Fortinet Forum
hung_hoang
New Contributor

Fortigate 100D OS 5.4.3, VLANs access to internet

Hi Guys,

I need help configuring VLAN access to the internet on a FortiGate 100D.

ISP>>>Fortigate 100D>>>Alcatel OS6860E-24>>>Access SW 

- VLAN 1 (internal LAN, default interface of the FG100D, management VLAN): 192.168.40.0/22, with the DHCP server and the SNMP server OmniVista 2500 NMS for deploying Stellar access points

- VLAN 10 (Office): 172.16.142.0/24

- VLAN 40 (Guest): 10.0.1.0/16

I need all 3 VLANs to be able to access the internet.

- Config on FG100D:

1/ Create 2 sub-interfaces on the LAN interface: sub-interface vlan10 and vlan40

2/ Create policies:

   a/ Policy VLAN 10 to internet: interface vlan10 to wan1

   b/ Policy VLAN 40 to internet: interface vlan40 to wan1

   c/ Policy VLAN 10 to VLAN 1: interface vlan10 to lan

   d/ Policy VLAN 40 to VLAN 1: interface vlan40 to lan

3/ Create static routes:

   a/ Default route: Dest: 0.0.0.0/0, Device Type: wan1, ISP default GW

   b/ VLAN 10 to VLAN 1: Dest: 192.168.40.0/22, Device Type: LAN, Default GW: IP of interface vlan10

   c/ VLAN 40 to VLAN 1: Dest: 192.168.40.0/22, Device Type: LAN, Default GW: IP of interface vlan40

 

Please tell me what is wrong in my configuration.

rwpatterson
Valued Contributor III

Have you gotten the trunking configured correctly yet on the Alcatel? Can you PING the default gateways on the Fortigate from those VLANs?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

hung_hoang

@rwpatterson: Hi, sorry for the late reply.

Tomorrow I will deploy the FortiGate 100D for my customer following the above steps, and I just want to be sure before doing it.

 

ericli_FTNT

Hi OP,

Since you said all 3 VLANs should have internet access: I didn't see any policy allowing vlan1 to the WAN interface, nor any policy allowing vlan1 to the other VLANs. So how could your devices in 192.168.40.0/22 initiate outbound traffic?

 

Keep in touch. Thanks!

Ashik_Sheik

Hi

Since all 3 VLANs are directly connected to the FortiGate, you don't need to define any route. Please share the FortiGate config to validate your configuration. Also, is there any subnet behind VLAN 1 which requires a static route pointing to the LAN next hop? Hope this clears your doubt.

 

Regds

Ashik

 

Ashu 

 

hung_hoang

Hi guys,

I have configured the FortiGate 100D for my customer, and the 3 VLANs access the internet.

1/ Interfaces:

    - sub-interface lan: 192.168.40.1/22    type: hardware switch

    - sub-interface vl10: 10.0.1.1/16        type: vlan

    - sub-interface vl40: 172.168.142.1/24   type: vlan

2/ IPv4 Policy:

    a/ lan to wan1

    b/ vlan10 to wan1

    c/ vlan40 to wan1

    d/ lan to vlan10

    e/ vlan10 to lan

    f/ lan to vlan40

    g/ vlan40 to lan

   The DHCP server and SNMP server are on the LAN network 192.168.40.0/22, so I need policies d, e, f, g. Is that right?

3/ Default route: 0.0.0.0/0  wan1
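As an added example (not configuration from the thread or from Fortinet), here is the corrected setup written as FortiOS 5.4-style CLI for the addressing in the original post (LAN 192.168.40.0/22, VLAN 10 172.16.142.0/24, VLAN 40 10.0.1.0/16). Assumptions: the hardware switch is named "lan", the uplink is "wan1", ISP_GATEWAY_IP is a placeholder for the provider's gateway, and the policy and address-object names are my own. It drops the two static routes for directly connected subnets (Ashik's point), adds the lan-to-wan1 policy that ericli noted was missing, and leaves guest-to-office traffic at the implicit deny.

```fortios
# Added example, not from the thread. Assumed names: "lan" hardware switch,
# "wan1" uplink; ISP_GATEWAY_IP is a placeholder. VLAN 1 rides "lan" untagged;
# VLANs 10 and 40 must be tagged on the Alcatel trunk port facing the FortiGate.
config system interface
    edit "vlan10"
        set ip 172.16.142.1 255.255.255.0
        set allowaccess ping
        set interface "lan"
        set vlanid 10
    next
    edit "vlan40"
        set ip 10.0.1.1 255.255.0.0
        set allowaccess ping
        set interface "lan"
        set vlanid 40
    next
end

# Address objects so policies name the real subnets instead of "all".
config firewall address
    edit "net-lan"
        set subnet 192.168.40.0 255.255.252.0
    next
    edit "net-vlan10"
        set subnet 172.16.142.0 255.255.255.0
    next
    edit "net-vlan40"
        set subnet 10.0.0.0 255.255.0.0
    next
end

# Only the default route is needed: the three subnets are directly connected,
# so static routes 3b and 3c from the original post are dropped.
config router static
    edit 1
        set dst 0.0.0.0/0
        set gateway ISP_GATEWAY_IP
        set device "wan1"
    next
end

config firewall policy
    # Internet access: one source-NAT policy per segment. "lan-to-wan1" is the
    # policy the original list lacked, so VLAN 1 hosts could not reach the ISP.
    edit 0
        set name "lan-to-wan1"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "net-lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set name "vlan10-to-wan1"
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "net-vlan10"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set name "vlan40-to-wan1"
        set srcintf "vlan40"
        set dstintf "wan1"
        set srcaddr "net-vlan40"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Office VLAN to the management LAN (DHCP/SNMP/OmniVista), no NAT. Policies
    # are one-way; replies follow the session, so a lan-to-vlan10 policy is only
    # needed if LAN hosts must open connections into the VLAN.
    edit 0
        set name "vlan10-to-lan"
        set srcintf "vlan10"
        set dstintf "lan"
        set srcaddr "net-vlan10"
        set dstaddr "net-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # No vlan40 <-> vlan10 policy: guest-to-office traffic stays on the
    # implicit deny, which is the isolation ericli asked about.
end

# Check: expect "C" (connected) entries for the three subnets and an "S*"
# default route via wan1; no static entries for the VLAN subnets should appear.
get router info routing-table all
```

With this in place, rwpatterson's test still applies: a host in each tagged VLAN should be able to ping its FortiGate sub-interface address before any internet test is meaningful; if it cannot, the trunk on the Alcatel side is the first thing to check.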

    

ericli_FTNT

Hi Hung,

That configuration is not bad. But I guess your traffic between VLAN 40 and VLAN 10 would be blocked. Is that by design?

hung_hoang

Hi ericli,

Yes, this is the diagram for a hotel: VLAN 10 is the guest network, VLAN 40 is the office network.

ericli_FTNT

That's great. Thanks!

adham

I have on L3 avaya switch  switch have 2 vlans  vlan 10 with ip address 30.30.30.3 255.255.255.0 vlan 20 with ip address 20.20.20.3 255.255.255.0 intervlan routing is activated on both and ip routing is ON on all eth  vlan 10 have ports 11-24 vlan 20 have ports 2-10 on vlan 20 i am connecting fortigate firewall 60c interface ip address is 20.20.20.4 and connecting 1 pc that got ip from fortigate DHCP pool 20.20.20.6  on vlan 10 pc is connected ip address 30.30.30.4  on firewall side i have cable to WAN 1 with ip 172.16.100.1 and my firewall got ip address 172.16.100.132  internet on firewall is working also on pc on vlan 20 (same firewall's vlan ) but on vlan 10 i have no internet access even know pc on vlan 10 can ping firewall and access GUI and firewall can ping it also  as per static route i have    0.0.0.0/0.0.0.0 to wan 1 and default gateway is 172.16.100.1  30.30.30.0/255.255.255.0 internal  gateway 20.20.20.3   policy is set all to all , Nat is activated on all interfaces  how can I allow pc on  vlan 10 to access internet