Support Forum
gg9
New Contributor

I can't get inter-VLAN routing to work

I have a FortiGate 50E, unlicensed, firmware v5.4.1

When I try to set up 2 VLANs:
vlan10
ip 192.168.10.1/24

vlan20
ip 192.168.20.1/24

If I enable DHCP on the VLAN then it won't give an IP to any PC, but DHCP on the port still works.
And no matter how much I try, I can't seem to get VLAN routing to work; I can still route from a VLAN to the internet, but VLAN to VLAN is impossible.

I tried creating the VLANs via GUI and CLI (don't think this makes much difference?),
configured an IPv4 policy so it allows any type to any destination, both ways, vlan10 to vlan20 and vice versa,
configured a static route to 192.168.10.0/24 interface vlan20 gateway 192.168.10.1 and to 192.168.20.0/24 interface vlan10 gateway 192.168.20.1.

I tried running the "show system route" command and all networks are connected normally, "c 192.168.10.1 255.255.255.0 is directy connect" or something like this.
I can't get logging to work; I have enabled logging in the policy, log security and log everything.
I tried to ping the clients from the FortiGate CLI, "exec ping 192.168.10(.20).1(.2)", and it works, but not from one PC in one VLAN to another PC in another VLAN.
"tracert 192.168.10.1" on the client PC (192.168.20.2) returns "destination host unreachable" or "connect time out".

Any help is much appreciated. Thanks guys


3 REPLIES
yderek
Staff

Hi, gg9

1: Is there any layer 2 switch involved in this setup? If so, has any VLAN tagging ACL been done on the downstream switch?

2: Get the PC's MAC address, and while you are trying to get the PC to obtain a DHCP address, run the sniffer below first, based on the PC NIC MAC address, to see whether your FortiGate is receiving any packets from the PC at all. The CLI is below; for example, if you want

to sniff the MAC address when it is Source MAC = 00:09:0f:89:10:ea:
# diagnose sniffer packet <interface> "(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)"

3: You can ping between FortiGate VLAN interfaces; this is expected. However, if your PC has not obtained the IP properly, you won't be able to reach each other, hence resolve the DHCP address first and then go from there.
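
The two-part MAC filter in point 2 above, as an added Python helper that is not part of this thread or of FortiOS: BPF compares at most 4 bytes at a time, so a 6-byte MAC has to be matched as a 4-byte compare plus a 2-byte compare on the Ethernet header (source MAC at offset 6, destination MAC at offset 0). The helper accepts a MAC in colon, dash or bare-hex notation, builds the expression for the source field, the destination field or either (the "any" form is a generalization of what the reply shows), and assembles the full command line. The interface name, the function names and the sample MAC values are assumptions for illustration.

```python
"""Build the MAC filter for FortiGate's `diagnose sniffer packet` (added example).

The sniffer accepts a tcpdump/BPF expression, and BPF can compare at most
4 bytes at a time, so a 6-byte MAC is matched with two comparisons on the
Ethernet header: bytes 0-5 are the destination MAC, bytes 6-11 the source
MAC. ether[6:4] reads 4 bytes at offset 6 and ether[10:2] the last 2 bytes.
"""
import re

# Byte offset of each MAC field inside the 14-byte Ethernet header.
MAC_OFFSET = {"src": 6, "dst": 0}

# 6 hex pairs, all separated by ':' or '-', or not separated at all.
_MAC_RE = re.compile(r"^[0-9a-fA-F]{2}([-:]?)[0-9a-fA-F]{2}(\1[0-9a-fA-F]{2}){4}$")


def normalize_mac(mac: str) -> bytes:
    """Return the 6 raw bytes of a MAC given as aa:bb:cc:dd:ee:ff, aa-bb-..., or aabbccddeeff."""
    cleaned = mac.strip()
    if not _MAC_RE.match(cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[-:]", "", cleaned))


def is_valid_mac(mac: str) -> bool:
    """True when normalize_mac() would accept the string."""
    try:
        normalize_mac(mac)
    except ValueError:
        return False
    return True


def _field_match(raw: bytes, offset: int) -> str:
    """Two-part BPF comparison for one 6-byte field starting at `offset`."""
    high = int.from_bytes(raw[:4], "big")  # first 4 bytes of the MAC
    low = int.from_bytes(raw[4:], "big")   # remaining 2 bytes
    return f"(ether[{offset}:4]=0x{high:08x}) and (ether[{offset + 4}:2]=0x{low:04x})"


def mac_filter(mac: str, direction: str = "src") -> str:
    """BPF expression matching frames whose src, dst, or either MAC equals `mac`."""
    raw = normalize_mac(mac)
    if direction in MAC_OFFSET:
        return _field_match(raw, MAC_OFFSET[direction])
    if direction == "any":
        # Assumed generalization: match the MAC in either header field.
        return f"({_field_match(raw, 6)}) or ({_field_match(raw, 0)})"
    raise ValueError(f"direction must be src, dst or any, not {direction!r}")


def sniffer_command(interface: str, mac: str, direction: str = "src") -> str:
    """Full FortiOS CLI line, quoted the way the reply above shows it."""
    return f'diagnose sniffer packet {interface} "{mac_filter(mac, direction)}"'


if __name__ == "__main__":
    # Constructed sample: the MAC from the reply above on an assumed interface name.
    print(sniffer_command("lan1", "00:09:0f:89:10:ea"))
    print(sniffer_command("lan1", "00-09-0F-89-10-EA", "any"))
```

Because the filter is a plain string, it is worth validating the MAC before pasting the command: a mistyped or truncated address compiles into a filter that silently matches nothing, which looks exactly like "the FortiGate receives no packets from the PC".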


gg9
New Contributor

Thanks for the reply,

There is no layer two switch in my setup, just the built-in LAN ports of the firewall.
The PC obtains an IP address like normal if I enable the DHCP server on the physical interface setting (the PC is set to DHCP, not manual, and ipconfig /all shows the DHCP server is indeed the interface IP), but when I try the sniff command it returns:
(the PC is plugged into port lan1; I tried removing the filter as well, and the result is the same)

interfaces=[lan1]
filters=[(ether[6:4]=0x088FC352) and (ether[10:2]=0x005F)]
pcap_lookupnet: lan1: no IPv4 address assigned

gg9
New Contributor

I guess I'll try RIP..
