Support Forum
shaan129
New Contributor

VLAN routing on FortiGate 60E

Dear all, hello. I have VLAN 100, which holds the management IPs for all the devices in the network, so I have the core switch and the FW connected on VLAN 100 as well: FW 192.168.255.1, core switch 192.168.255.11. On the core switch the port is untagged with VLAN 100, and on the FW side it is configured as a hardware switch with the IP mentioned above.

I have VLANs which are defined on the core switch with different subnets as well. Now I want not all but only some of them to have internet access, so on the core switch I have pointed the default route to 192.168.255.1, and on the FW I have pointed the route to 192.168.255.11 because the gateways for these VLANs are defined on the core switch. But the thing is, I am not able to reach the internet from these VLANs. Kindly help.

Regards

Shaan
coolbreeze
New Contributor

You set the default gateway on the FortiGate to your Internet provider (or use a dynamic gateway route). You would then create static routes for your internal subnets that point to your core router. It would not be a default route.

On policies, you would then create outbound rules with source addresses that include the subnets you want to be able to access the Internet.

Without that policy on the FortiGate you won't reach anything. It blocks everything by default.

Travis Newshott, CISSP [JobTitle] GDT
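The design coolbreeze describes, written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet's documentation. It assumes the WAN interface is named "wan1", the hardware-switch interface facing the core is "internal" (the one carrying 192.168.255.1 from the original post), the ISP gateway is the placeholder 203.0.113.1, and two constructed VLAN subnets 10.10.10.0/24 and 10.10.20.0/24 are the ones that should get internet access; a third VLAN on the core that is not listed gets no route and no policy and therefore no internet.

```fortios
# Default route goes to the ISP only; replace 203.0.113.1 (placeholder)
# with the provider's gateway, or use a dynamic gateway on wan1.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
    next
    # The VLAN subnets live behind the core switch (gateways stay on the
    # core), so the FortiGate needs a specific route back to each subnet
    # via the core's VLAN 100 address. These are NOT a default route.
    edit 2
        set dst 10.10.10.0 255.255.255.0
        set gateway 192.168.255.11
        set device "internal"
    next
    edit 3
        set dst 10.10.20.0 255.255.255.0
        set gateway 192.168.255.11
        set device "internal"
    next
end

# Address objects for the subnets that are allowed out (constructed values).
config firewall address
    edit "VLAN10_NET"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "VLAN20_NET"
        set subnet 10.10.20.0 255.255.255.0
    next
end

# One outbound policy whose source is restricted to the permitted subnets.
# Anything not listed here is dropped by the implicit deny at the end.
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "VLAN10_NET" "VLAN20_NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Two things to check when a VLAN still cannot reach the internet with this in place: the specific routes in `config router static` are what let the FortiGate send replies back through the core, and they also satisfy the FortiGate's reverse-path check, which drops packets whose source subnet has no route via the interface they arrived on. Keeping `srcaddr` as named objects rather than `all` is what enforces "only some VLANs", and `set logtraffic all` makes the denied VLANs visible in the forward traffic log rather than failing silently.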
sw2090
Honored Contributor

In addition to coolbreeze:

You have to make sure that all VLAN traffic reaches the FortiGate on one port and that on the FortiGate this one port carries all the VLANs. Then every VLAN needs a policy for the internet. Clients in the VLAN should then have the VLAN IP of the FortiGate as default gw (or you would also need a policy for every VLAN that allows VLAN clients to reach the management IP and interface of the FortiGate).

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
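The alternative sw2090 describes, with the FortiGate as the gateway for each VLAN, as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet's documentation. It assumes a trunk from the core switch lands on a physical port named "internal1" that has been taken out of the hardware switch, the WAN interface is "wan1", and three constructed VLANs (10, 20 and 30) with subnets 10.10.10.0/24, 10.10.20.0/24 and 10.10.30.0/24. VLAN 30 is deliberately given no outbound policy so that it stays internal-only.

```fortios
# One VLAN sub-interface per tagged VLAN on the trunk port. The .1 address
# on each is what the clients in that VLAN use as their default gateway.
config system interface
    edit "vlan10"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set interface "internal1"
        set vlanid 10
    next
    edit "vlan20"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
        set interface "internal1"
        set vlanid 20
    next
    # VLAN 30 is routed by the FortiGate but gets no internet policy below.
    edit "vlan30"
        set vdom "root"
        set ip 10.10.30.1 255.255.255.0
        set allowaccess ping
        set interface "internal1"
        set vlanid 30
    next
end

# Per-VLAN outbound policies. Scoping srcintf to the VLAN interface means
# the policy cannot be matched by traffic arriving on any other VLAN.
config firewall policy
    edit 10
        set name "VLAN10-to-Internet"
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    edit 20
        set name "VLAN20-to-Internet"
        set srcintf "vlan20"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

With the gateways on the FortiGate the VLAN subnets are directly connected, so no static routes to the core are needed; the core switch port towards "internal1" must be a tagged trunk carrying VLANs 10, 20 and 30, and the core should no longer have SVIs for those VLANs or the clients will be routed past the firewall. VLAN 30 hosts can still reach each other but have no path to wan1, and the denied attempts show up in the traffic log because of the implicit deny.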
shaan129

Thank you coolbreeze and sw2090 for your comments.

I did the same and the internet is working now, but with Juniper we did not use to do this. Instead we had an untagged port on the core switch connecting to the FW, and for the subnets which had to reach the internet we used to have the gateway defined on the core switch itself, with a default route pointing to the FW; on the firewall there were no interfaces either, just a default route pointing to the core switch, and the internet used to work for those subnets.

The way I have configured it now is that the only way the internet will work for subnets on the LAN is to have the gateway on the FortiGate instead of the core switch. Will it not work with the gateways being on the core switch?

Regards

Shaan
sw2090
Honored Contributor

Yeah, that's a limitation in FortiOS. It can only handle VLAN traffic that is tagged. It would accept traffic from an untagged switch port but would then not be able to route the answer back to the correct VLAN.

If you have a Layer 2 core switch you might be able to do NAT on the uplink port with untagged in one VLAN. This might then work too.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
shaan129

Thank you sw2090 for the prompt reply.

 

Regards

Shaan