Hello,
Beginner here looking for help. Thanks!
Does anyone know what configuration is needed on the Fortigate to be able to connect the VLANs on the Unifi L3 Switch to the Internet?
I am only able to reach the internet on the default VLAN.
I've seen dozens of posts online of people struggling with the same issue.
Here's my configuration:
Fortigate with LAN Port 20 - IP 10.24.0.1 + Static route (destination: 10.24.0.0/16 -> Gateway 10.24.02 (USW-Pro);
Gen2 Plus Controller (10.24.0.4)
USW-Pro (10.24.0.2) with default subnet: 10.24.0.0/24 and VLAN 3 with subnet 10.24.3.0/24 and VLAN 2 with subnet 10.24.2.0/24; Firewall Policies are also correct (checked with Fortigate engineer);
The PCs in VLAN 2 and 3 can reach each other all right. The USW-Pro is also DHCP server for each VLAN. That works as well.
USW-Pro automatically created an inter-VLAN routing network with VLAN ID 4040 and interface IP 10.255.253.2:
Interface State IP Address IP Mask TYPE Method
----------- ----- --------------- --------------- --------------- ---------------
vlan 4040 Up 10.255.253.2 255.255.255.0 Primary Manual
vlan 2 Up 10.24.2.1 255.255.255.0 Primary Manual
vlan 3 Up 10.24.3.1 255.255.255.0 Primary Manual
(UBNT) #show ip route
Route Codes: C - Connected, S - Static
C 10.24.2.0/24 [0/0] directly connected, 4/2
C 10.24.3.0/24 [0/0] directly connected, 4/3
@ageorgescu
First thing I notice is that you are using an unsupported SFP module on FortiGate.
That can cause different and unexpected issues.
Second is testing connectivity.
Are you able to ping from fortigate vlan interface to USW vlan interface?
To test it please execute:
exe ping-options source 10.255.253.1
exe ping 10.255.253.2
If that works then from FortiGate side all should be fine.
I have tested as you advised. It works fine.
Fortigate # exe ping-options source 10.255.253.1
Fortigate # exe ping 10.255.253.2
PING 10.255.253.2 (10.255.253.2): 56 data bytes
64 bytes from 10.255.253.2: icmp_seq=0 ttl=64 time=1.7 ms
64 bytes from 10.255.253.2: icmp_seq=1 ttl=64 time=0.6 ms
64 bytes from 10.255.253.2: icmp_seq=2 ttl=64 time=0.6 ms
64 bytes from 10.255.253.2: icmp_seq=3 ttl=64 time=0.6 ms
64 bytes from 10.255.253.2: icmp_seq=4 ttl=64 time=0.6 ms
--- 10.255.253.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.6/0.8/1.7 ms
Created on 11-01-2023 09:02 AM Edited on 11-01-2023 09:02 AM
@ageorgescu
This means that vlan is configured properly and there is communication.
Routing also seems to be fine.
Now you may try to run a packet sniffer on the FortiGate for the 10.24.3.0/24 subnet.
Do the same as above
exe ping-options source 10.255.253.1
exe ping x.x.x.x
x.x.x.x is an IP address located on the 10.24.3.0 subnet.
In another CLI session on the FortiGate, execute
diag sniffer packet any "host x.x.x.x and icmp" 4
Again, replace x.x.x.x with the IP that you are trying to ping.
While the ping is going on, check the sniffer to see if packets are leaving the FortiGate. You should see in the output something like "vlan 4040 out" and "port20 out".
This output will indicate that the packet is leaving the FortiGate towards the Ubiquiti switch, and you then have to check on that device what is happening with the packets.
Regards,
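As an added example (not part of the thread), a small script that applies the reply's check to sniffer output: count ICMP echo requests and replies per FortiGate interface and direction, and say whether the packets left the FortiGate without a reply coming back. The sniffer lines are constructed to look like "diag sniffer packet ... 4" output; the host 10.24.3.10 and the interface name vlan4040 (no space) are assumptions.

```python
import re
from collections import Counter

# Constructed sample of verbosity-4 sniffer output (not a real capture from the
# thread). Each packet line: timestamp, interface, direction, src -> dst: detail.
# 10.24.3.10 is an assumed host in VLAN 3; the FortiGate VLAN interface is
# assumed to be named vlan4040.
SAMPLE_SNIFFER = """\
interfaces=[any]
filters=[host 10.24.3.10 and icmp]
0.101234 vlan4040 out 10.255.253.1 -> 10.24.3.10: icmp: echo request
0.101250 port20 out 10.255.253.1 -> 10.24.3.10: icmp: echo request
1.101300 vlan4040 out 10.255.253.1 -> 10.24.3.10: icmp: echo request
1.101310 port20 out 10.255.253.1 -> 10.24.3.10: icmp: echo request
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ifname>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)$"
)


def parse_sniffer(text):
    """Return a Counter keyed by (interface, direction, 'request'|'reply')."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # header lines (interfaces=, filters=) do not match and are skipped
            counts[(m["ifname"], m["dir"], m["kind"])] += 1
    return counts


def diagnose(counts):
    """Apply the reply's reasoning: requests leaving on the VLAN interface and
    the physical port with no replies coming back means the FortiGate forwarded
    the traffic, so the next place to look is the switch."""
    left = sorted({i for (i, d, k) in counts if d == "out" and k == "request"})
    replies = sum(n for (i, d, k), n in counts.items() if d == "in" and k == "reply")
    if not left:
        return "no echo requests left the FortiGate: check routing/policy on the FortiGate"
    if replies == 0:
        return "requests left via %s but no replies returned: check the switch side" % ", ".join(left)
    return "replies received, requests left via %s: path is working" % ", ".join(left)


if __name__ == "__main__":
    print(diagnose(parse_sniffer(SAMPLE_SNIFFER)))
```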