Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
chethan
Contributor

Created on ‎05-11-2022 05:07 AM Edited on ‎05-12-2022 05:23 AM

Inter-VLAN routing issues - FortiGate

Hello everyone,

 

Before implementing the following configuration in production I'm testing it out in GNS3 and I'm facing issues with Inter-VLAN routing. I have configured FortiGate to act as router-on-a-stick.

 

  1. I have created VLAN 100 and VLAN 200 on the switch and allowed it over the trunk interface that is connected to the FortiGate. Configured the ports connecting the end devices as access ports.
  2. Created same VLANs on the FortiGate and attached it to the interfaces that is connected to the switch.
  3. Created the required Firewall polices, VLAN 100 -> VLAN 200 and VLAN 200 -> VLAN 100.
  4. From device in VLAN 100, I'm able to ping the VLAN 100 SVI IP address and the SVI IP address on VLAN 200. But unable to reach the other device in VLAN 200 and vice-versa.
  5. Packet sniffer on FortiGate shows that It is receiving the packet on VLAN 100 interface but it is not sending it out of VLAN 200 interface. 

Please, find the attached images for the reference. I believe I'm not missing anything here. Any suggestions would be helpful.

 

 

Network Diagram:

 

chethan_1-1652270777734.png

 

Firewall Polices:

 

chethan_2-1652270777739.png

 

VLAN Interface details:

 

chethan_3-1652270777742.png

 

Sniffer Output:

 

chethan_4-1652270777744.png

 

Thank you

 

 

 

IMPORTANT UPDATE: 

 

Hey everyone,

 

This is important I guess,

 

I just replaced the new FortiGate running FortiOS 7.2 with ForiOS 6.4.9. And, Inter-VLAN routing is happening now without any problem.

 

I have same configuration in place like the one that I had earlier.

 

Is this a bug or anything in 7.2 release? Can the Fortinet staff confirm this please?

 

Please find my updated screenshots:

 

chethan_0-1652357915030.png

 

PC1 to PC2:

chethan_1-1652357937273.png

 

PC2 to PC1:

chethan_2-1652357956362.png

 

Thank you

 

 

 

 

Chethan
NSE 4
ChethanNSE 4
Labels:
21502
0 Kudos
1 Solution
jintrah_FTNT
Staff
Staff
In response to chethan

Created on ‎05-13-2022 01:08 AM

Hi Chethan,

 

I tested this on a 7.2 device and it is found to work, so issue should be local to your environment only.

 

jintrah_FTNT_0-1652428999364.pngjintrah_FTNT_1-1652429192067.png

 

jintrah_FTNT_2-1652429279470.png

 

best regards,

Jin

 

View solution in original post

20647
40 REPLIES 40
chethan
Contributor
In response to seshuganesh

Created on ‎05-12-2022 02:32 AM

Hi seshuganesh,

 

It can ping.

chethan_4-1652347922391.png

 

Thank you

Chethan
NSE 4
ChethanNSE 4
3887
0 Kudos
seshuganesh
Staff
Staff
In response to chethan

Created on ‎05-12-2022 02:34 AM

In this case, is it possible to take packet capture in switch to check what is happening with this traffic?

I believe firewall is forwarding the packets

3881
0 Kudos
chethan
Contributor
In response to seshuganesh

Created on ‎05-12-2022 02:44 AM Edited on ‎05-12-2022 03:00 AM

@seshuganesh @sw2090  

 

No, switch is not creating any problem.

 

I replaced the FortiGate with a router (created sub-interfaces) and now PC1 can ping PC2 and PC2 can ping PC1.

 

I am sure, I'm not missing anything on FortiGate. Am I?

 

chethan_0-1652348556953.png

 

chethan_1-1652348569403.png

 

chethan_2-1652348628130.png

 

Thank you.

 

Chethan
NSE 4
ChethanNSE 4
3885
0 Kudos
chethan
Contributor
In response to seshuganesh

Created on ‎05-12-2022 05:27 AM

Hi Ganesh,

 

I have updated my original post. Kindly, check!

 

Thank you

Chethan
NSE 4
ChethanNSE 4
3837
0 Kudos
sw2090
SuperUser
SuperUser

Created on ‎05-12-2022 02:13 AM

hm what is in the addressobjects (vlan 100 adress, vlan 200 address). To reach the whole subnet it has to be a subnet or ip range.

 

Also do PC1 and PC2 have static route to the "opposite" vla with the FGT as gateway? Or do they have the FGT as default gw? If neither is the case the traffic from client to client in other vlan will never hit the FGT hence it would take the wrong route.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
3902
0 Kudos
chethan
Contributor
In response to sw2090

Created on ‎05-12-2022 02:29 AM

Hi,

Thank you for responding.

 

The address objects are subnets not individual IP addresses.

chethan_1-1652347382369.png

 

chethan_0-1652347354427.png

 

Yes, The PCs are configured with default gateway on each VLAN.

 

If it were not configured, the device in VLAN 100 would not be able to ping VLAN 200 interface IP and vice versa.

 

PC1 output:

chethan_2-1652347693992.png

 

PC2 Output:

chethan_3-1652347718918.png

 

 

 

 

Chethan
NSE 4
ChethanNSE 4
3891
0 Kudos
seshuganesh
Staff
Staff
In response to chethan

Created on ‎05-12-2022 02:31 AM Edited on ‎05-12-2022 02:51 AM

@chethan 

Ignore: no out packets in sniffer, so this reply wont help

Hi chetan,

 

can you get this output:

execute ping-options source 10.0.100.254

execute ping 10.0.200.10

 

execute ping-options reset

execute ping-options source 10.0.200.254

execute ping 10.0.200.10

 

Please get both these outputs

3889
0 Kudos
chethan
Contributor
In response to seshuganesh

Created on ‎05-12-2022 02:33 AM

@seshuganesh I have attached the output to your original reply.

 

Thank you.

Chethan
NSE 4
ChethanNSE 4
3888
chethan
Contributor
In response to sw2090

Created on ‎05-12-2022 05:27 AM

Hey sw2090,

 

I have updated my original post. Kindly, check!

 

Thank you

Chethan
NSE 4
ChethanNSE 4
3836
0 Kudos
sw2090
SuperUser
SuperUser

Created on ‎05-12-2022 02:27 AM

hm ok so you can ping the FGT in vlan 200 from the Pc1 in vlan 100 and the FGt in vlan 100 from the PC2 in vlan 200. So that means the routing on the pc is good (if not that wouldn't work) and traffic does hit the fgt with correct vid. 

Sounds more like if some kind of isolation is enabled on the vlans somewhere. I never had that on our FGT though. So maybe your L2 Switch is causing this?

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
3891
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.