Fortigate + Juniper Vlan issues

blong · ‎09-10-2014

First off here is a nice paint drawing of what the topology looks like http://imgur.com/omZpczi Currently The fortigate which is an 800c is running in Transparent so the routing and vlans work fine. We are switching our internet to ethernet circuit so we are wanting to switch the Nat to the fortigate to remove one device. The problem I am having when you switch to Nat/Routing mode you have to configure the vlans in the fortigate. In the picture I posted I can Make Vlan101 work it can dhcp reach the internet and ping just fine. I am having trouble making the rest of the vlans work. The way its configured now is v101 v103 are the only vlan on the trunks and the switch takes care of all the inter vlan routing. The dynamic routing is taken care of by rip as that is what the ex2200 support. Ive setup rip on the fortigate and can see all the networks. It gets the proper gateway to reach them. I can ping the gateways of the other networks from the fortigate. I can even ping a static assigned box from the fortigate although i cannot ping into it. I also cannot dhcp from the other networks. I have tried adding rules for the networks ip addresses. Adding the vlans to the interfaces they come in on. Im not sure what im missing first time ive tried to setup this fortigate this way. If i left out any important info let me know its early trying to rack my brain with everything ive done. Thanks

emnoc · ‎09-10-2014

So is this vlan over the wireless bridge? and tagged? It looks like the trunking needs to be enabled on the wireless bridges for vlan 101 and 103 and then you need setup address for routing.

PCNSE

NSE

StrongSwan

blong · ‎09-10-2014

The bridges act the same as a cable link and just pass data in bridge mode. I had routes setup and can ping the gateways of the other clans from the fortigate.

emnoc · ‎09-11-2014

Good , than just setup a 802.1q sub-interface referencing the fortigate port and connect the bridges. Match the same vlan tag on the juniper EXs. config system interface edit " v103" set vdom " root" set interface " port3" set vlanid 103 set ip 10.103.0.1/24 <---insert fgt inter address next edit " v104" set vdom " root" set interface " port4" set vlanid 104 set ip 10.104.0.1/24 <---insert fgt inter address next end Than apply routing between the EX and FGT. Keep in mind to apply the fwpolicies for the access lan subnets. BTW, your topology diagram was excellent, clear, and provided great details on what your trying todo

I wisj others would do likw you and add a photo, drawing, or sketch. A photo says a thousand words sometimes and it will help eliminate any confusion. What wireless bridge manufacture are your using if you don' t mind me asking ? And do they have the means to rate-limit if you apply various tags across it? And is this WiFI or WiMAX?

PCNSE

NSE

StrongSwan

blong · ‎09-11-2014

I have the routing set up and all looks good there can ping the gateways of the other networks that reside on the switch. So i guess i just need to add policies to allow those subnets? I tried allowing from all addresses thinking that would work. My boss taught me well he is always drawing pictures. it does help a ton even when trying to explain something to myself. We use solektek excel-250 bridges not sure what the consider them. More of a PTP link.

blong · ‎09-11-2014

Ive messed with it a little more. still cannot dhcp from the access vlans that reside on the switches. If i give a box a static i can ping the gateway that resides on the fortigate, but cannot ping from the fortigate to it.

emnoc · ‎09-11-2014

What' s your route-table look like? I would assume all the access subnets should be in that table with a next-hop = a JUNIPER EX. Is that not the case?

PCNSE

NSE

StrongSwan

blong · ‎09-11-2014

yes that is the case i just have a small test bed setup right now. http://imgur.com/ndXa2os Think of the 10.107.x.x network as the school 2 in the first picture If i have a static on a box plugged into a 107 access port I can ping 10.101.0.1 which is the address on the fortigate.

blong · ‎09-12-2014

The only thing i cant get to work now is DHCP from the other access vlans. If i give a box a v102 static such as 10.102.0.50 I can ping the dhcp server from the box can ping from the dhcp server to the box can ping all the gateways for the networks. I Have tried putting in all kinds of policies and from the port the vlan is on to the port for the dhcp. Tried enabling dhcp relay on everything possible nothing seems to work. Not sure what im missing.

emnoc · ‎09-12-2014

Okay so if I follow you correctly, a static addressed host works? In all vlans for the schools and access-post ( v103,203,1000,101,201,202 ) And the problems are DHCP related only? And the EX2200 are doing routing? have defaut via the vlan101/103 trunks? So is the DHCP-server setup for handling dhcp-relay-agents ? Do you have dhcp-relay enabled on the EX2200s i.e set forwarding-options helpers bootp interface vlan 201 set forwarding-options helpers bootp interface vlan 202 set forwarding-options helpers bootp interface vlan 203 set forwarding-options helpers bootp server 10.10.10.4 What does a packet capture show for a client machine subscribing for an address? What do you have inter-trunks vlan 101 and 103 and firewall policies? Did you run any diag debug flow diagnostics?

PCNSE

NSE

StrongSwan

Fortigate + Juniper Vlan issues

Nominate a Forum Post for Knowledge Article Creation