Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
chethan
Contributor

Created on ‎05-11-2022 05:07 AM Edited on ‎05-12-2022 05:23 AM

Inter-VLAN routing issues - FortiGate

Hello everyone,

 

Before implementing the following configuration in production I'm testing it out in GNS3 and I'm facing issues with Inter-VLAN routing. I have configured FortiGate to act as router-on-a-stick.

 

  1. I have created VLAN 100 and VLAN 200 on the switch and allowed it over the trunk interface that is connected to the FortiGate. Configured the ports connecting the end devices as access ports.
  2. Created same VLANs on the FortiGate and attached it to the interfaces that is connected to the switch.
  3. Created the required Firewall polices, VLAN 100 -> VLAN 200 and VLAN 200 -> VLAN 100.
  4. From device in VLAN 100, I'm able to ping the VLAN 100 SVI IP address and the SVI IP address on VLAN 200. But unable to reach the other device in VLAN 200 and vice-versa.
  5. Packet sniffer on FortiGate shows that It is receiving the packet on VLAN 100 interface but it is not sending it out of VLAN 200 interface. 

Please, find the attached images for the reference. I believe I'm not missing anything here. Any suggestions would be helpful.

 

 

Network Diagram:

 

chethan_1-1652270777734.png

 

Firewall Polices:

 

chethan_2-1652270777739.png

 

VLAN Interface details:

 

chethan_3-1652270777742.png

 

Sniffer Output:

 

chethan_4-1652270777744.png

 

Thank you

 

 

 

IMPORTANT UPDATE: 

 

Hey everyone,

 

This is important I guess,

 

I just replaced the new FortiGate running FortiOS 7.2 with ForiOS 6.4.9. And, Inter-VLAN routing is happening now without any problem.

 

I have same configuration in place like the one that I had earlier.

 

Is this a bug or anything in 7.2 release? Can the Fortinet staff confirm this please?

 

Please find my updated screenshots:

 

chethan_0-1652357915030.png

 

PC1 to PC2:

chethan_1-1652357937273.png

 

PC2 to PC1:

chethan_2-1652357956362.png

 

Thank you

 

 

 

 

Chethan
NSE 4
ChethanNSE 4
Labels:
25389
0 Kudos
1 Solution
jintrah_FTNT
Staff
Staff
In response to chethan

Created on ‎05-13-2022 01:08 AM

Hi Chethan,

 

I tested this on a 7.2 device and it is found to work, so issue should be local to your environment only.

 

jintrah_FTNT_0-1652428999364.pngjintrah_FTNT_1-1652429192067.png

 

jintrah_FTNT_2-1652429279470.png

 

best regards,

Jin

 

View solution in original post

24534
40 REPLIES 40
chethan
Contributor
In response to jintrah_FTNT

Created on ‎05-12-2022 05:41 AM

Hi, 

 

I'm testing in a lab environment. I directly download 7.2 and 6.4.9. and running it individually.

I did not upgrade it from previous version.

 

 

Chethan
NSE 4
ChethanNSE 4
5319
0 Kudos
jintrah_FTNT
Staff
Staff
In response to chethan

Created on ‎05-12-2022 05:47 AM

thats understood....But i am checking with you that If you upgrade the working FortiGate following the upgrade paths, are  you seeing same behavior? Also, if issue persist, could you fetch the debug flow commands posted in my initial response, I am eager to look what policy id is it matching among other info as well.

 

Best regards,

Jin

5318
0 Kudos
jintrah_FTNT
Staff
Staff
In response to jintrah_FTNT

Created on ‎05-12-2022 05:55 AM

Chethan,

 

Is there any vpn configuration on the non working FortiGate? From earlier flows, I notice tun_id=0.0.0.0 info in the lines.

 

Best regards,

Jin

5314
0 Kudos
chethan
Contributor
In response to jintrah_FTNT

Created on ‎05-12-2022 08:57 AM

No, VPN is not configured. It was a fresh configuration. I just configured what I need for testing that's it.

Chethan
NSE 4
ChethanNSE 4
5297
0 Kudos
chethan
Contributor

Created on ‎05-12-2022 05:54 AM

Sure, I'll test that out soon and keep you posted.

Chethan
NSE 4
ChethanNSE 4
5314
0 Kudos
sw2090
SuperUser
SuperUser

Created on ‎05-12-2022 06:55 AM

hm I tested it on my lab fgt60 that runs 7.0.3. 

Hooked an old hp procurve 2524 to it and created vid 100 and 200 on it and made on port untagged in 100 and one untagged in 200 on it.

Created both vlans on a port of the fgt. Created Policies and Services for ping as there as none per default and it works fine.

 

Maybe in 6.4.9 there still is a working factory ping service once can chose in a police which does not exist in 7.x anymore?

Basically you need two services for ping:

 

ICMP Echo (ICMP Protocol #8 with no code)

ICMP Echo Reply (ICMP Protocol #0 with no code)

 

with adding both to the policies I can ping from my laptop which is on the 2524 on the port untagged in vlan 100 to the rpi400 which is on the 2524 on the port in vlan 200 and vice versa. I can also ping the FGT in both vlans from both vlans.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
5303
chethan
Contributor
In response to sw2090

Created on ‎05-12-2022 10:04 PM

Hi, I tested by allowing all services as well just to make sure. But no luck.

It is working on 7.0.x versions but not on 7.2.

May its happening only with me. Don't know.

Chethan
NSE 4
ChethanNSE 4
5292
0 Kudos
jintrah_FTNT
Staff
Staff
In response to chethan

Created on ‎05-13-2022 01:08 AM

Hi Chethan,

 

I tested this on a 7.2 device and it is found to work, so issue should be local to your environment only.

 

jintrah_FTNT_0-1652428999364.pngjintrah_FTNT_1-1652429192067.png

 

jintrah_FTNT_2-1652429279470.png

 

best regards,

Jin

 

24535
chethan
Contributor
In response to jintrah_FTNT

Created on ‎05-14-2022 02:03 AM Edited on ‎05-14-2022 02:04 AM

Might be.

 

I'm still figuring it out why. I even tried by downloading the image again from the support portal. 

 

Chethan
NSE 4
ChethanNSE 4
5267
0 Kudos
binover
New Contributor

Created on ‎05-30-2022 08:30 AM

Hi, did you have any update? I reached this board looking for a similar issue. What we noteced is only happened with ICMP, TCP and UDP is routed fine but is impossible to reach the hosts with ping. We also hace FortiOS 7.x on a stack with Fortiswitches. Any idea?

5048
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.