VLAN network computers don´t go out to WAN
Hi,
I need help setting up the FortiGate 50B (4.0 MR3) to connect devices on different VLANs to the internet.
In this case I have two wireless routers, one for the employees' laptops and the other for the guests' laptops.
All the employee networks (wifi + LAN) must be in the same VLAN 10, and I want the guests to be in VLAN 50 to contain the risk of virus proliferation and for security.
What I did in the switch is to set the VLAN ports as "access" with the following tags:
- Ports 1, 2, 3: VLAN 10 for the employee desktops
- Port 10: VLAN 10 for the employee wireless router
- Port 11: VLAN 50 for the guest wireless router
- Port 23: connected to the firewall, port set to VLAN 10
- Port 24: connected to the firewall, port set to VLAN 50
The switch is already set to have DHCP for each VLAN and it is working fine.
I then tried to access the internet but it is not working... What did I do wrong in the FortiGate?
Please see the attachments.
Labels: 4.0MR3
Diagram looks good :)
Let's start with some basic diagnostics and troubleshooting:
1: You have wan1 + wan2 in the destinations. Is either of these two uplinks to the internet working?
2: Are the next-hop gateways reachable?
3: Can the guest/employee LANs ping the FortiGate interfaces (ensure ping is enabled)?
4: Do they have their next-hop gateways via DHCP set to the FortiGate's inside interface address?
5: Did you run diag debug flow? If yes, what was the outcome? Was the expected firewall policy ID matched?
PCNSE
NSE
StrongSwan
6) Did you enable NAT on the policies that face the Internet?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Glancing over Eduardo's pics (specifically the firewall policy list), it shows traffic going through the internal interface to WAN1+2, so I'm guessing there is just a problem with the guest wifi network?
Second, the firewall policy list shows firewall policies for what appears to be the main internal interface and the guest VLAN interface (VLAN 50). Where is the interface for VLAN 10? Could it have the same interface name as the main interface? Are the internal ports on the 50B placed into interface mode?
Technically, tagged VLAN traffic from the Dell switch hitting the FortiGate only needs to go over one port. That being said, if we are only talking about two separate networks (internal and guest), I would consider just placing the 50B into interface mode (if at all possible), untagging the traffic leaving ports 23 and 24 (on the Dell switch) leading to the 50B, and not dealing with VLANs at all (on the 50B).
7) Confirm proper gateway/routing is in place.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Dave, I doubt the 50B is capable of splitting up the 'internal' switch into single ports. VLANs were the only way to have more ports in those days.
Thought as much.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
I had to do several things to properly route VLAN traffic through my 800C.
1.) HP 5800 Layer 3 switch: I set up a policy-based route for each VLAN. The PBR gave each VLAN a gateway of last resort that pointed to the 800C VLAN address for that VLAN.
These rules were needed so the VLAN traffic leaving the switch for the internet does not violate reverse-packet rules on any firewall. My previous firewall was Cisco. We switched to Fortinet last month. I kept the same rules. This method fixed HP's and Cisco's problem with reverse packets. Most firewalls will not allow VLAN traffic to come in or out on a different VLAN. It is considered VLAN spoofing and usually gets blocked. So you need to use PBR to route the traffic to the firewall.
2.) 800C: I set up a policy for each VLAN to go to the link-balanced connections. You need outbound rules for each VLAN on the Fortinet.
VLANs 8, 24, and 192 were registered subnets from the ISPs. I still needed to enable NAT.
VLANs 10, 20, 30 are NAT VLANs.
The incoming interface is the VLAN ###.
The outgoing interface is Wan-Load-Balance; if you have one connection it would be WAN1 or WAN2.
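The following is an added worked example, not configuration posted by anyone in this thread, showing the FortiGate side of the setup the replies above describe: VLAN sub-interfaces on the 50B's "internal" switch interface, one outbound policy per VLAN with NAT enabled (emac's checklist, Bob's point 6, and the per-VLAN policies in the 800C post), no policy between the guest and employee VLANs so they stay isolated, and the diag debug flow session used to confirm which policy a guest client actually hits. It assumes a single tagged (trunk) switch port to the 50B carrying both VLANs, the subnets 192.168.10.0/24 and 192.168.50.0/24, the interface names vlan10 and vlan50, a wan1 next hop of 203.0.113.1, and a guest client at 192.168.50.20; all of these addresses and names are invented for the example. It uses the 4.0 MR3 CLI syntax (for example service "ANY"), which is not identical to later FortiOS releases.

```text
# --- VLAN sub-interfaces on the internal switch (assumed names/addresses) ---
config system interface
    edit "vlan10"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping          # so checklist item 3 (ping the gateway) can work
        set interface "internal"
        set vlanid 10
    next
    edit "vlan50"
        set vdom "root"
        set ip 192.168.50.1 255.255.255.0
        set allowaccess ping
        set interface "internal"
        set vlanid 50
    next
end

# --- Default route out wan1 (checklist items 1, 2 and 7; assumed gateway) ---
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
    next
end

# --- One outbound policy per VLAN, each with NAT (point 6). ---
# There is deliberately NO policy with srcintf vlan50 / dstintf vlan10:
# FortiOS denies anything not matched by a policy, which is what keeps
# guests away from the employee LAN.
config firewall policy
    edit 0
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 0
        set srcintf "vlan50"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end

# --- Checklist item 5: trace a guest client's packets (assumed client IP) ---
# Run these from the CLI, then have the client open a web page.
diagnose debug enable
diagnose debug flow filter addr 192.168.50.20
diagnose debug flow show console enable
diagnose debug flow trace start 10

# When finished:
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
```

Reading the trace: a healthy flow shows the packet arriving on vlan50, a route lookup to wan1, and a line of the form "Allowed by Policy-N: SNAT", which answers emac's item 5 (the policy ID matched) and Bob's item 6 (SNAT means NAT is on) in one go. "Denied by forward policy check" means no policy matched, typically because the packet came in on "internal" rather than "vlan50" (the switch port is untagged, so the frame never reached the VLAN sub-interface) or the policy's srcintf is wrong. If the client cannot even ping 192.168.50.1, the problem is upstream of the policy: either the DHCP scope on the switch is not handing out the FortiGate VLAN address as the default gateway (item 4) or the VLAN tag is not reaching the 50B.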
