Inter-VLAN routing issues - FortiGate
Hello everyone,
Before implementing the following configuration in production, I'm testing it out in GNS3 and I'm facing issues with inter-VLAN routing. I have configured the FortiGate to act as a router-on-a-stick.
- I have created VLAN 100 and VLAN 200 on the switch and allowed them over the trunk interface that is connected to the FortiGate. Configured the ports connecting the end devices as access ports.
- Created the same VLANs on the FortiGate and attached them to the interface that is connected to the switch.
- Created the required firewall policies, VLAN 100 -> VLAN 200 and VLAN 200 -> VLAN 100.
- From a device in VLAN 100, I'm able to ping the VLAN 100 SVI IP address and the SVI IP address on VLAN 200, but I am unable to reach the other device in VLAN 200, and vice versa.
- The packet sniffer on the FortiGate shows that it is receiving the packet on the VLAN 100 interface but it is not sending it out of the VLAN 200 interface.
Please find the attached images for reference. I believe I'm not missing anything here. Any suggestions would be helpful.
Network Diagram:
Firewall Polices:
VLAN Interface details:
Sniffer Output:
Thank you
IMPORTANT UPDATE:
Hey everyone,
This is important I guess,
I just replaced the new FortiGate running FortiOS 7.2 with FortiOS 6.4.9, and inter-VLAN routing is now happening without any problem.
I have the same configuration in place as the one I had earlier.
Is this a bug or anything in the 7.2 release? Can the Fortinet staff confirm this please?
Please find my updated screenshots:
PC1 to PC2:
PC2 to PC1:
Thank you
NSE 4
Labels: FortiGate
Hi Chethan,
I tested this on a 7.2 device and it is found to work, so the issue should be local to your environment only.
best regards,
Jin
Hi, I have mentioned you in another similar reply.
Thank you
NSE 4
Hi,
Looking at the sniffer, the echo request reaches the firewall but does not leave it.
From my experience, 99% of the time I had a similar issue it was either routing or the firewall policy.
I understand no routing is required, as both VLANs are directly connected.
And from the other screenshot the firewall policy looks good, too.
But have you checked the logs on the FortiGate anyway? Is the log showing any denies?
Are you sure the objects used in the policy have the correct IP configured?
Because that has happened to me multiple times. The object name looks good, but the IP configured in that object had an error, like two digits in the wrong order or something.
Created on 05-12-2022 04:41 AM, edited on 05-12-2022 04:48 AM
Hello,
I have enabled all logs, but I do not see any violation logs there.
Yes, the objects are configured correctly. They are of the subnet address type. I have attached the screenshot in my previous replies.
NSE 4
Hi SveN2,
I have updated my original post. Kindly, check!
Thank you
NSE 4
Hi Chethan,
It appears that the FortiGate itself is not able to reach 10.0.200.10 in the first place; did you check? Is it possible to gather the debug flow below while pinging 10.0.200.10?
# diagnose debug reset
# diagnose debug flow filter proto 1
# diagnose debug flow filter addr 10.0.100.10
# diagnose debug flow show function-name enable
# diagnose debug console timestamp enable
# diagnose debug enable
# diagnose debug flow trace start 5
Best regards,
Jin
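Once a debug flow like the one above has been captured, the useful next step is to group the lines by trace_id and read off where each packet stopped. The script below is an added example for this thread, not code from the poster or from Fortinet. It assumes only the general shape of a debug-flow line (id=... trace_id=N func=... line=... msg="...") and the common wording of the "received a packet", "find a route", "Allowed by Policy-N" and "Denied by ... (policy N)" messages, which can differ between builds; the sample lines, their function names, line numbers and session IDs are constructed for the example and are not the output from the thread.

```python
"""Triage FortiGate `diagnose debug flow` output: one verdict per trace_id.

Added example, not the poster's or Fortinet's code. Assumes the general
line shape  id=... trace_id=N func=... line=... msg="..."  and the common
message wording matched by the regexes below (varies between builds).
"""
import re
from collections import OrderedDict

# Constructed sample (not real output): four ICMP traces between
# 10.0.100.10 on VLAN100 and hosts on VLAN200, one per outcome.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5810 msg="vd-root:0 received a packet(proto=1, 10.0.100.10:1->10.0.200.10:2048) from VLAN100. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5984 msg="allocate a new session-00000a1b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.200.10 via VLAN200"
id=20085 trace_id=1 func=fw_forward_handler line=802 msg="Allowed by Policy-1:"
id=20085 trace_id=2 func=print_pkt_detail line=5810 msg="vd-root:0 received a packet(proto=1, 10.0.200.10:1->10.0.100.10:2048) from VLAN200. type=8, code=0, id=1, seq=1."
id=20085 trace_id=2 func=init_ip_session_common line=5984 msg="allocate a new session-00000a1c"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.100.10 via VLAN100"
id=20085 trace_id=2 func=fw_forward_dirty_handler line=389 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5810 msg="vd-root:0 received a packet(proto=1, 10.0.100.10:1->10.0.200.10:2048) from VLAN100. type=8, code=0, id=1, seq=2."
id=20085 trace_id=3 func=resolve_ip_tuple_fast line=5891 msg="Find an existing session, id-00000a1b, original direction"
id=20085 trace_id=4 func=print_pkt_detail line=5810 msg="vd-root:0 received a packet(proto=1, 10.0.100.10:1->10.0.200.20:2048) from VLAN100. type=8, code=0, id=1, seq=1."
"""

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+)\s.*?msg="(?P<msg>[^"]*)"')
PKT_RE = re.compile(r'proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\) from (?P<intf>\S+)\.')
ROUTE_RE = re.compile(r'find a route: .* via (?P<intf>\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')
DENY_RE = re.compile(r'Denied by .*\(policy (?P<policy>\d+)\)')


def parse_traces(text):
    """Group the msg="..." payloads by trace_id, preserving first-seen order."""
    traces = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            traces.setdefault(m["trace"], []).append(m["msg"])
    return traces


def triage(text):
    """Return one dict per trace: 5-tuple-ish packet info, egress, policy, verdict."""
    results = []
    for trace_id, msgs in parse_traces(text).items():
        r = {"trace_id": trace_id, "src": None, "dst": None, "proto": None,
             "ingress": None, "egress": None, "policy": None, "verdict": "no-verdict"}
        for msg in msgs:
            if (m := PKT_RE.search(msg)):
                r.update(src=m["src"], dst=m["dst"], proto=int(m["proto"]), ingress=m["intf"])
            elif (m := ROUTE_RE.search(msg)):
                r["egress"] = m["intf"]          # interface the route lookup chose
            elif (m := ALLOW_RE.search(msg)):
                r.update(policy=int(m["policy"]), verdict="allowed")
            elif (m := DENY_RE.search(msg)):
                r.update(policy=int(m["policy"]), verdict="denied")  # policy 0 = implicit deny
            elif "existing session" in msg.lower():
                r["verdict"] = "existing-session"  # matched the session table, no policy lookup
        results.append(r)
    return results


def stuck_traces(results):
    """Traces where a packet was received but no route or policy verdict followed,
    i.e. the 'seen on the ingress VLAN, never sent out the other one' pattern."""
    return [r for r in results if r["verdict"] == "no-verdict"]


def summarize(text):
    """One human-readable line per trace."""
    return [
        f"trace {r['trace_id']}: proto={r['proto']} {r['src']} -> {r['dst']} "
        f"in={r['ingress']} out={r['egress']} policy={r['policy']} verdict={r['verdict']}"
        for r in triage(text)
    ]


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_DEBUG_FLOW)))
```

To use it on a real capture, paste the console output into a file and call triage(open(path).read()). A trace that has a "received a packet" line on the ingress VLAN interface but no route or policy line after it (the no-verdict case) is the pattern that matches the symptom in the original post; the last message before the trace stops is where to look next, and a "Denied by ... (policy 0)" line is the implicit deny, which usually points at a policy whose interface or address objects do not match the traffic.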
But 10.0.200.254 is a VLAN interface on the FortiGate - how can the FGT not reach its own interfaces?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Edited the original post; it was meant to be 10.0.200.10 instead.
Best regards,
Jin
Hi,
I have updated my original post. Kindly, check!
Thank you
NSE 4
The FortiGate is able to reach both end devices in both VLANs.
I have replaced the FortiGate running 7.2 with one running 6.4.9 and it is working.
I have updated my original post. Please check.
Thank you
NSE 4
Hi Chethan,
If you upgrade the new FortiGate from 6.4.9 to 7.2 following the upgrade paths, are you hitting the same issue?
Best regards,
Jin
