jkchoa
New Contributor

Setting up vlan fortigate 60e

Hi, Can you please refer me a cookbook link, on setting up vlan for 2networks comprising of PCs and cctv ip cameras. The PCs are on 192.168.100.x and have currently gateway to the firewall for internet, while the ipcamera cctv are on different subnet 192.168.200.x, these devices needs to have routing or rather can see the other pc network and initially needs not to have internet. Really could use some examples, to get some knowledge and get started
ede_pfau
SuperUser

This is so simple you won't need a video on it :)

 

In order to have traffic across the firewall, the FGT needs to have one port in the VLAN. So, you create a new virtual port in System>Network>Interface, Create New, type: VLAN. It will be a sub-interface of the LAN port (or LAN switch, depending on your hardware).

I usually assign the address .1 of the VLAN's address space to the FGT port and use it as the gateway of this VLAN. That means that all devices on the VLAN will have the FGT's port address as the gateway of their default route.

 

Now, if you need to have VLAN traffic reach the WAN, create a policy from the VLAN interface to the WAN port.

Same for VLAN to LAN, or VLAN to WiFi or whatever.

 

I've seen setups where the physical LAN port was not used at all - no IP assigned. All traffic coming to and from the LAN port was VLAN traffic. If you use a lot of VLANs it might be better to create an aggregated port first (LACP), and then create VLAN ports associated with it. This will help to provide more bandwidth.

 

Note that usually you connect the FGT LAN port to a switch. All VLANs which you intend to route/rule through the FGT need to be tagged VLANs, and the connection itself needs to be a VLAN trunk, not an access port. But if you're working with VLANs you will know that anyway.

 

As with all ports (physical, SSIDs, VLANs, VPNs), network addresses must be unique for each port. You do not need to create routes for port LANs, this is done automatically.

Ede Kernel panic: Aiee, killing interrupt handler!
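The VLAN sub-interface, address objects and inter-VLAN policies that the post above describes, written out as FortiOS CLI. This is an added example, not code from the original post; it assumes the 60E's LAN hardware switch is named "internal", the WAN port is "wan1", VLAN ID 10 is used for the cameras, and the FGT takes .1 of 192.168.200.0/24 as the VLAN gateway.

```fortios
# Added example: VLAN sub-interface on the LAN switch port, FGT as gateway.
# Assumptions: parent port "internal", VLAN ID 10, gateway 192.168.200.1.
config system interface
    edit "cctv_vlan"
        set vdom "root"
        set ip 192.168.200.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "internal"
        set vlanid 10
    next
end
config firewall address
    edit "net_pcs"
        set subnet 192.168.100.0 255.255.255.0
    next
    edit "net_cctv"
        set subnet 192.168.200.0 255.255.255.0
    next
end
# One policy per direction that must be initiated. With no policy from
# cctv_vlan to wan1, the implicit deny keeps the cameras off the internet.
config firewall policy
    edit 0
        set name "pcs_to_cctv"
        set srcintf "internal"
        set dstintf "cctv_vlan"
        set srcaddr "net_pcs"
        set dstaddr "net_cctv"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "cctv_to_pcs"
        set srcintf "cctv_vlan"
        set dstintf "internal"
        set srcaddr "net_cctv"
        set dstaddr "net_pcs"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
# Checks: the connected route for 192.168.200.0/24 is created automatically;
# tagged frames arriving from the switch trunk show up on the sub-interface.
get router info routing-table connected
diagnose sniffer packet cctv_vlan 'icmp' 4
```

If the sniffer shows nothing while a host on the VLAN pings 192.168.200.1, the frames are arriving untagged or not at all, which points at the switch-side trunk rather than the FortiGate.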
jkchoa

Hi again, thanks for the above response. I tried following your procedure on setting up the VLAN as a sub-interface and the policy (I'll try to upload the screenshots). However, upon testing a laptop with IP 192.168.200.11, it cannot see the new VLAN gateway. What am I missing or did wrong? Actually I am a newbie to VLANs. I tried to test it before on an HP V1910-16G switch but cannot seem to get it to work as expected from a guide I found (vmfocus); the guide was expecting that the VLAN should route naturally, but in actual fact the new interface cannot be pinged.
jkchoa

Sending screenshots...
mahesh_secure

Hi,

What about the switch side configuration? You have to create the data and CCTV VLANs in the switch and make the uplink port to the FortiGate tagged / trunk.

 

Regards

Mahesh

jkchoa

Mahesh, on the switch side there is no VLAN configured yet; all VLANs are configured on the FGT.
mahesh_secure

Hi,

 

You have to create the same VLAN in the switch with the same VLAN ID and make the port that is connected to the FortiGate a tagged port.

 

Example:

VLAN 2 - VoIP

VLAN 3 - Data

Switch port 24 is connected to the FortiGate port

Switch port 1 is connected to the PC

Switch port 2 is connected to the CCTV

Create the above VLANs in the switch

Set switch port 24 mode tagged and set allowed VLANs 2 and 3

Set switch port 1 mode as access / untagged and allow VLAN 3

Set switch port 2 mode as access / untagged and allow VLAN 2

 

 

Regards

Mahesh

 

 

ede_pfau

A VLAN is a "LAN on a LAN". As such, you need to create it on your switch(es) as well, just as @Mahesh posted.

 

BTW, disable FMG and CAPWAP access on all ports where you don't use it, e.g. the WAN ports. Unnecessary security hole.

Ede Kernel panic: Aiee, killing interrupt handler!
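The administrative-access tightening suggested in the post above, as an added FortiOS CLI example that is not from the original post. It assumes the WAN port is "wan1"; the "weak" block is a constructed before-state, not a configuration taken from the thread.

```fortios
# Added example. Assumption: WAN port is "wan1".
# Weak (constructed before-state): FortiManager (fgfm) and FortiAP (capwap)
# access answer on the internet-facing port although neither is used there.
config system interface
    edit "wan1"
        set allowaccess ping https ssh fgfm capwap
    next
end
# Corrected: allowaccess is replaced, not appended to, so list only the
# services that really need to be reachable on this port.
config system interface
    edit "wan1"
        set allowaccess ping
    next
end
# Check: confirm the resulting allowaccess line on every port facing untrusted networks.
show system interface wan1
```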
jkchoa

Hi Mahesh, I need some clarifications. Using the HP 1910-16G switch, I've set up VLAN ID 10 with interface IP 192.168.200.253. Then I selected ports 9 to 15 as untagged for VLAN 10. Next I made port 16 tagged for VLAN IDs 1 and 10, and connected this to the FortiGate 60E. To test I'll use a laptop with IP 192.168.200.12 and gateway 192.168.200.253 and connect it to port 9 on the HP 1910 switch. The problem with the HP 1910 is that the laptop cannot ping the gateway of VLAN 10. Only VLAN 1 is working; it can see the other VLAN interfaces or gateways. I tried posting on the HP forums but to no avail, even after updating the firmware. Sorry, this HP switch should not be under your scope, but maybe I'm hoping you can tell me what's wrong with my procedure. Regards...
mahesh_secure

Hi,

 

Please do the below setup:

1. Open CMD on the laptop and type arp -a (share the log)

2. In the FortiGate open the CLI and type get system arp (share the log)

3. Try connecting another laptop to the switch, set its IP address to 192.168.200.13 and try to ping 192.168.200.12

"I've set up VLAN ID 10 with interface IP 192.168.200.253" - where did you set this, in the FortiGate or the switch?

 

 

Regards

Mahesh
