Support Forum
chethan
Contributor

Inter-VLAN routing issues - FortiGate

Hello everyone,

Before implementing the following configuration in production, I'm testing it out in GNS3, and I'm facing issues with inter-VLAN routing. I have configured the FortiGate to act as router-on-a-stick.

  1. I have created VLAN 100 and VLAN 200 on the switch and allowed them over the trunk interface that is connected to the FortiGate. Configured the ports connecting the end devices as access ports.
  2. Created the same VLANs on the FortiGate and attached them to the interface that is connected to the switch.
  3. Created the required firewall policies, VLAN 100 -> VLAN 200 and VLAN 200 -> VLAN 100.
  4. From a device in VLAN 100, I'm able to ping the VLAN 100 SVI IP address and the SVI IP address on VLAN 200. But I am unable to reach the other device in VLAN 200, and vice versa.
  5. The packet sniffer on the FortiGate shows that it is receiving the packet on the VLAN 100 interface, but it is not sending it out of the VLAN 200 interface.

Please find the attached images for reference. I believe I'm not missing anything here. Any suggestions would be helpful.

Network Diagram:

chethan_1-1652270777734.png

Firewall Polices:

chethan_2-1652270777739.png

VLAN Interface details:

chethan_3-1652270777742.png

Sniffer Output:

chethan_4-1652270777744.png

Thank you

IMPORTANT UPDATE: 

Hey everyone,

This is important I guess,

I just replaced the new FortiGate running FortiOS 7.2 with FortiOS 6.4.9, and inter-VLAN routing is happening now without any problem.

I have the same configuration in place as the one I had earlier.

Is this a bug or anything in the 7.2 release? Can the Fortinet staff confirm this, please?

Please find my updated screenshots:

chethan_0-1652357915030.png

PC1 to PC2:

chethan_1-1652357937273.png

PC2 to PC1:

chethan_2-1652357956362.png

Thank you

Chethan
NSE 4
1 Solution
jintrah_FTNT

Hi Chethan,

I tested this on a 7.2 device and it was found to work, so the issue should be local to your environment only.

jintrah_FTNT_0-1652428999364.png

jintrah_FTNT_1-1652429192067.png

jintrah_FTNT_2-1652429279470.png

Best regards,

Jin


40 Replies
chethan

Hi seshuganesh,

It can ping.

chethan_4-1652347922391.png

Thank you

Chethan
NSE 4
seshuganesh

In this case, is it possible to take a packet capture on the switch to check what is happening with this traffic?

I believe the firewall is forwarding the packets.

chethan

@seshuganesh @sw2090  

No, the switch is not creating any problem.

I replaced the FortiGate with a router (created sub-interfaces) and now PC1 can ping PC2 and PC2 can ping PC1.

I am sure I'm not missing anything on the FortiGate. Am I?

chethan_0-1652348556953.png

chethan_1-1652348569403.png

chethan_2-1652348628130.png

Thank you.

Chethan
NSE 4
chethan

Hi Ganesh,

I have updated my original post. Kindly check!

Thank you

Chethan
NSE 4
sw2090
Honored Contributor

Hm, what is in the address objects (VLAN 100 address, VLAN 200 address)? To reach the whole subnet it has to be a subnet or IP range.

Also, do PC1 and PC2 have a static route to the "opposite" VLAN with the FGT as gateway? Or do they have the FGT as default gw? If neither is the case, the traffic from client to client in the other VLAN will never hit the FGT, hence it would take the wrong route.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
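
A reference configuration for the router-on-a-stick setup described in the original post, covering the two points raised in the reply above (address objects must be whole subnets, and the PCs must use the FGT as their gateway), followed by the diagnostics a practitioner would run when the sniffer shows a packet arriving on the VLAN 100 interface but never leaving the VLAN 200 interface. This is an added example and is not configuration from the thread or from Fortinet. It assumes the trunk lands on port2, VLAN interface names vlan100 and vlan200, the VDOM root, the gateway addresses 10.0.100.254 and 10.0.200.254 used in seshuganesh's ping test, and PC2 at 10.0.200.10 from the same test; the policy IDs and address-object names are made up. The `#` lines are explanatory comments for the reader, not FortiOS CLI input.

```text
# --- VLAN sub-interfaces on the trunk port (router-on-a-stick) ---
# port2 is the assumed trunk towards the switch; the VDOM is assumed to be root.
config system interface
    edit "vlan100"
        set vdom "root"
        set ip 10.0.100.254 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 100
    next
    edit "vlan200"
        set vdom "root"
        set ip 10.0.200.254 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 200
    next
end

# --- Address objects: whole subnets, not single host addresses ---
config firewall address
    edit "VLAN100_NET"
        set subnet 10.0.100.0 255.255.255.0
    next
    edit "VLAN200_NET"
        set subnet 10.0.200.0 255.255.255.0
    next
end

# --- One policy per direction; no NAT between two internal segments ---
config firewall policy
    edit 1
        set name "vlan100-to-vlan200"
        set srcintf "vlan100"
        set dstintf "vlan200"
        set srcaddr "VLAN100_NET"
        set dstaddr "VLAN200_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 2
        set name "vlan200-to-vlan100"
        set srcintf "vlan200"
        set dstintf "vlan100"
        set srcaddr "VLAN200_NET"
        set dstaddr "VLAN100_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# --- Diagnostics for a PC1 -> PC2 ping (PC2 assumed at 10.0.200.10) ---
# Verbose level 4 prints the interface and the in/out direction per packet,
# which is what shows "in on vlan100" without a matching "out on vlan200".
diagnose sniffer packet any 'host 10.0.200.10 and icmp' 4 0 l

# The flow trace prints, for the first 10 matching packets, which policy ID
# was matched or why the packet was dropped.
diagnose debug flow filter addr 10.0.200.10
diagnose debug flow filter proto 1
diagnose debug flow trace start 10
diagnose debug enable
# ... send the ping from PC1, read the trace output, then stop tracing:
diagnose debug disable
diagnose debug reset
```

Reading the flow trace narrows the fault to one of two places: a line naming policy 0 (the implicit deny) or a reverse path check failure points at the policy or routing configuration on the FGT, whereas a line naming policy 1 followed by no egress on vlan200 points at the physical path (trunk, VLAN tagging or the switch side), which is the distinction the later replies in this thread argue about.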
chethan

Hi,

Thank you for responding.

The address objects are subnets, not individual IP addresses.

chethan_1-1652347382369.png

chethan_0-1652347354427.png

Yes, the PCs are configured with the default gateway on each VLAN.

If it were not configured, the device in VLAN 100 would not be able to ping the VLAN 200 interface IP and vice versa.

PC1 output:

chethan_2-1652347693992.png

PC2 Output:

chethan_3-1652347718918.png

 
Chethan
NSE 4
seshuganesh

@chethan 

Ignore: no out packets in the sniffer, so this reply won't help.

Hi Chethan,

Can you get this output:

execute ping-options source 10.0.100.254

execute ping 10.0.200.10

execute ping-options reset

execute ping-options source 10.0.200.254

execute ping 10.0.200.10

Please get both of these outputs.

chethan

@seshuganesh I have attached the output to your original reply.

Thank you.

Chethan
NSE 4
chethan

Hey sw2090,

I have updated my original post. Kindly check!

Thank you

Chethan
NSE 4
sw2090
Honored Contributor

Hm, ok, so you can ping the FGT in VLAN 200 from PC1 in VLAN 100 and the FGT in VLAN 100 from PC2 in VLAN 200. So that means the routing on the PCs is good (if not, that wouldn't work) and traffic does hit the FGT with the correct VID.

Sounds more like some kind of isolation is enabled on the VLANs somewhere. I never had that on our FGT though. So maybe your L2 switch is causing this?

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams