Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MrCrow
New Contributor

Created on ‎04-06-2022 09:50 AM

One port multiple vlans

Hello. I have a FortiGate 60F and I have a layer-2 switch attached to one of the ports. On that nameless L2 switch is my WiFi WAPs (just some old Aruba's we had laying around). I want to have a guest network on those WAP's, but also want to have normal connectivity like I currently have. I'm trying to fumble my way through, but I can't seem to figure out a way to allow multiple IP/VLANs on one port. The L2 switch is on Port3, and I have that as part of the internal VLAN Switch (default setup) as pictured.

 

Port3 > 8-port L2 switch > two Aruba WAPs with 2 VLANs (VLAN 0 and Guest VLAN)diag.JPGmain_int.JPG

Labels:
9781
0 Kudos
1 Solution
Toshi_Esumi
SuperUser
SuperUser

Created on ‎04-06-2022 10:47 AM Edited on ‎04-06-2022 10:50 AM

On the 60F, or any other FGT models, the parent interface like "internal" vlan switch/hard-switch interface, which includes port3/internal3, is non-tagged interface. On the switch it's probably equivalent to VLAN0. So 192.168.50.0/24 needs to be VLAN0 on the switch.

Then Guest VLAN n subinterface needs to be created on the internal interface, then you want to assign a GW IP in 192.168.60.0/24, like .1. Then the port3, as well as port1 and 2, carries both non-tagged/VLAN0 and VLANn traffic. You need to make the switch side port a trunk.

 

BTW, the VLAN switch you're seeing is new with 'F' series FGTs as well as a few 'E' models, which is enabled by default at least with 6.4 or later. But we had some discussion in a different thread about a month ago but nobody seems to know what exactly it does compared to the traditional "hard-switch". So just pretend you're seeing hard-switch interface in the GUI instead of Vlan switch. In CLI, it's configured in hard-switch configuration block under "config system virtual-switch" anyway. 

 

Toshi

View solution in original post

9773
4 REPLIES 4
Toshi_Esumi
SuperUser
SuperUser

Created on ‎04-06-2022 10:47 AM Edited on ‎04-06-2022 10:50 AM

On the 60F, or any other FGT models, the parent interface like "internal" vlan switch/hard-switch interface, which includes port3/internal3, is non-tagged interface. On the switch it's probably equivalent to VLAN0. So 192.168.50.0/24 needs to be VLAN0 on the switch.

Then Guest VLAN n subinterface needs to be created on the internal interface, then you want to assign a GW IP in 192.168.60.0/24, like .1. Then the port3, as well as port1 and 2, carries both non-tagged/VLAN0 and VLANn traffic. You need to make the switch side port a trunk.

 

BTW, the VLAN switch you're seeing is new with 'F' series FGTs as well as a few 'E' models, which is enabled by default at least with 6.4 or later. But we had some discussion in a different thread about a month ago but nobody seems to know what exactly it does compared to the traditional "hard-switch". So just pretend you're seeing hard-switch interface in the GUI instead of Vlan switch. In CLI, it's configured in hard-switch configuration block under "config system virtual-switch" anyway. 

 

Toshi

9774
MrCrow
New Contributor
In response to Toshi_Esumi

Created on ‎04-06-2022 11:03 AM

Thanks for the tips. I was able to connect my phone to the guest network and it got an IP address and was able to connect it to the guest VLAN (192.168.69.2 is the phones IP) but I can't get out to the internet.... I'm assuming because I don't have any firewall rules yet I think?guest.JPG

9722
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎04-06-2022 11:07 AM

Mostlikely. Each VLAN interface is treated as just another interface in the policies. So if you want to connect the Guest VLAN to the internet, you need to have Guest->wan1 or 2 policy with NAT enabled.

 

9720
0 Kudos
MrCrow
New Contributor
In response to Toshi_Esumi

Created on ‎04-06-2022 11:09 AM

Thanks for all your help! I got it to work! Part of it I think was that I had my Aruba WAP's configured wrong....

9718
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.