Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BKR
New Contributor II

Issue with VLANs created on Fortigate firewall can't communicate with subnets on switch

First my environment is on Huawei cloud, I have fortigate FW connected to VPC1, and VPC2 connected VPC1.

VPC's subnets:
VPC1: 10.0.0.0/16
VPC2: 10.1.0.0/16

I have created VLANs on the firewall that match each subnet on VPC2. For example, I have a server connected to VPC2 with IP address 10.1.1.100, so in the firewall, under my LAN interface, I created a VLAN interface with subnet 10.1.1.0/24.

Static routes have been created on Huawei from VPC1 to VPC2, and vice versa.
Static routes have been created on the firewall to communicate with VPC2 through VPC1.

With my current configuration:

  • I have access to the server connected to VPC1 through VPN, but not to the VPC2 server (note that I only have access to VPC2 servers via the VPC1 server).

  • I can't ping servers on VPC2 from the firewall.

  • I can access FW from VPC1 and VPC2.

  • Both VPCs have access to the internet (traffic passes through the firewall).

[Attached screenshot: Screenshot 2024-10-10 005337.png]

What do I need to let the VLANs communicate with the subnets on the switch?

BKR
1 Solution
AEK
SuperUser

If there is a router between the FGT and VPC2 10.1.0.0/16, then why did you create a VLAN on the FGT with subnet 10.1.0.0/16? In such a case the FGT will not use the router to reach your VPC2, because for the FGT the subnet is directly connected.

AEK

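The routing behaviour AEK describes above, as an added example (not code from the thread or from FortiOS): a small Python model of how a router picks a route by longest prefix match and then by administrative distance, run against the subnets from the question. The interface names port2 and vlan10 and the VPC1 next hop 10.0.0.1 are assumptions.

```python
# Added example (not from the forum post): model of FortiGate-style route selection
# showing why a VLAN interface carrying the VPC2 subnet hides the static route that
# should send VPC2 traffic to the Huawei router. Interface names and the VPC1
# gateway 10.0.0.1 are assumptions; the subnets come from the thread.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    kind: str                 # "connected" or "static"
    device: str
    gateway: Optional[str]    # None for connected routes: the host ARPs locally

# Administrative distances as FortiOS assigns them: connected 0, static 10.
DISTANCE = {"connected": 0, "static": 10}

def best_route(rib, dst):
    """Longest prefix wins; on equal prefix length the lower distance wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in rib if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -DISTANCE[r.kind]))

def resolve_next_hop(rib, dst):
    """Return (egress device, next hop); 'arp-local' means ARP on the segment."""
    r = best_route(rib, dst)
    return None if r is None else (r.device, r.gateway or "arp-local")

CONNECTED_VPC1 = Route(ipaddress.IPv4Network("10.0.0.0/16"), "connected", "port2", None)
STATIC_TO_VPC2 = Route(ipaddress.IPv4Network("10.1.0.0/16"), "static", "port2", "10.0.0.1")

# Poster's setup: VLAN on the LAN side with the VPC2 server subnet 10.1.1.0/24.
# The /24 is more specific than the /16 static route, so it always wins.
RIB_BEFORE_24 = [CONNECTED_VPC1, STATIC_TO_VPC2,
                 Route(ipaddress.IPv4Network("10.1.1.0/24"), "connected", "vlan10", None)]
# AEK's reading: VLAN with the whole 10.1.0.0/16. Same length as the static
# route, so the connected route wins on administrative distance (0 < 10).
RIB_BEFORE_16 = [CONNECTED_VPC1, STATIC_TO_VPC2,
                 Route(ipaddress.IPv4Network("10.1.0.0/16"), "connected", "vlan10", None)]
# After removing the VLAN interface: the static route via VPC1 is used.
RIB_AFTER = [CONNECTED_VPC1, STATIC_TO_VPC2]

if __name__ == "__main__":
    for name, rib in (("vlan /24", RIB_BEFORE_24), ("vlan /16", RIB_BEFORE_16), ("fixed", RIB_AFTER)):
        print(name, resolve_next_hop(rib, "10.1.1.100"))
```

In both "before" cases the FGT ARPs for 10.1.1.100 on the VLAN segment, where no such host exists, which matches the failed pings in the question.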
3 REPLIES
BKR
New Contributor II

Yes, you are absolutely right! I fixed it.

BKR
ebilcari
Staff

I think you need to create a better network diagram (physical or logical) and specify whether the subnets are reached through routing (next hops) or whether the VLANs (L2 broadcast networks) can be spanned across the VPC as they are on a physical switch. How does the link between the VPCs and FGT-VPC1 work: is it a point-to-point routed interface, or something like a trunk with multiple tagged VLANs?

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.