Fortinet Community

chethan · ‎05-11-2022

Hello everyone,

Before implementing the following configuration in production I'm testing it out in GNS3 and I'm facing issues with Inter-VLAN routing. I have configured FortiGate to act as router-on-a-stick.

I have created VLAN 100 and VLAN 200 on the switch and allowed it over the trunk interface that is connected to the FortiGate. Configured the ports connecting the end devices as access ports.
Created same VLANs on the FortiGate and attached it to the interfaces that is connected to the switch.
Created the required Firewall polices, VLAN 100 -> VLAN 200 and VLAN 200 -> VLAN 100.
From device in VLAN 100, I'm able to ping the VLAN 100 SVI IP address and the SVI IP address on VLAN 200. But unable to reach the other device in VLAN 200 and vice-versa.
Packet sniffer on FortiGate shows that It is receiving the packet on VLAN 100 interface but it is not sending it out of VLAN 200 interface.

Please, find the attached images for the reference. I believe I'm not missing anything here. Any suggestions would be helpful.

Network Diagram:

Firewall Polices:

VLAN Interface details:

Sniffer Output:

Thank you

IMPORTANT UPDATE:

Hey everyone,

This is important I guess,

I just replaced the new FortiGate running FortiOS 7.2 with ForiOS 6.4.9. And, Inter-VLAN routing is happening now without any problem.

I have same configuration in place like the one that I had earlier.

Is this a bug or anything in 7.2 release? Can the Fortinet staff confirm this please?

Please find my updated screenshots:

PC1 to PC2:

PC2 to PC1:

Thank you

Chethan
NSE 4

jintrah_FTNT · ‎05-13-2022

Hi Chethan,

I tested this on a 7.2 device and it is found to work, so issue should be local to your environment only.

best regards,

Jin

View solution in original post

chethan · ‎05-12-2022

Hi,

I'm testing in a lab environment. I directly download 7.2 and 6.4.9. and running it individually.

I did not upgrade it from previous version.

Chethan
NSE 4

jintrah_FTNT · ‎05-12-2022

thats understood....But i am checking with you that If you upgrade the working FortiGate following the upgrade paths, are you seeing same behavior? Also, if issue persist, could you fetch the debug flow commands posted in my initial response, I am eager to look what policy id is it matching among other info as well.

Best regards,

Jin

jintrah_FTNT · ‎05-12-2022

Chethan,

Is there any vpn configuration on the non working FortiGate? From earlier flows, I notice tun_id=0.0.0.0 info in the lines.

Best regards,

Jin

chethan · ‎05-12-2022

No, VPN is not configured. It was a fresh configuration. I just configured what I need for testing that's it.

Chethan
NSE 4

chethan · ‎05-12-2022

Sure, I'll test that out soon and keep you posted.

Chethan
NSE 4

sw2090 · ‎05-12-2022

hm I tested it on my lab fgt60 that runs 7.0.3.

Hooked an old hp procurve 2524 to it and created vid 100 and 200 on it and made on port untagged in 100 and one untagged in 200 on it.

Created both vlans on a port of the fgt. Created Policies and Services for ping as there as none per default and it works fine.

Maybe in 6.4.9 there still is a working factory ping service once can chose in a police which does not exist in 7.x anymore?

Basically you need two services for ping:

ICMP Echo (ICMP Protocol #8 with no code)

ICMP Echo Reply (ICMP Protocol #0 with no code)

with adding both to the policies I can ping from my laptop which is on the 2524 on the port untagged in vlan 100 to the rpi400 which is on the 2524 on the port in vlan 200 and vice versa. I can also ping the FGT in both vlans from both vlans.

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

chethan · ‎05-12-2022

Hi, I tested by allowing all services as well just to make sure. But no luck.

It is working on 7.0.x versions but not on 7.2.

May its happening only with me. Don't know.

Chethan
NSE 4

jintrah_FTNT · ‎05-13-2022

Hi Chethan,

I tested this on a 7.2 device and it is found to work, so issue should be local to your environment only.

best regards,

Jin

chethan · ‎05-14-2022

Might be.

I'm still figuring it out why. I even tried by downloading the image again from the support portal.

Chethan
NSE 4

binover · ‎05-30-2022

Hi, did you have any update? I reached this board looking for a similar issue. What we noteced is only happened with ICMP, TCP and UDP is routed fine but is impossible to reach the hosts with ping. We also hace FortiOS 7.x on a stack with Fortiswitches. Any idea?

Fortinet Community

Inter-VLAN routing issues - FortiGate