: - As a last resort, consider rebooting the Fortigate. Sometimes, certain services can get stuck and a reboot might resolve the issue. - Restart the DHCP service on the Fortigate.
8. **Other Considerations**: - If someone on your team made changes, it's possible that a change might have been overlooked when reverting. It might be beneficial to compare the current configuration with a backup (if available). - Ensure that there aren't any other DHCP servers active on VLAN 241. Another active DHCP server can cause conflicts.
Lastly, if you're not on-site, you might need assistance from someone who is, especially if physical checks or reboots are required. If the issue remains unresolved, consider reaching out to Fortinet support or consulting with a Fortinet expert.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.