I am new to Fortinet but I have a strong Cisco background. We are looking at replacing our Cisco 891W with a Fortigate 60D. I am working in a lab trying to get the device configured. In Cisco I can set the DHCP on the VLAN and all devices being tagged for that VLAN can gets its IP from the VLAN DHCP, this does not seem to work on the 60D. I have attached a screenshot of the interfaces. When the DHCP is configured on the interface I can get an IP on a connected PC but the VLAN tag is not added to the packets. When I configure the DHCP on the VLAN the PC cannot get an IP. I can see the DHCP request from the PC, using WireShark, and the 60D shows the DHCP request on it, but the DHCP packet is not tagged with the VLAN and there is no IP return. Looking at the picture of the interfaces, I have attached, it shows that the Voice VLAN is a subinterface to the internal2 interface. Should the DHCP packet get the VLAN tag added to it since the PC is connected to the internal2 port?
I am assuming that the 60D works like Cisco in that it tags all the traffic on internal2 port with the voice VLAN. Have I missed something?
Thank You,
David
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Wifi clients pull an IP (broadcast DHCP request) via SSID on vlan 100 or 200, while your DHCP is configured on the softswitch interface, which is non-tagged. You have to have DHCP server configure on each vlan 100 and 200 subinterfaces to provide IPs to the clients.
AP's management IPs are separated from SSIDs. That's why your APs currently get an IP from the DHCP you configured on non-tagged interface as well as the controller. You want to keep it as is while each SSID need to be on different subnets/DHCP servers because they're on different vlan interfaces.
Hi
From the excibit i see you have only one configured vlan the voice vlan. But you didnt append the configuration on this interface concerning the DHCP config.
Additionally my opinion is that due this system is in Dev mode I suppose , it would be a good idea
a. To upgrade from 5.2 (which you are now) to 5.4.x
b. Delete the virtual switch and use separetly those interfaces.
PS: FGT as layer 3 device can change VLAN tag but cannot add or delete one, switches do that.
--------------------------------------------
If all else fails, use the force !
hm,
did you set up a dhcp server on the vlan interface?
On your screen I see that internal2 is not connected. As long as the physical interface is not connected and the vlan being a subinterface of this no vlan packets will reach the FGT here.
Also you need to to vlan tagging on your clients or have a switch that can tag the packets between FGT and Clients.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thank you for your help, I am starting to think that I do not have the correct understanding of how a Fortigate works. In Cisco I have the VLAN do the DHCP so that when I have wireless clients they get the same IP space as the LAN clients in that VLAN. Since I have only been able to get the PC to get and IP from the Fortigate is when I have the DHCP on the interface that seems to point to Fortigate requires the DHCP on the interface not the VLAN so clients on different interface will have different IP space. That is what you see with the Voice VLAN in my picture. It also shows that the Data VLAN does assign the DHCP on the interface and not the VLAN and that is why those clients can get an IP. Currently the Data, Voice, and Guest VLANs are sub-interfaces of the actual switch port (internal1, internal2, and internal3) so I am not sure that you mean by deleting the virtual switch since I did not configure them as a switch (software or hardware). I do have a 5.4 which I was going to upgrade too, but I wanted to make sure of my understanding of how VLANs and DHCP works first. It also seems that on a Fortigate the VLAN assigned to an interface will not specifically tag the packets as that VLAN, so packets on that interface will have to be handle as if it is the interface and not the VLAN. Do I have this correct?
Tagged vlans are tagged separate logical interfaces. We used a lot this including non-tagged/parent interface on the same physical "trunk" interface, and hand them over to a Cisco SG300 or Juniper EX2300 or whatever L2 switch to break and deliver them separately to each switch port.
If you want to combine some of interfaces together to share the same subnet (and the same DHCP scope) beyond the hard-switch ports (port #1 - 7 on 60D) including wifi SSIDs/interfaces, you can use soft-switch interface (config sys switch-interface) at least with 60D/60E, but I believe you can do the same with upper models too. But once you do it, you can't use individual interfaces separately with policies any more.
Just be aware that soft-switch interfaces are switched by CPU/software. It might slow-down the switching process quite a bit.
Please forgive me for sounding like I do not understand, but my background is from a Cisco view and I tend to look at the configuration from that view, which may be incorrect. My network architecture looks like:
Phone ISP Data ISP
| | SSID: Guest
| | VLAN 30
| | |
˅ ˅ |
|---------60D ------------| <------- AP <---+
| | |
| | ˅
˅ ˅ SSID: Internal
Switch Switch VLAN 20
| |
| |
Internal VoIP
Data Phones
Systems
The current network uses a Cisco 891W and I want to replace it with the 60D. The Cisco has the AP built in whereas I am now using a separate AP device since the 60D does not have wireless built in.
