Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Problem working with VLAN on Fortigate Firewall

This is my first experience working with VLAN config. on Fortigate Firewall. I am using FGR-60F (FortiOS 6.4.6) Firewall and unable to get it working with VLANs. I have attached high level network architecture where are creating VLANs based on protocols. I created VLANs and rules but firewall is not forwarding the packets. As per manual, same VLAN Tags can be used for both internal and external traffic so I kept some of VLAN same but changed their Aliases and Names but I noticed that FortiOS was not allowing me to assign same subnet on different vlans (required for internal and external network), so I kept 

VLANs created on Firewall:

MGMT_Internal => VLAN 10 assigned on P3 

MGMT_External => VLAN 10 assigned on P1 

DATA_Internal => VLAN 20 assigned on P3 

DATA-A_External => VLAN 20 assigned on P1 

DATA-B External => VLAN 30 assigned on P2 

P4 for PC5, No VLAN, It acts as a DMZ and act as agent between P3 and P5.

P5 for PC6 and SVR2 and requires routing.

Kindly suggests if I need to create Static Routing for the same. I tried it with only one rule but it did not work.

Network_Architecture.drawio (1).png

#FortiGate #FGR-60F



Yes, you can use same vlans on different Interfaces, if you really need. I am not a fan of it, unless you want to connect together port1 and port3 (vlans 10,20) so they will work together as one network, because VLANs gives you enough space for vlans. But nevermind.


Even though you can use same vlans, addressing should be different, except again, if you want to put together Vlan10 and Vlan20, so it will be serving both SVR1 and PC1-4. You can enable this setting:

config system setting
set allow-subnet-overlap enable

This will allow you to configure same subnet on multiple interfaces. But I would not recommend it.


In general, vlans are pretty easy. Same principle as router-on-stick.Switch-port connected to FortiGate needs to be trunk with allowed vlans. And your vlans needs to have IP addresses (on FortiGate) and then clients use that IP as default gateway as FortiGate will be now doing inter-vlan routing.


Start simple, create one vlan, with IP address, configure DHCP on that Vlan interface, connect PC, check connectivity. Then create second Vlan, do the same and start creating firewall policies to allow inter-vlan communication.


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors