Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ageorgescu
New Contributor

Fortigate and Unifi USW-Pro configuration

Hello,

Beginner here looking for help. Thanks!

 

Does anyone know what configuration is needed on the Fortigate to be able to connect the VLANs on the Unifi L3 Switch to the Internet?

I am only able to reach the internet on the default VLAN.

I've seen dozens on posts online of people struggling with the same issue.

 

Here's my configuration:

 

Configuration:

Fortigate with LAN Port 20 - IP 10.24.0.1 + Static route (destination: 10.24.0.0/16 -> Gateway 10.24.02 (USW-Pro);

Gen2 Plus Controller (10.24.0.4)

USW-Pro (10.24.0.2) with default subnet: 10.24.0.0/24 and VLAN 3 with subnet 10.24.3.0/24 and VLAN 2 with subnet 10.24.2.0/24; Firewall Policies are also correct (checked with Fortigate engineer);

The PCs in VLAN 2 and 3 can reach each other all right. The USW-Pro is also DHCP server for each VLAN. That works as well.

 

USW-Pro automatically Created Inter-VLAN routing Network with VLAN ID 4040 and interface IP: 10.255.253.2

 

Interface  State IP Address   IP Mask     TYPE      Method

----------- ----- --------------- --------------- --------------- ---------------

vlan 4040  Up   10.255.253.2  255.255.255.0  Primary     Manual

vlan 2    Up   10.24.2.1    255.255.255.0  Primary     Manual

vlan 3    Up   10.24.3.1    255.255.255.0  Primary     Manual

 

(UBNT) #show ip route

Route Codes: C - Connected, S - Static

C   10.24.2.0/24 [0/0] directly connected,  4/2

C   10.24.3.0/24 [0/0] directly connected,  4/3

 

Forti Lan Interface.pngForti Static routes.pngUnifi Network tab.pngVlan 3.png

3 REPLIES 3
xshkurti
Staff
Staff

@ageorgescu 

First thing I notice is that you are using an unsupported SFP module on FortiGate.
That can cause different and unexpected issues.


Second is testing connectivity.
Are you able to ping from fortigate vlan interface to USW vlan interface?

To test it please execute:
exe ping-options source 10.255.253.1

exe ping 10.255.253.2

If that works then from FortiGate side all should be fine.

ageorgescu

I have tested as you advised. it works fine.

 

Fortigate # exe ping-options source 10.255.253.1

Fortigate # exe ping 10.255.253.2
PING 10.255.253.2 (10.255.253.2): 56 data bytes
64 bytes from 10.255.253.2: icmp_seq=0 ttl=64 time=1.7 ms
64 bytes from 10.255.253.2: icmp_seq=1 ttl=64 time=0.6 ms
64 bytes from 10.255.253.2: icmp_seq=2 ttl=64 time=0.6 ms
64 bytes from 10.255.253.2: icmp_seq=3 ttl=64 time=0.6 ms
64 bytes from 10.255.253.2: icmp_seq=4 ttl=64 time=0.6 ms

--- 10.255.253.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.6/0.8/1.7 ms

xshkurti

@ageorgescu 

This means that vlan is configured properly and there is communication.

Routing also seem to be fine.
Now you may try to do a packet sniffer from fortigate to 10.24.3.0/24 subnet.

Do the same as above
exe ping-options source 10.255.253.1
exe ping x.x.x.x
x.x.x.x is an ip address located on 10.24.3.0 subnet

on another CLI in fortigate execute
diag sniffer packet any "host x.x.x.x and icmp" 4
again do replace x.x.x.x with IP that you are trying to ping.

While ping is going-on, check sniffer if packets are leaving fortigate. You should see in output something like "vlan 4040 out " and "port20 out".
This output will indicate that packet is leaving fortigate to ubiquity, and you have to check on that device what is happening with packets.

 

Regards,

@xshkurti 

Top Kudoed Authors