Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- VLAN handling and DHCP - FTG 61E with UniFi Switch...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VLAN handling and DHCP - FTG 61E with UniFi Switch (no USG)
Hi All,
I'm building the test lab for an upcoming network for new project, who require FTG and UniFi. This is my first fresh build in 6 years, and indeed first Fortigate and UniFi experience, so please bear with me as I'm learning the nuances.
Diagram shows a stripped out version of what I'm building. My issue was originally that clients connecting to the WAP do not receive any IP address at all, despite the UniFi SSID specifiying the correct VLAN ID for VLAN OTHER as clients join.
If I remove the VLAN specification from the SSID, the clients can connect, but instead pickup DHCP from the FTG INT1 DHCP range (which I would eventually want to to turn off. If I use a static IP on the client, I still can't ping anything (all interfaces set to allow ping etc. during test build).
I've tried skipping the UnFi switch and creating another test VLAN subinterface on the 61E with DHCP, connected to INT 6. I see the same behavior there - a wired client can only get DHCP from the INT1 range and only if I add the policy. DHCP from the VLAN66 interface is ignored/doesn't work. I did read this might be because the FTG needs an L2 device in front of it to assign the VLAN tag ID though - the VLAN subinterface on the FTG port cannot do this - is that correct?
STP is enabled on the interfaces and subs, NAT disabled on the INT to INT/VLAN policies, and can't think what else I'm doing wrong... seems to me the core issue is my VLANs not talking between interfaces correctly?
Once I can get the VLANS assigning DHCP correctly, I'd like to move the UniFi controller and hardware onto the Management VLAN.
Thanks for any help in advance.
-
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wouldn't do it so complicated.
The easiest way would be to create vlans on int1 with the correct vid and ip setting.
you switch already has al vids tagged on all ports so should be fine.
Then you just need policies to allow the traffic between the interfaces.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, might not be clear from diagram, but that's how I believe I have it.
All the VLANs are subinterfaces on INT1.
The VLANs are also grouped together in a Zone.
Then the policies are between the Zone and the INT1.
Does the fact the INT1 is on a hardware switch with INT 1-5 have a bearing?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The bottom line is it's most unlikely FGT config issue. But the switch config issue, which is connecting those ports to wrong vlans at the trunk port.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The switch port profile "TRUNK" to INT1 has all VLANS and the same 10.10.1.1/24 "core" subnet specified on it, so it should be sending all tagged VLAN traffic to the FTG. I've also tried setting the UniFi Switch port profile to "All".
The UniFi switch is only a layer 2 switch, so can't really think of anything else we can alter there?
Connecting to any trunk on the UniFi switch without VLAN being tagged on ingress, works fine with both switch port profiles of TRUNK and ALL, and traffic goes out through FTG to web, with DHCP obtained directly from the root INT1 interface.
It's only when clients connect via an SSID and area allotted VLAN ID that it breaks, which makes me think the FTG is dropping or changing the packets being the L3 capable device. NAT is disabled on the INT1 to ZONE rules though...
FTG Log does show non VLAN stuff coming through, but should I expect to see VLAN traffic tagged as such after the source IP in the log? I see a lot of local IPV6 traffic.
How can I test the FTG's handling of the incoming tagged VLAN traffic sent from the UniFi switch and see where it goes/gets dropped?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To me only way to figure out is to run packet capture on each vlan interface and non vlan parent interface to see where those DCHP requests are coming to.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the advice - and apologies, it turns out your first reply was correct :thumbs_up::beaming_face_with_smiling_eyes:
I was caught out by my unfamiliarity with UniFi, so leaving this one here for anyone else that comes across it.
My issue turned out to be that the UniFi switch wasnt saving the config. The controller was telling me it was saving settings, but these weren't being applied to the switch.
The switch had been stuck in an adoption loop. Because I had already factory reset it, and all the physical routing and config was working fine after resetting, and picking up correct IP etc. which I could ping, I assumed the switch was actually OK and this was just a handshaking issue to sort out between switch and controller. I thought the reporting in to the UniFi controller had been getting broken once the config was taken.
Wrong - what was actually happening was the switch was working after reset in its' default state of unmanaged/native VLAN 1 only...
The adoption failure was caused by a mixture of my moving the controller IP, and the switch not picking up my new controller admin pwd (apparently UniFi admins will be familiar with this little trap).
To resolve i had to 'forget' switch config from controller, SSH in and reset, follow by a re-inform command to the switch of new controller IP.
It then picked up my correct config from the controller and everything sprang to life, correct DHCP ranges from the FTG being alloted to correct SSID client VLAN IDs
The FTG was configured and working perfectly all along :thumbs_up:
Thanks for all help.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,686 -
FortiClient
1,758 -
5.2
801 -
FortiManager
727 -
5.4
639 -
FortiAnalyzer
556 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
430 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
244 -
FortiAuthenticator v5.5
234 -
IPsec
208 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiGateCloud
102 -
FortiAuthenticator
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
91 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1711 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.