Hi,
This is my first experience working with VLAN config. on Fortigate Firewall. I am using FGR-60F (FortiOS 6.4.6) Firewall and unable to get it working with VLANs. I have attached high level network architecture where are creating VLANs based on protocols. I created VLANs and rules but firewall is not forwarding the packets. As per manual, same VLAN Tags can be used for both internal and external traffic so I kept some of VLAN same but changed their Aliases and Names but I noticed that FortiOS was not allowing me to assign same subnet on different vlans (required for internal and external network), so I kept 0.0.0.0/32
VLANs created on Firewall:
MGMT_Internal => VLAN 10 assigned on P3 0.0.0.0/32
MGMT_External => VLAN 10 assigned on P1 0.0.0.0/32
DATA_Internal => VLAN 20 assigned on P3 0.0.0.0/32
DATA-A_External => VLAN 20 assigned on P1 0.0.0.0/32
DATA-B External => VLAN 30 assigned on P2 0.0.0.0/32
P4 for PC5, No VLAN, It acts as a DMZ and act as agent between P3 and P5.
P5 for PC6 and SVR2 and requires routing.
Kindly suggests if I need to create Static Routing for the same. I tried it with only one rule but it did not work.
#FortiGate #FGR-60F
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello.
Yes, you can use same vlans on different Interfaces, if you really need. I am not a fan of it, unless you want to connect together port1 and port3 (vlans 10,20) so they will work together as one network, because VLANs gives you enough space for vlans. But nevermind.
Even though you can use same vlans, addressing should be different, except again, if you want to put together Vlan10 and Vlan20, so it will be serving both SVR1 and PC1-4. You can enable this setting:
config system setting
set allow-subnet-overlap enable
end
This will allow you to configure same subnet on multiple interfaces. But I would not recommend it.
In general, vlans are pretty easy. Same principle as router-on-stick.Switch-port connected to FortiGate needs to be trunk with allowed vlans. And your vlans needs to have IP addresses (on FortiGate) and then clients use that IP as default gateway as FortiGate will be now doing inter-vlan routing.
Start simple, create one vlan, with IP address, configure DHCP on that Vlan interface, connect PC, check connectivity. Then create second Vlan, do the same and start creating firewall policies to allow inter-vlan communication.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.