VLAN Routing to external gateway

rickarderiksson · ‎02-19-2025

Hi.

I have a Cisco switch configured with gateway IP at 10.24.111.65. The switch is connected to the fortigate through a trunk with VLAN 101 tagged. Im trying to do vlan-routing from my VLAN1 which is configured with gateway in the fortigate to VLAN101 with the Cisco Switch as gateway.

I have created VLAN101 in the fortigate without address.

Firewall policies from-to VLAN1-VLAN101.

Static route Destination 10.24.111.64/255.255.255.192, Gateway 10.24.111.65 and Interface VLAN101

I cannot ping the gateway or any devices on vlan 101 from vlan 1. (Reply from 192.168.80.254: Destination host unreachable.)

The devices on VLAN101 are showing up in the fortigate users & devices under VLAN101.

What am I doing wrong?

The cisco and all devices connected to that is supplied by a third-party supplier and I cannot do any configuration on that network.

Toshi_Esumi · ‎02-19-2025

Check the routing table now, then configure IP like 10.24.111.66/26 on VLAN101 interface then check the routing table again with "get router info routing-t all. You should be able ping the GW IP at that time.

Static routes (and any other routes provided via routing protocols) are providing instructions how to reach those destination subnets that are NOT on the router, in your case your FGT, by instructing it to send those packets to the GW IP, which has to be reachable.
This is the very basic of "routing" or router.

Toshi

View solution in original post

Toshi_Esumi · ‎02-19-2025

Why you decided not to configure IP on VLAN101 interface on the FGT? Just like any other routers, like Cisco, without the IP with a proper subnet mask, that GW subnet wouldn't be in the routing table so the GW is not reachable from the FGT. The static route as the result wouldn't show in the routing table either.

Check with "get router info routing-table all" to see the routing table.

Toshi

rickarderiksson · ‎02-19-2025

Hi,

Wouldn't that create a new gateway on that subnet?

Thanks,

Toshi_Esumi · ‎02-19-2025

Check the routing table now, then configure IP like 10.24.111.66/26 on VLAN101 interface then check the routing table again with "get router info routing-t all. You should be able ping the GW IP at that time.

Static routes (and any other routes provided via routing protocols) are providing instructions how to reach those destination subnets that are NOT on the router, in your case your FGT, by instructing it to send those packets to the GW IP, which has to be reachable.
This is the very basic of "routing" or router.

Toshi

rickarderiksson · ‎02-19-2025

Hi, i tried this. I got one successful ping after setting the IP to 10.24.111.66/26 on VLAN101:

Reply from 192.168.80.254: Destination host unreachable.
Reply from 192.168.80.254: Destination host unreachable.
Reply from 10.24.111.65: bytes=32 time=2006ms TTL=253
Request timed out.
Request timed out.

But it works to ping other devices on that subnet/vlan.

Thank you!

Toshi_Esumi · ‎02-19-2025

show us the result of traceroute (tracert for Windows, traceroute for Mac/Linux) first. Also the source IP of the machine you're pinging from.
Then output of "get router info routing-table" including the part for 192.168.80 and 10.24.111.

Toshi

rickarderiksson · ‎02-19-2025

Hi,

I just did as you said and removed the static routes and I think everything works as intended. Thank you,

dingjerry_FTNT · ‎02-19-2025

Hi @rickarderiksson ,

The VLAN ID 1 is reserved on FGT, so if you configure a VLAN interface with ID 1, it may not work.

Please try another VLAN ID.

Regards,

Jerry

VLAN Routing to external gateway

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website