Hello, I have a Fortigate 100F model 7.2.4 build firewall with two VDSL internet lines that we used with Bridge mode before. Now we use fiber internet with a DMZ connection. Without changing the Virtual Wan Link setting of the device, we made adjustments only on Wan 1, enabled it to exit via DMZ, and deleted the Wan 2 connection. There is no problem with our internet connection, but communication cannot be established between other networks such as the vlan switch lan we created in the interface and the network we actively use, even though we wrote the rules. When we assign a manual IP, we can access the network. Do you want to reset the device or do you know a solution? I tried Asymmetric Route but it didn't work. And in external connections, it cannot access the network without being connected to the network via VPN, RDP, SQL etc. ports. Modem DMZ and firewall settings are correct.
It would be helpful if you draw a schema of the current network and the communication that is failing. As I understood, users in LAN are not reaching the servers in DMZ and the port forwarding/VIP to the servers are not working. Reset the devices will not help in this case, it may be something in the configuration.
Hi @MERCANTEKNIK,
If I understand correctly, VLAN 10.41.41.0 can't access LAN 192.168.1.0 network?
You mentioned that when you assign a manual IP, you can access the network. So it doesn't work with DHCP?
Regards,
Hi Dhcp server all lan open.
How is the uplink port of the Mikrotik switch configured, is it a trunk ( allowing tagged traffic)? Did you configure separate VLAN interfaces for subnet 10.41.41.0 and 192.168.1.0 in FGT?
Since I couldn't solve it with vlan, I tried it with switch lan but it still doesn't work. There is no communication between the two networks. In fact, nothing can be connected from the external network to the internal network without a VPN connection. There may be a problem with the DMZ settings of the fiber modem. But vlan for VPN works. As I said, I activated asymmetric rout and it still didn't work, then I turned it off again. I upgraded to version 7.2.6 and rolled it back to 7.2.4. It didn't happen again.
The software switch with a single interface is not serving any purpose, just use directly port 18 if needed. Currently if you connect something on port 18 it will accept only untagged traffic.
Does the Mikrotik switch supports VLAN tagging? How ,many switches are in this setup and in which port do they connect in FGT?
With your current LAN configuration you are using native/untagged VLAN for the subnet 192.168.1.0 and tagged traffic with ID 30 for the subnet 10.31.31.0.
If the hosts of these subnets are reaching their GW but not each other than you need to create a firewall policy allowing traffic between this interfaces lan - VLAN30 like for ex.:
Regarding the external network to internal network access, based on your schema most probably the public IP address resides in the modem, you have to configure port forwarding (in the modem) from internet to 192.168.2.2 and than create VIP in FGT to forward the request to the real servers 192.168.1.x.
Some rule should already exist in the modem that allows the VPN service in FGT to be accessible from outside.
I set that port for the security cameras and the recorder. Actually, when I connect the camera recorder to the 18th port, it should communicate with the other network and see the cameras at the same time. This is what I am trying to do.
So you have a single mikrotik switch for all the devices and want to connect only the NVR in port 18 of the FGT? You can not span the broadcast domain (VLAN) through the ports of FGT like you do with a normal switch unless this model supports hardware switch. I would suggest to regroup your available ports and also consider creating new subnets for host that don't require L2 communication if you are short on available ports in the physical mikrotik switch.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.