This is so simple you won't need a video on it :)
In order to have traffic across the firewall, the FGT needs to have one port in the VLAN. So, you create a new virtual port in System>Network>Interface, Create New, type: VLAN. It will be a sub-interface of the LAN port (or LAN switch, depending on your hardware).
I usually assign the address .1 of the VLAN's address space to the FGT port and use it as the gateway of this VLAN. That means that all devices on the VLAN will have the FGT's port address as the gateway of their default route.
Now, if you need to have VLAN traffic reach the WAN, create a policy from the VLAN interface to the WAN port.
Same for VLAN to LAN, or VLAN to WiFi or whatever.
I've seen setups where the physical LAN port was not used at all - no IP assigned. All traffic coming to and from the LAN port was VLAN traffic. If you use a lot of VLANs it might be better to create an aggregated port first (LACP), and then create VLAN ports associated with it. This will help to provide more bandwidth.
Note that usually you connect the FGT LAN port to a switch. All VLANs which you intend to route/rule through the FGT need to be tagged VLANs, and the connection itself needs to be a VLAN trunk, not an access port. But if you're working with VLANs you will know that anyway.
As with all ports (physical, SSIDs, VLANs, VPNs), network addresses must be unique for each port. You do not need to create routes for port LANs, this is done automatically.
Hi
What about the switch-side configuration? You have to create the data and CCTV VLANs in the switch and make the uplink port to the FortiGate tagged/trunk.
Regards
Mahesh
Hi,
You have to create the same VLAN in the switch with the same VLAN ID and make the port that is connected to the FortiGate a tagged port.
Example:
VLAN 2 - VoIP
VLAN 3 - Data
Switch port 24 is connected to the FortiGate port
Switch port 1 is connected to a PC
Switch port 2 is connected to CCTV
Create the above VLANs in the switch
Set switch port 24 mode to tagged and set allowed VLANs 2 and 3
Set switch port 1 mode to access/untagged and allow VLAN 3
Set switch port 2 mode to access/untagged and allow VLAN 2
Regards
Mahesh
A VLAN is a "LAN on a LAN". As such, you need to create it on your switch(es) as well, just as @Mahesh posted.
BTW, disable FMG and CAPWAP access on all ports where you don't use it, e.g. the WAN ports. Unnecessary security hole.
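A FortiOS CLI rendering of the steps from the first post and the note above (VLAN sub-interface with the .1 gateway address, the VLAN-to-WAN policy, and a WAN port with FMG/CAPWAP access left out), added here as an example and not configuration taken from the thread; VLAN 10, 192.168.200.0/24, the port names "internal" and "wan1" and the policy name are assumed values.

```fortios
# Constructed example: VLAN 10 on 192.168.200.0/24 behind parent port
# "internal"; WAN port "wan1". Names and IDs are assumptions.
config system interface
    edit "vlan10"
        set vdom "root"
        # parent (trunk) port towards the switch; vlanid must match
        # the tagged VLAN configured on the switch uplink
        set interface "internal"
        set vlanid 10
        # .1 of the VLAN subnet becomes the default gateway of the VLAN
        set ip 192.168.200.1 255.255.255.0
        # only ping on a user VLAN: no HTTPS/SSH management from clients
        set allowaccess ping
        set role lan
    next
    edit "wan1"
        # fgfm (FortiManager) and capwap are deliberately absent here
        set allowaccess ping
    next
end

config firewall policy
    # edit 0 takes the next free policy ID
    edit 0
        set name "vlan10-to-internet"
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # source NAT behind the WAN address
        set nat enable
    next
end
```

No static route is needed for 192.168.200.0/24: the connected route appears automatically once the VLAN interface has its address.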
Hi,
Please do the setup below:
1. Open CMD on the laptop and type arp -a (share the log)
2. In the FortiGate, open the CLI and type get system arp (share the log)
3. Try connecting another laptop to the switch, set its IP address to 192.168.200.13, and try to ping 192.168.200.12
"I've setup vlan id 10 with interface ip 192.168.200.253" - where did you set this, in the FortiGate or in the switch?
Regards
Mahesh
Copyright 2024 Fortinet, Inc. All Rights Reserved.