robdog
New Contributor

Intervlan routing core > fortigate help

Hi. I will try to be as detailed as possible. Currently we have our network configured as in the draft below. I'm trying to migrate from VLAN 1 to a server VLAN, but when I enable VLAN 100 no VLAN traffic is routed through the firewall.

1. Removed x.x.x.x/255.255.0.0 from Internal
2. Create Servers VLAN and add x.x.x.x/255.255.0.0
3. Remove x.x.x.x 255.255.0.0 from the VLAN 1 SVI on the core network
4. Add x.x.x.x 255.255.0.0 to the VLAN 100 SVI on the core network

 

Existing config

    config system interface
        edit "Internal"
            set vdom "root"
            set ip x.x.x.x 255.255.0.0
            set allowaccess ping https ssh snmp
            set type aggregate
            set netflow-sampler both
            set member "port1" "port2"
            set device-identification enable
            set role lan
            set snmp-index 12
        next
    end

Config proposal...

    config system interface
        edit "Internal"
            set vdom "root"
            set allowaccess ping https ssh snmp
            set type aggregate
            set netflow-sampler both
            set member "port1" "port2"
            set device-identification enable
            set role lan
            set snmp-index 12
        next
        edit "Servers"
            set vdom "root"
            set ip x.x.x.x 255.255.0.0
            set allowaccess ping https ssh snmp
            set device-identification enable
            set role lan
            set snmp-index 24
            set interface "Internal"
            set vlanid 100
        next
    end

Once this was applied, the following log message is produced. Now I know I can create a rule with the Servers interface and that will route through the firewall, but I want to route all VLANs coming from the core network to the internet using the Internal aggregate interface that we currently have.

id=20085 trace_id=36 func=print_pkt_detail line=4903 msg="vd-root received a packet(proto=1, x.x.x.x:18->8.8.8.8:2048) from Servers. type=8, code=0, id=18, seq=4."
id=20085 trace_id=36 func=init_ip_session_common line=5047 msg="allocate a new session-001deb00"
id=20085 trace_id=36 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-x.x.x.x via Internet"
id=20085 trace_id=36 func=fw_forward_handler line=577 msg="Denied by forward policy check (policy 0)"

                 FortiGate
         Aggregated Internal Port
                 x.x.x.x
                    |
          802.1q LACP etherchannel
                    |
         -- Core Layer ----
     Vlan 1 SVI | Vlan 100 SVI | Vlan 200 SVI
                    |
         -- Access layer ----
      Vlan 1     Vlan 100     Vlan 200   etc

 

Just looking for some guidance really on what's the best way forward. I want to keep our existing setup as far as the Internal aggregate interface passing all VLAN traffic from the core, but I don't want to do that through a VLAN SVI as the point to point.

 

Cheers RD

oheigl
Contributor II

The log message means you didn't have a firewall policy in place for this traffic. In your debug flow you can see that the packet arrives correctly through the VLAN interface, so the configuration works fine.

Can you explain further what you mean with your last paragraph? 

robdog
New Contributor

Yeah sure, so I created a rule to allow this traffic as you say and voila.

 

id=20085 trace_id=79 func=resolve_ip_tuple_fast line=4967 msg="Find an existing session, id-001e9e41, original direction"
id=20085 trace_id=79 func=__ip_session_run_tuple line=2880 msg="SNAT x.x.x.x->x.x.x.x:60418"
id=20085 trace_id=80 func=print_pkt_detail line=4903 msg="vd-root received a packet(proto=1, x.x.x.x:28->8.8.8.8:2048) from Servers. type=8, code=0, id=28, seq=2."

 

So our existing setup is as follows:

 

172.x.x.x address configured on the Internal interface, no VLANs configured under this.

 

Default route on core

 

Gateway of last resort is 172.x.x.x to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 172.x.x.x

 

All VLAN traffic is passed through policies on the Aggregate interface.

 

So for example:

 

    set name "TESTPolicy"
    set uuid 0f825434-8298-51e7-5070-61c202da70ab
    set srcintf "Internal"
    set dstintf "External1"
    set srcaddr "grp.intl.clients"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "Web Access"
    set utm-status enable
    set profile-protocol-options "default"
    set ssl-ssh-profile "deep-inspection-policy"
    set nat enable

 

When the VLAN 100 sub-interface is configured, the Internal aggregate does not route any traffic. If I configure an IP on the Internal interface (as shown in the existing config) in the same subnet as the VLAN 1 SVI, all VLAN traffic routes correctly to the internet.

 

I don't want to have to configure each VLAN subinterface on the rule sets; it just over-complicates our design.

 

oheigl
Contributor II

Well, you can just put all VLAN subinterfaces into a zone and create a policy from Zone > External. If you don't want to control traffic between the VLANs, untick "Block intra-zone traffic"; that's the simplest way to configure it.

It's not my personal preference to design it like this, but if you want to keep it simple, I think this is the easiest way.
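The zone approach described in this reply, written out as an added FortiOS CLI example that is not part of the thread or anyone's posted config. It assumes a second VLAN subinterface named "Clients" for VLAN 200 (a constructed name and address) alongside "Servers", and reuses the "External1", "Web Access" and profile names from the TESTPolicy shown earlier; lines starting with # are explanatory comments.

```fortios
# Added example of the zone approach suggested above, not the poster's config.
# Assumed: VLAN subinterfaces "Servers" (vlanid 100) and "Clients" (vlanid 200)
# parented on "Internal"; WAN interface "External1" as in TESTPolicy above.
config system interface
    edit "Clients"
        set vdom "root"
        # constructed address for the example
        set ip 10.200.0.1 255.255.0.0
        set allowaccess ping
        set role lan
        set interface "Internal"
        set vlanid 200
    next
end

# An interface cannot be joined to a zone while a firewall policy still
# references it directly, so re-point or delete such policies first.
config system zone
    edit "LAN-Zone"
        # CLI equivalent of unticking "Block intra-zone traffic" in the GUI
        set intrazone allow
        set interface "Servers" "Clients"
    next
end

# One policy covers every VLAN behind the core; a new VLAN only needs to be
# added to the zone, not to the rule set. Tighten srcaddr to per-VLAN
# address groups where "all" is too broad.
config firewall policy
    edit 0
        set name "LAN-Zone_to_Internet"
        set srcintf "LAN-Zone"
        set dstintf "External1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "Web Access"
        set utm-status enable
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection-policy"
        set nat enable
    next
end

# Re-run the debug flow from the thread; a "Denied by forward policy check
# (policy 0)" line now means the source VLAN interface is not yet in the zone.
diagnose debug flow filter addr 8.8.8.8
diagnose debug flow trace start 10
diagnose debug enable
```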