I am unable to get communications to work properly between interfaces. Here's the setup. I purchased the Fortigate 200D and two Adtran PoE switches as part of a system upgrade to support new VoIP phones. On the Fortigate, I have three interfaces (really four, but one has nothing to do with this problem). The first interface is WAN1 to the internet. The second is a single port configured independently to connect to the Mitel PBX, which I'll call Voice. The third is a hardware switch interface that takes up the remaining ports, called Switch. Switch is addressed at 192.168.2.1, Voice is addressed at 192.168.10.1. The Mitel PBX itself is connected to a simple non-managed switch provided by the phone company, then to the Fortigate. The PBX is addressed at 192.168.10.2. On that unmanaged switch I have a computer addressed at 192.168.10.6, called the voice computer. Off each Adtran I have phone-computer connections, Adtran to phone, phone to computer, the phones acting as switches internally. Each Adtran is configured to carry 192.168.2.x and 192.168.10.x traffic on the ports. The connection to the Fortigate is through a trunk port. The PBX does NOT tag packets, so I have not configured a VLAN on the Voice port. There is no VLAN configured on the Switch interface. There are no VLAN subinterfaces configured on the Fortigate.
Here's what happens. If I connect the voice switch to an Adtran port, all the phones on both Adtran switches will see the PBX and configure and operate. However, nothing connected to the voice switch can see the internet. Using the voice computer, I can access the PBX as expected, but cannot access the internet. Accessing the internet is important for remote support of the phone system. If I connect the voice switch to the Voice interface on the Fortinet, the voice computer can access the internet, but none of the phones can see the PBX, and they remain offline.
I have checked the route table and see a route for each of the interfaces. I have policies in place to pass all traffic from each interface to every other, in both directions. Data passes properly between computers on the Switch interface and computers on both Adtran switches, and all computers can see the internet. Computers on the Voice interface can see the internet. Computers on the Voice interface cannot pass packets to the Switch interface belonging to 192.168.10.x. When I capture packets on the switch interface, I can see packets from the voice computer when I ping 192.168.10.10 (one of the phones). When I capture packets on the switch interface, those packets do not appear. The voice computer used to be part of the AD, and that configuration hasn't been removed yet, so I can see packets from the voice computer on the Switch interface in the 192.168.2.x address range looking for AD. Packets from 192.168.2.x pass to the Switch interface; packets from 192.168.10.x do not. All packets, regardless of source, pass to WAN1. Again, I have policies to pass all packets between Voice and Switch in both directions.
I'm stumped. I can either have phones with no internet for voice, or internet for voice with no phones. I need both! The only thing I can see is that packets from the Adtran switches are tagged, and packets from the voice switch are not. Plugging the PBX into an Adtran tags the voice packets; plugging the PBX into the Fortigate does not tag the packets. But not passing untagged packets doesn't make sense, since that would mean that creating two interfaces, one each for two computers, would not allow packets to pass between the two computers, unless each computer was connected to the Fortigate through a managed switch that could tag the packets. That can't be right?
Help!
You neglected to mention what policies you have in place to permit traffic between interfaces. (or the version of firmware for that matter...)
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Here is a snapshot of the two policies involved in PBX to Switch. Due to size limitations of the attachment these are all I could fit, but the WAN policies are standard and seem to work for all other interfaces. These policies aren't fully developed as they have been created to try and get communications to work. Parts of the policies such as VoIP etc haven't been reviewed and will probably need updating once I have policies I am sure of.
The OS is 5.2.4 Build 688.
Here is a snapshot of the interface list and the policy list. Ignore all the extra interfaces and policies, most are remnants of testing and aren't in use. Cleanup follows after fixing the problem.
Sorry - forgot to attach the image. It's a little fuzzy because I had to downgrade the quality to get under the file size limit.
Most phone installs I deal with have the phones tagged and the PCs that plug into the back are untagged. If this is the way your system is to operate, then you need to create those VLANs on the switch segment accordingly and create the necessary policies to match.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
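As an added illustration of the advice above (this is example configuration written for this page, not something posted in the thread), here is what "create those VLANs on the switch segment and the policies to match" looks like in FortiOS 5.2 CLI, together with the diagnostics that show which interface the FortiGate actually receives a voice-subnet packet on and how it routes it. It assumes the Adtran trunk carries the voice subnet tagged as VLAN 10 (the VLAN ID is an assumption; match it to the Adtran configuration), that the PBX's unmanaged switch is moved onto an untagged VLAN 10 access port on an Adtran so the PBX, the voice computer and the phones share one L2 domain, and that the separate "Voice" port is re-addressed or left unconfigured. That last point is the caveat a practitioner will hit: FortiOS refuses an interface address whose subnet overlaps another interface in the same VDOM (it rejects the edit unless `allow-subnet-overlap` is enabled under `config system settings`), and even with overlap allowed, the connected route for 192.168.10.0/24 can only point at one interface, which is why a 192.168.10.x host behind the Voice port can never be routed to a 192.168.10.x phone behind Switch. Lines beginning with `#` are annotations; strip them before pasting.

```fortios
# 1. Tagged voice VLAN on top of the hardware switch interface.
#    "Switch" and 192.168.10.1/24 are the names and address from the post;
#    VLAN ID 10 and the interface name "voice_vlan" are assumptions.
config system interface
    edit "voice_vlan"
        set vdom "root"
        set interface "Switch"
        set vlanid 10
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
        set alias "Voice VLAN"
    next
end

# 2. Policies. "edit 0" lets FortiOS assign the next free policy ID.
#    Voice VLAN to the internet (remote PBX support), with source NAT.
config firewall policy
    edit 0
        set srcintf "voice_vlan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set comments "Voice VLAN to Internet"
    next
    # Data subnet <-> voice subnet, both directions (tighten service later).
    edit 0
        set srcintf "Switch"
        set dstintf "voice_vlan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Data to Voice VLAN"
    next
    edit 0
        set srcintf "voice_vlan"
        set dstintf "Switch"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Voice VLAN to Data"
    next
end

# 3. Verification. Verbosity 4 prints the interface each packet is seen on,
#    so a ping from the voice computer to phone 192.168.10.10 should now show
#    both request and reply on voice_vlan rather than on Voice or Switch.
diagnose sniffer packet any "host 192.168.10.10 and icmp" 4 10

# The flow trace prints the route lookup and the policy ID that matched
# (or "no matching policy"), which is the quickest way to see why a packet
# that arrives on one interface never leaves on the one you expected.
diagnose debug flow filter addr 192.168.10.10
diagnose debug flow show console enable
diagnose debug flow trace start 20
diagnose debug enable
# ... run the ping from the voice computer, read the trace, then:
diagnose debug disable
diagnose debug reset
```

Two things to check against the post's own symptoms once this is in place: the phones come up because the PBX and the phones are in the same tagged VLAN end to end, and the voice computer reaches the internet because its traffic now enters the FortiGate on `voice_vlan`, where a policy to `wan1` exists. If the PBX must stay on its own FortiGate port instead, that port needs a subnet other than 192.168.10.0/24, and the phones would then reach it through a routed policy rather than by sharing its L2 segment.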