Once I apply a VLAN to an interface, in Cisco, the packets are tagged and I can use the VLAN as part of the Zone Based Firewall for access control, this is why I have three VLANs (data, voice, and guest). I used this idea when configuring the 60D and created a VLAN for the interfaces, but it seems that the packets are not getting tagged as I expected. Since the current architecture has the router doing the routing to single port for the VLAN the switch attached to each port is only for that single VLAN so the switch does no tagging of the packets. This behavior is what I was hoping to achieve with the 60D. Also using an AP for the wireless connections, I assumed that the AP VLAN tagging would just pass through to the internal interface and be routed accordingly.
My confusion is, it seems that I cannot VLAN tag packets with the 60D so I have been able to get routing to work using only the interfaces; overall not an issue. This would be fine and I would just remove all the VLANs. The problem is that I do not see a way to create a VLAN without it being associated to an interface on the 60D. This becomes a problem for the AP. I need to base the routing of the traffic of the AP port on VLANs that I cannot define separately. So, it would seem that I now have a trunk port (the AP port) but no way to create a VLAN definition, so I cannot create and routing based off the VLAN as I was expecting I could.
I know I am missing something in this configuration, but I am not sure what it is. Can I, in fact, use this architecture for the network? If so, how do I create the VLANs and route the packets properly. I am also trying to avoid using a software switch so I can have better performance, however, if that is the only way to get this to work I would use a software switch.
You have to have interfaces for all 4 (Internal Data, VoIP, Vlan20, and Vlan30) sub-networks and an IP for each. FTNT is NOT L2-L3 router. L2 handling part is limited. A Vlan logical interface is ALWAYS tagged. It doesn't support "access port" unlike Cisco, Juniper or other L2-L3 router/switch.
Since your AP is not coming through the switch unlike data/VoIP LAN, you have to have a separate interface (you seem to have created "WLAN" hard-switch interface includes multiple physical interfaces like internal4-7) from those internal LAN connections to the switch. Then you have to create Vlan20 and 30 sub/logical tagged interface on the WLAN. While WLAN is non-tagged interface and won't have any IP because you don't need it, Vlan20 and Vlan30 are tagged and have an IP on each.
I think that's what you're missing.
I cannot thank you enough, I have it finally working. You got me on the right track.
No problem. Virtually everybody is "been there, done that" including myself.
Hi all,
I'm having quite a similar problem and I can't get it working.
I have 40 APs connected to switch1 and switch2 ( 20 AP's / switch)
Both switches are connected to Fortigate 1500D into 2 physical ports , port1 and port2
On Fortigate I created a soft-switch made of port1 , port2, port 3 ( port3 on Fortigate connects the controller for the APs)
On the soft-switch I enabled DHCP, class 172.16.x.x, that assigns IP addresses for WiFi Clients and APs
On Fortigate port 5 is used as WAN port ( a static route from interface 172.16.x.x to WAN port was created )
Also inside the soft switch I created 2 VLAN interfaces ( VLAN 100 and VLAN 200) each assigned to a different SSID inside the wifi controller. The VLAN interfaces have static 0.0.0.0/0.0.0.0 address
My understanding is :
-on Fortigate ports 1,2,3 are tagged with VLAN 100 and 200
-on switch_1 the uplink port - trunk port- ( port 25) is tagged with VLAN 100 and 200
-on switch_2 the uplink port - trunk port - (port25) is tagged wit VLAN 100 and 200
-all ports on switch_1 ( port1-port24) are trunk ports tagged with VLAN 100 and 200
-all ports on switch_2 ( port1-port24) are trunk ports tagged with VLAN 100 and 200
For the 2 VLAN interfaces I have created 2 policies :
Policy1:
Incoming interface : VLAN100 Source address : all Outgoig interface : WAN-interface Destination address: All Service : All Action : ACCEPT Firewall : NAT (Use outgoing interface address)
Policy2:
Incoming interface : VLAN200 Source address : all Outgoig interface : WAN-interface Destination address: All Service : All Action : ACCEPT Firewall : NAT (Use outgoing interface address)
I can get clients connected on AP ( authetication) but no IP address is assigned to WiFi clients.
Have I missed something? Thank You,
Dragos
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1095 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.