Fortinet Forum
ragno
New Contributor

Setting Fortinet 60D interface ports for Trunk and Access VLANs

Hello!

 

I have a Fortinet 60D on a multi-VLAN network environment. Is it possible to make the settings below, where port 1 is a trunk for all VLANs, and for the other ports I can choose which VLAN to assign?

PORT 2 (vlan 10) ----- DESKTOPS
PORT 3 (vlan 20) ----- SECURITY CAMERA
PORT 4 (vlan 20) ----- SECURITY CAMERA
PORT 5 (vlan 50) ----- WIFI
:::::::::::::::::::::::::::::::::::::::::::::::::::::
:::::::::: FORTINET FIREWALL ::::::::::
:::::::::::::::::::::::::::::::::::::::::::::::::::::
PORT 1 of Fortinet (TRUNK PORT)
  |
  <<< TRUNK CHANNEL (with all vlans passing through 10,20,50)
  |
SWITCH (L3, ROUTING ENABLED)
  |
...rest of the network...

emnoc
Esteemed Contributor III

I highly doubt that; the device is not a real L2 802.1Q switch. You can terminate VLANs 10, 20, 30, 40, 50 etc. on a sub-interface bound to a port, but passing all VLANs collectively out a trunk port is not plausible.

Is this firewall running in transparent mode?


PCNSE 

NSE 

StrongSwan  

ragno
New Contributor

emnoc wrote:

I highly doubt that; the device is not a real L2 802.1Q switch. You can terminate VLANs 10, 20, 30, 40, 50 etc. on a sub-interface bound to a port, but passing all VLANs collectively out a trunk port is not plausible.

Is this firewall running in transparent mode?


Yes it is in Transparent Mode since the switch is doing the vlan Routing.

 

I am able to create multiple subinterfaces on interface1 and assign IPs like 192.168.10.254 / 192.168.20.254 / 192.168.50.254. Then I changed the switch port to trunk mode and connected it to interface1 with those subinterfaces. It worked well for the machines connected to the switch that are in the same VLAN; they can ping the subinterfaces. But I don't know what I have to set on interface2 to interface7 to place the end devices on any of the 3 VLANs created before.

Jeff_FTNT
Staff

From your topology, you may try to set it up like below:

Enable VDOMs and create VDOMs, the same number as your VLAN number.

For example:

Create Vdom1, change it to TP mode, create the VLAN 10 interface on port1 (trunk port), assign it to Vdom1.

Assign port2 to Vdom1. Create a policy on Vdom1 permitting traffic port2->VLAN10.

Thanks.


ragno
New Contributor

Trying to make the thing simpler, I followed this tutorial from Fortinet so that at least the different VLANs can access the internet: http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/VLANs.103.17.html

But even after following the procedures it is not possible to get out to the internet. I took some screen prints of my FortiGate and of my HP switch, which has the VLANs and the routes pointing to the FortiGate.

(I made a simpler lab with just VLAN 10 and VLAN 20)


emnoc
Esteemed Contributor III

Suggestion:

Try drawing a topology sheet with the ports and VLANs that you are using between the in/out members. This might give us a better picture of what you're doing or trying to do.


PCNSE 

NSE 

StrongSwan  

ragno
New Contributor

emnoc wrote:

Suggestion:

Try drawing a topology sheet with the ports and VLANs that you are using between the in/out members. This might give us a better picture of what you're doing or trying to do.

First objective:

- PCs on VLAN 10 and 20 use ISP A

ON HP SWITCH:

- I created VLAN 10 with IP 192.168.10.1
- I created VLAN 20 with IP 192.168.20.1
- Assigned ports 10,14 to VLAN 10
- Assigned ports 20,24 to VLAN 20
- Assigned port 1 to trunk, tagged VLAN 10 and 20

[The switch created the VLAN routes itself after that]

- Then I created two default routes, pointing to the FortiGate subinterfaces, one for each VLAN:
  0.0.0.0 0.0.0.0 192.168.10.254
  0.0.0.0 0.0.0.0 192.168.20.254

[For some reason the route 0.0.0.0 0.0.0.0 192.168.20.254 does not appear in the routing page.. but it is really set on it]

ON FORTIGATE:

- Created two VLAN subinterfaces: VLAN 10 = 192.168.10.254 and VLAN 20 = 192.168.20.254
- Created the addresses for 192.168.10.0/24 and 192.168.20.0/24
- Set WAN1 with the ISP A PPPoE settings
- I didn't touch the Static Routes options
- Created a policy for VLAN 10 and 20 to go out to the internet via ISP A with NAT enabled

Jeff_FTNT
Staff

Try to set up the VLAN interface on the FGT's DMZ port; it should work.

The FG60D "internal" combines port1/port2... as a switch port by default.

Or you can remove the default policy/DHCP server/static routes associated with the "internal" interface, change it to "interface" mode, then set up port1 as you mention. Thanks.


emnoc
Esteemed Contributor III

ragno wrote:

[The switch created the VLAN routes itself after that]
- Then I created two default routes, pointing to the FortiGate subinterfaces, one for each VLAN:
  0.0.0.0 0.0.0.0 192.168.10.254
  0.0.0.0 0.0.0.0 192.168.20.254

I wouldn't do this, but that's your call. I would just pass VLANs 10/20 through to the HP and use the HP switch as a layer-2 switch. The reason why only one of the 2 is in your HP route table is probably that it doesn't have an ECMP function, and the lower_ip_address gw of 192.168.10.254 is the preferred route.

Now back to your diagram: on the WAN port to ISP A, is your goal to pass these 2 VLANs 10/20 out through that port?

 

You answered my 1st question, whether this is a layer-2 transparent firewall:

ragno wrote:

Yes it is in Transparent Mode since the switch is doing the vlan Routing.

Is this not the case?

Emnoc is really confused ;) If this is a layer-2 transparent firewall design, your device would not be using "routing" for carrying customer traffic.

 

What I would do, if VLANs 10/20/40/50 are to be carried, is to:

1: trunk them on your HP SWITCH PORT #1

2: pass these out the WAN1 port

 

 

Now if you're really needing NAT/ROUTED mode, which I think is what you really need, then do what you have done already on the HP: terminate your SVI layer-3 interfaces for VLANs 10/20/40/50.

And then place a /30 or whatever between the HP port1 and FGT PORT1. Assign the FGT an address and the HP will use that as its next-hop gateway to ISP A. Then you can perform SNAT and controls from the HP internal LANs out to the internet (your FGT is the gatekeeper, per se).

 

This will not allow for filtering between VLANs local to the HP. If you need filtering between VLANs defined on the HP, e.g.

- allow wifi to desktop
- allow desktop out to wan
- but deny cameras to the wan
- and allow wifi to the wan only

then you probably want the layer-3 interfaces nailed down on the FGT. You can do this with subinterfaces and VLAN tags,

 

e.g. (using port #1 on the FGT):

config sys int
    edit L3-10
        set vdom root
        set alias DESKTOP
        set vlanid 10
        set ip 192.168.10.254/24
        set type vlan
        set interface port1
    next
    edit L3-20
        set vdom root
        set alias SEC_CAMS
        set vlanid 20
        set ip 192.168.20.254/24
        set type vlan
        set interface port1
    next
    edit L3-50
        set vdom root
        set alias WIFI
        set vlanid 50
        set ip 192.168.50.254/24
        set type vlan
        set interface port1
    next
end

 

 

And on the WAN you configure your current L3 address that you posted earlier in the diagram. Then apply the correct firewall policies to allow traffic from vlan2vlan or vlan2wan.

Please advise if this makes any sense and what mode you are deploying, routed or transparent. I think you are really trying to do routed mode.

 

PCNSE 

NSE 

StrongSwan  
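As an added worked example (it is not part of emnoc's post or of Fortinet's documentation), here is the complete routed-mode configuration that the filtering list above implies on a FortiOS 5.x CLI: the three VLAN subinterfaces on port1, an address object per subnet, and explicit policies for each allowed flow. The interface names L3-10/L3-20/L3-50, the address names, the policy IDs and "wan1" as the ISP A interface are assumptions; the VLAN IDs and subnets are the ones used in this thread. Lines starting with # are explanatory and should be dropped if pasting into an interactive CLI session.

```fortios
# Added example, not from the thread: FortiOS 5.x CLI, routed (NAT) mode.
# Interface names, address names, policy IDs and "wan1" are assumptions.
config system interface
    edit "L3-10"
        set vdom "root"
        set alias "DESKTOP"
        set ip 192.168.10.254 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 10
    next
    edit "L3-20"
        set vdom "root"
        set alias "SEC_CAMS"
        set ip 192.168.20.254 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 20
    next
    edit "L3-50"
        set vdom "root"
        set alias "WIFI"
        set ip 192.168.50.254 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 50
    next
end
config firewall address
    edit "NET_DESKTOP"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "NET_CAMS"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "NET_WIFI"
        set subnet 192.168.50.0 255.255.255.0
    next
end
# Policies are matched top-down and anything without a match hits the
# implicit deny. That implicit deny is what keeps the cameras off the WAN:
# there is deliberately no policy from L3-20 to wan1.
config firewall policy
    edit 1
        set srcintf "L3-50"
        set dstintf "L3-10"
        set srcaddr "NET_WIFI"
        set dstaddr "NET_DESKTOP"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "allow wifi to desktop (no NAT between internal VLANs)"
    next
    edit 2
        set srcintf "L3-10"
        set dstintf "wan1"
        set srcaddr "NET_DESKTOP"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set comments "allow desktop out to wan"
    next
    edit 3
        set srcintf "L3-50"
        set dstintf "wan1"
        set srcaddr "NET_WIFI"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set comments "allow wifi to the wan"
    next
end
```

The point to notice is that "deny cameras to the wan" is not written as a rule at all: with per-VLAN source interfaces and source addresses on every accept policy, the camera subnet has no path to wan1 other than the implicit deny, so a typo in a future policy cannot silently widen it. NAT is enabled only on the policies whose destination is the WAN interface, so the two internal VLANs still see each other's real addresses.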

ragno
New Contributor

Yes, the firewall is in NAT mode, sorry.

First I want to be able to do a really simple thing: just VLAN 10 and 20 going to the internet. See my tests:

- I set the HP with just one default route: 0.0.0.0 / 0.0.0.0 / 192.168.10.3, where this 10.3 is my wireless router that is connected to ISP A. Then I connected port 10 (VLAN 10 untagged) to the wireless router. What happened? The internet worked perfectly for machines on VLAN 10 and VLAN 20.

So what I did after that result: changed the Fortinet interface INTERNAL to 192.168.10.254 and removed all VLANs.

Then I connected the firewall to port 10 (VLAN 10 untagged) on the switch. I removed the previous default route from the HP and added a new one pointing to the firewall, 192.168.10.254.

I tried to add a route on the FortiGate > 192.168.10.0/24 to 192.168.10.1, did not work.

Created a policy "any any any any permit NAT", did not work.

Created address 192.168.10.0/24, did not work.

Using the FortiGate CLI and executing ping google.com, it pings normally, so the WAN interface is working fine. Using ping from the HP switch to 8.8.8.8 does not work.

Making all these settings doesn't work yet :(

I have to be able to at least connect something to the internet passing through the firewall, to then be able to do the other things that I asked in the first post...
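As an added example (not from ragno's post or from Fortinet), the FortiOS CLI commands below show how to check where a packet from the HP switch is being dropped instead of guessing at policies. The addresses are the ones in ragno's post; "internal" as the interface facing the switch is an assumption. The static route for 192.168.20.0/24 is also an assumption: in a routed design where the FortiGate only has an address on VLAN 10, it needs a route back to the VLAN 20 subnet through the HP's SVI, and that route is the one item ragno's list of attempts does not mention. Lines starting with # are explanatory.

```fortios
# Added example, not from the thread. Interface name "internal" and the
# static-route ID are assumptions; addresses come from the thread.

# 1) Does the FortiGate know how to reach 192.168.20.0/24 for return traffic?
#    In this design the HP SVI 192.168.10.1 must be its next hop.
get router info routing-table all

config router static
    edit 10
        set dst 192.168.20.0 255.255.255.0
        set gateway 192.168.10.1
        set device "internal"
    next
end

# 2) Do the switch's packets reach the FortiGate at all? Verbosity 4 prints
#    the interface each packet arrives on and leaves by. Run the ping from the
#    HP while this is capturing; Ctrl-C stops it.
diagnose sniffer packet internal 'host 8.8.8.8' 4

# 3) Trace the forwarding decision for the same flow: the output names the
#    policy it matched, or says why it was dropped (e.g. no matching policy,
#    or "reverse path check fail" when there is no route back to the source).
diagnose debug flow filter addr 8.8.8.8
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start 10

# 4) Always switch the debug off again afterwards.
diagnose debug disable
diagnose debug reset
```

Read the three checks in order: if the sniffer never shows the ping, the problem is on the switch side or the cabling; if it shows the packet arriving on "internal" but the flow trace reports a reverse path check failure, the missing piece is the return route; if the trace reports no matching policy, the problem is the policy's interfaces or addresses.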