Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
santunez_cl
New Contributor

LACP VLAN

Hello Guys

 

I am starting to study FortiGate and I have simulated some labs in GNS3 with good results, but now I am trying the following configuration:

  • 1 FW
  • 2 core switches connected by LACP to the FW. The core switches are in L3.
  • 1 ToR switch
  • 1 PC connected to the ToR on VLAN 101

From the core I get a response from the IP 192.168.0.17 of VLAN 117 and vice versa.

From the PC the IP 192.168.0.17 of the FW responds, so I added the segment 10.214.1.0/24 (gateway 192.168.0.18) as a static route in the FW.

My problem is that the PC does not have Internet access. The FW only has VLAN 117 because I want to test whether it is possible to reach the Internet with this configuration; in another lab I had no problems when I created the VLAN and DHCP on the Fortinet, and clients reached the Internet without errors, but in this case I have not been able to achieve it.

I have tried creating the segment 10.214.1.0/24 in FortiGate and created a policy that lets everything that comes from VLAN 117 go out, and I still have the same problem of not being able to access the WAN from the LAN.

 

[Image: LAB Fortigate.png]

 

Thanks for your comment

naibaho
New Contributor III

Hi santunez_cl

Is your VLAN 117 attached to the aggregate interface?

If not, first you have to attach VLAN 117 to the aggregate interface.

Then you can create a policy from the VLAN 117 interface to the Internet interface, adding 10.214.1.0/24 as source.

Best regards
santunez_cl
New Contributor

Hello

 

Thanks for your comment

 

The VLAN is attached to the aggregate.

Now I created an address object called VLAN 101 and added the segment with interface vlan117.

Create a policy:

Incoming - VLAN 117

Outgoing - Port1 (port to Internet)

Source - AddressVLAN101

Destination: All

Schedule: Always

Service: All

NAT: Enable

But the issue persists :(

 

Thanks

Toshi_Esumi
Esteemed Contributor II

Before messing up your config, you need to isolate where the problem lies.

First I would run sniffing on the "any" interface with verbosity level "4" and start sending ping packets to a specific Internet IP, like 1.1.1.1, 8.8.8.8, etc., which you should set as the filter in the sniffer.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313

If you see it coming in on VLAN117 but not going out Port1, that's when to switch the debug method to "flow debugging":
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/54688/debugging-the-packet-flow

 

Toshi

 

santunez_cl
New Contributor

Hello

 

This is the message when running:

diagnose sniffer packet any "host 10.214.1.10 and icmp" 4

 

170.353201 lacp-core out 192.168.0.17 -> 10.214.1.10: icmp: net 8.8.8.8 unreachable
170.353202 port7 out 192.168.0.17 -> 10.214.161.10: icmp: net 8.8.8.8 unreachable
171.353106 vlan117 in 10.214.161.10 -> 8.8.8.8: icmp: echo request
171.353203 vlan117 out 192.168.0.17 -> 10.214.1.10: icmp: net 8.8.8.8 unreachable

 

Port7 is the FortiGate port connected to switch LACP port 21.

 

Thanks


Sebastian

Toshi_Esumi
Esteemed Contributor II

You need to run:
diag sniffer packet any 'host 8.8.8.8 and icmp' 4

instead. Otherwise, the source IP 10.214.1.10 is SNATed before hitting port1, so you can't see whether it hit port1 or not.

But these "unreachable" messages mean the FGT can't reach 8.8.8.8, and either the destination, which is unlikely, or something in between is returning "ICMP unreachable" packets back to the FGT. When you adjust the sniffing filter, you can see what (IP) is returning the messages.

[edit]

Actually it's right there: 192.168.0.17, which is the FGT returning them. Does the default route exist on the FGT? When you run flow debugging you can see the reason.

 

Toshi
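The reasoning in the last two posts (read the interface, the direction and the source address of each sniffer line, and notice that the "net unreachable" replies are sourced by the FortiGate's own address rather than by an upstream hop) can be mechanised. The following is an added example, not code from the thread or from Fortinet: a small Python parser for verbosity-4 `diagnose sniffer packet` lines that classifies a capture into "the FortiGate itself answered with unreachable before forwarding" (a route lookup failure, typically a missing default route), "an upstream device returned unreachable", or "packets arrived but nothing left and no error was generated" (look at policy/flow debug). The sample input is Sebastian's four lines reproduced as posted; the FortiGate address 192.168.0.17 and the WAN port name port1 come from the thread, and the verdict labels are this example's own.

```python
import re

# Constructed sample input: the four lines posted above from
# `diagnose sniffer packet any "host 10.214.1.10 and icmp" 4`, reproduced verbatim.
SAMPLE_CAPTURE = """\
170.353201 lacp-core out 192.168.0.17 -> 10.214.1.10: icmp: net 8.8.8.8 unreachable
170.353202 port7 out 192.168.0.17 -> 10.214.161.10: icmp: net 8.8.8.8 unreachable
171.353106 vlan117 in 10.214.161.10 -> 8.8.8.8: icmp: echo request
171.353203 vlan117 out 192.168.0.17 -> 10.214.1.10: icmp: net 8.8.8.8 unreachable
"""

# One verbosity-4 line: <timestamp> <interface> <in|out> <src> -> <dst>: icmp: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<direction>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\d+(?:\.\d+){3}): icmp: (?P<msg>.+)$"
)
# ICMP destination-unreachable text as the sniffer prints it
UNREACH_RE = re.compile(r"^(?P<kind>net|host|port|proto) (?P<target>\d+(?:\.\d+){3}) unreachable$")


def parse_sniffer(text):
    """Turn sniffer output into a list of dicts; lines that do not match are ignored."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = float(rec["ts"])
        u = UNREACH_RE.match(rec["msg"])
        rec["unreach_kind"] = u.group("kind") if u else None
        rec["unreach_target"] = u.group("target") if u else None
        records.append(rec)
    return records


def diagnose(records, fgt_ips, wan_iface):
    """
    Classify what the capture shows. fgt_ips are the FortiGate's own interface
    addresses (here 192.168.0.17 on vlan117), wan_iface the Internet-facing port.
    """
    echo_in = [r for r in records if r["direction"] == "in" and r["msg"] == "echo request"]
    echo_out_wan = [r for r in records
                    if r["direction"] == "out" and r["iface"] == wan_iface
                    and r["msg"] == "echo request"]
    unreach = [r for r in records if r["unreach_kind"]]
    from_fgt = [r for r in unreach if r["src"] in fgt_ips]
    from_other = [r for r in unreach if r["src"] not in fgt_ips]

    result = {
        "echo_requests_in": len(echo_in),
        "echo_forwarded_to_wan": bool(echo_out_wan),
        "unreachable_from_fgt": len(from_fgt),
        "unreachable_from_other": sorted({r["src"] for r in from_other}),
        "unreachable_targets": sorted({r["unreach_target"] for r in unreach}),
    }
    if from_fgt and not echo_out_wan:
        # The firewall answered with its own address and forwarded nothing:
        # the route lookup for the target failed (check the default route).
        result["verdict"] = "fgt_no_route"
    elif from_other:
        # A hop beyond the firewall is rejecting the traffic.
        result["verdict"] = "upstream_unreachable"
    elif echo_in and not echo_out_wan:
        # Packets arrive but neither leave nor trigger an error: policy/flow debug next.
        result["verdict"] = "dropped_in_fgt"
    else:
        result["verdict"] = "forwarded"
    return result


if __name__ == "__main__":
    recs = parse_sniffer(SAMPLE_CAPTURE)
    print(diagnose(recs, fgt_ips={"192.168.0.17"}, wan_iface="port1"))
```

On the posted capture this returns the verdict `fgt_no_route`: all three unreachable lines carry 192.168.0.17 as source, and no echo request is ever seen leaving port1. Note that `echo_forwarded_to_wan` only becomes meaningful when the capture filter matches the destination (`host 8.8.8.8`) rather than the client, for exactly the SNAT reason Toshi gives: after source NAT the client address no longer appears on port1.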