Allowing traffic between 2 Vlan switches

Xaak · ‎12-04-2023

Device is FG-60f running the latest 7.4 firmware.

I have 2 vlan switches set up. One routs traffic to wan1 and the other to wan2. I set up policies and routing policies for them and both are working fine.

Vlan switch 1 services subnet 192.168.2.0/24 and vlan switch 2 services subnet 192.168.3.0/24.

What I need to do is allow traffic between the two subnets.

When I set up firewall policies to allow traffic between source vlan switch 2 destination vlan switch 1, I can ping and access 192.168.2.1 from the 192.168.3.0/24 subnet, but I can't see any of the other devices/ips on the 192.168.2.0/24 subnet. Same thing with firewall policy source vlan switch 1 destination vlan switch 2.

Firewall policies:

Fortinet_Gateway (14) # show
config firewall policy
edit 14
set name "Vlan1"
set uuid 3961879a-900e-51ee-e003-307188be460d
set srcintf "internal"
set dstintf "Internal wan2"
set action accept
set srcaddr "internal"
set dstaddr "Internal wan2 address"
set schedule "always"
set service "ALL"
set profile-protocol-options "test"
set nat enable
next
end

Fortinet_Gateway # config firewall policy

Fortinet_Gateway (policy) # edit 15

Fortinet_Gateway (15) # show
config firewall policy
edit 15
set name "Vlan2"
set uuid 6964594a-900e-51ee-fb76-e2b129d79f1e
set srcintf "Internal wan2"
set dstintf "internal"
set action accept
set srcaddr "Internal wan2 address"
set dstaddr "internal"
set schedule "always"
set service "ALL"
set profile-protocol-options "test"
set comments " (Copy of InterVlan)"
next
end

Ok, so what am I doing wrong here?

TIA

ndumaj · ‎12-04-2023

Hello Xaak,

What is this interface "internal" ?
What is the sub interface for Vlan switch 1 services subnet 192.168.2.0/24 ?

Do you see if the traffic is hitting the policy 14, or not?
-BR*

- Happy to help, hit like and accept the solution -

ndumaj · ‎12-04-2023

Additionally is there any reason using NAT in policy 14 :
set nat enable

-BR-

- Happy to help, hit like and accept the solution -

Xaak · ‎12-04-2023

No particular reason for using nat. I tried it both with nat on and nat off, and when I captured the config it happed to be on.

Xaak · ‎12-04-2023

I don't have any sub interfaces on vlan switch 1 or switch 2. internal is the actual interface name for what I called vlan switch 1.

ndumaj · ‎12-04-2023

So interface "internal" = Vlan switch 1 services subnet 192.168.2.0/24

Why are you using NAT in policy 14 :
set nat enable

-BR-

- Happy to help, hit like and accept the solution -

Xaak · ‎12-04-2023

@ndumaj

Correct

"internal" = vlan switch 1 services 192.168.2.0/24

"Internal wan2" = vlan switch 2 services 192.168.3.0/24

I set nat disable initially, when it didn't work as expected, I set nat enable to try. I just happend to capture the config while it was set to enable.

Toshi_Esumi · ‎12-04-2023

Not sure how your "Vlan1" is configured, but vlan tag 1 is reserved in FortiOS.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Reserved-VLAN-ID-1/ta-p/270111

Toshi

Xaak · ‎12-04-2023

Hi @Toshi_Esumi,

Coming to the rescue again :)

Both vlan switches have vlan id = 0 and have no vlans underneath them.

ndumaj · ‎12-04-2023

Hi,
What is "internal" interface configuration?
Do you have configured route?
BR

- Happy to help, hit like and accept the solution -

Allowing traffic between 2 Vlan switches

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website