Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
carlaranzaso
New Contributor

Created on ‎01-08-2025 03:54 AM Edited on ‎01-08-2025 03:55 AM

VIP for PLC and a Data collector that are in different VLANs

Hi,

 

I was wondering if someone can help me on this. I am very new to networking and would like to check if I can do IP address translation on a layer 2 device with address 192.168.199.2 on my VLAN2 going to VLAN 1 with subnet 10.156.116.0/22. My intended translated address is 10.156.119.2 for this layer 2 device and will be using a kepserver ex v6 device from the vlan 1. Hope someone can assist me. Thanks

Labels:
827
0 Kudos
1 Solution
saleha
Staff
Staff

Created on ‎01-10-2025 06:42 AM

Hi,

Technically according to the information about vlan1 the PLC device is on subnet 10.156.116.0/22 which means its gateway should be the vlan1 interface ip address. IF the PLC device truely have no gateway configured there is no way for it to know where to send packets. As far as the fortigate goes the configuration recommendations shared previously should offer NATing the source address 192.168.199.2/32 to be 10.156.119.2 before the traffic goes out to destination however that destination device need to have it is address and gateway setup otherwise that packet would never get reply. I recommend checking with the vendor of the PLC device what is the proper network setup and requirement. Remember also that you are using VLAN configuration here that means that device have to have a vlan setup as well as the switch that connects that subnet to the firewall.

 

Thank you,

saleha

View solution in original post

465
0 Kudos
12 REPLIES 12
dingjerry_FTNT
Staff
Staff
In response to carlaranzaso

Created on ‎01-09-2025 09:00 PM

Hi @carlaranzaso ,

 

If the PLC has no GW configured, I am not sure whether it can talk to other networks or not.

 

You have to run the following command on FGT to confirm:

 

diag sniffer packet any 'icmp and host 192.168.199.2' 4

 

Then run Ping to 10.156.116.1 on the PLC device. If you can see the Ping packets coming to FGT, it should be working for your case.  It doesn't matter if Ping does not work. We just want to see whether the Ping packets (ICMP Request) coming to FGT or not.

 

BTW, in your scenario, you have to use VIP, not IP pool.

Regards,

Jerry
191
0 Kudos
saleha
Staff
Staff

Created on ‎01-10-2025 06:42 AM

Hi,

Technically according to the information about vlan1 the PLC device is on subnet 10.156.116.0/22 which means its gateway should be the vlan1 interface ip address. IF the PLC device truely have no gateway configured there is no way for it to know where to send packets. As far as the fortigate goes the configuration recommendations shared previously should offer NATing the source address 192.168.199.2/32 to be 10.156.119.2 before the traffic goes out to destination however that destination device need to have it is address and gateway setup otherwise that packet would never get reply. I recommend checking with the vendor of the PLC device what is the proper network setup and requirement. Remember also that you are using VLAN configuration here that means that device have to have a vlan setup as well as the switch that connects that subnet to the firewall.

 

Thank you,

saleha

466
0 Kudos
carlaranzaso
New Contributor
In response to saleha

Created on ‎01-13-2025 05:10 PM

Thanks Saleha, i followed your recommendation and did NAT on the device with gateway configuration instead of the PLC and it worked.

124
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.