Fortinet Forum
New Contributor

Fortigate 100D OS 5.4.3, VLANs access to internet

Hi Guys,

I need help configuring VLAN access to the internet on a FortiGate 100D.

ISP>>>Fortigate 100D>>>Alcatel OS6860E-24>>>Access SW 

-VLAN 1(internal LAN, interface default of FG100D, management vlan):  with DHCP Server and SNMP Server OmniVista 2500NMS for deploy Stellar Access Point

-VLAN 10( Office):

-VLAN 40( Guest):

I need all 3 VLANs to be able to access the internet.

-Config on FG100D:

1/Create 2 sub interface on Lan interface: sub-interface vlan10 and vlan 40

2/Create Policy:

   a/Policy vlan 10 to internet: interface vlan10 to wan 1

   b/Policy vlan 40 to internet: interface vlan40 to wan 1

   c/Policy vlan 10 to vlan 1: interface vlan 10 to lan

   d/Policy vlan 40 to vlan 1: interface vlan 40 to lan

3/Create Static route:

   a/Default route:  Dest:, Device Type: Wan 1, ISP Default GW 

   b/Vlan 10 to Vlan 1:  Dest:, Device Type: LAN, Default GW: IP interface vlan 10

   c/Vlan 40 to vlan 1:  Dest:, Device Type: LAN, Default GW: IP interface vlan 40


Please tell me what is wrong in my configuration.

Valued Contributor III

Have you gotten the trunking configured correctly yet on the Alcatel? Can you PING the default gateways on the Fortigate from those VLANs?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at:


@rwpatterson: hi, sorry for late reply.

Tomorrow I will deploy the FortiGate 100D for my customer following the above steps, and I just want to be sure about what I am doing.



Hi OP,

Since you said all 3 VLANs should have Internet access, I didn't see any policy allowing vlan1 to the wan interface. Nor is there any policy allowing vlan1 to the other VLANs. So how could your devices in initiate outbound traffic?


Keep in touch. Thanks!



Since all 3 VLANs are directly connected to the FortiGate, you don't need to define any route. Please share the FortiGate conf to validate your configuration. Also, are there any subnets behind Vlan1 which require a static route pointing to a LAN next hop? Hope this clears your doubt.








Hi guys,

I configured the FortiGate 100D for my customer, with 3 VLANs that access the internet.

1/ Interfaces:

    -sub interface lan:    type:hardware switch

    -sub interface vl10:        type:vlan

    -sub int vl40:     type:vlan 

2/ IPv4 Policy:

    a/lan to wan1

    b/vlan10 to wan1

    c/vlan40 to wan1


    d/lan to vlan10

    e/vlan10 to lan


    f/lan to vlan40

    g/vlan40 to lan

   The DHCP server and SNMP server are on the LAN network, so I need policies d, e, f, g. Is that right?

3/ Default Route:  wan1  
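
A FortiOS CLI rendering of the setup listed in the post above, as an added example that is not part of the original thread. All IP addresses, the policy names and the narrowed service list on the VLAN-to-LAN policy are assumptions made for illustration; only one VLAN's policies are shown, and the other VLAN follows the same pattern.

```fortios
# Constructed example for FortiOS 5.4; every address below is a placeholder.
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "lan"
        set vlanid 10
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
    next
    edit "vlan40"
        set vdom "root"
        set interface "lan"
        set vlanid 40
        set ip 192.168.40.1 255.255.255.0
        set allowaccess ping
    next
end
config firewall policy
    # Internet access: one policy per source interface, NAT on egress.
    edit 0
        set name "vlan10-to-wan1"
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Access to LAN servers: service list is an assumption, narrowed from ALL.
    edit 0
        set name "vlan10-to-lan"
        set srcintf "vlan10"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SNMP" "PING"
    next
end
config router static
    # Only the default route is needed; connected VLAN subnets route themselves.
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
    next
end
```

With no policy defined between vlan10 and vlan40, traffic between them is dropped by the implicit deny at the end of the policy list.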



Hi Hung,

That configuration is not bad. But I guess your traffic between Vlan40 and Vlan10 would be blocked. Is that by design?


Hi ericli,

Yes, this is a diagram for a hotel; VLAN 10 is the guest network, VLAN 40 is the office network.


That's great. Thanks!


I have an L3 Avaya switch. The switch has 2 VLANs: VLAN 10 with IP address and VLAN 20 with IP address. Inter-VLAN routing is activated on both and IP routing is ON on all eth. VLAN 10 has ports 11-24, VLAN 20 has ports 2-10.

On VLAN 20 I am connecting a FortiGate 60C firewall, interface IP address is, and connecting 1 PC that got its IP from the FortiGate DHCP pool. On VLAN 10 a PC is connected, IP address. On the firewall side I have a cable to WAN 1 with IP and my firewall got IP address.

Internet on the firewall is working, and also on the PC on VLAN 20 (same VLAN as the firewall), but on VLAN 10 I have no internet access, even though the PC on VLAN 10 can ping the firewall and access the GUI, and the firewall can ping it also.

As for static routes, I have to WAN 1 and the default gateway is internal gateway. Policy is set all to all, NAT is activated on all interfaces.

How can I allow the PC on VLAN 10 to access the internet?