Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Anatoli
New Contributor II

Created on ‎04-24-2024 01:15 AM

VLan fortigate

The goal is to pass vlan 8 and vlan 40 MGMNT without tagging. how i can do it?

The configuration inside internal port 1, but my suggestion is to be able to use vlan 40, similar to native mgmnt ap, and the vlan 8 pass for the trunk as well.

Vlan 8 is currently fconfigured it on the internal VLAN switch for the purpose of connecting the printer so that port 3 is connected.

There is a conflict if I try to add vlan 8 (such as 8021.q) to port 1 and I wish to provide an IP address because vlan 8 is assigned to an internal vlan switch.

how I am able to accomplish it Connect port 1 to meraki, untag vlan 40 MGMT, and pass vlan 8.

 

maybe the setup it is not  correct. The AP dosen´t  come up

 

Meraki ap is now like dhcp

 

AP_meraki.png

 

 

 

 
Labels:
355
0 Kudos
8 REPLIES 8
AEK
SuperUser
SuperUser

Created on ‎04-24-2024 04:50 AM

Hi Anatoli

Can you share the following command?

show system interface internal

 

AEK
AEK
315
Anatoli
New Contributor II
In response to AEK

Created on ‎04-24-2024 05:39 AM

Hi @AEK 

 

show system interface internal
config system interface
edit "internal"
set vdom "root"
set ip 10.27.8.1 255.255.254.0
set allowaccess ping
set type hard-switch
set stp enable
set role lan
set snmp-index 15
next

302
0 Kudos
hbac
Staff
Staff

Created on ‎04-24-2024 05:05 AM

Hi @Anatoli,

 

What do you mean without tagging? tagging is done by the switch and not FortiGate. To allow traffic between VLANs, you need to create firewall policies. It would be easier to put internal1 under the same VLAN switch as internal3 and put everything in the same VLAN if you don't wan to create a firewall policy. 

 

Regards, 

311
0 Kudos
Anatoli
New Contributor II
In response to hbac

Created on ‎04-24-2024 05:46 AM

hi @

Similar to native vlan . I want to utilise vlan 40 for AP management and vlan 8 for users/ printres  when they  user connect to the AP get range vlan 8 

 

 

300
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎04-24-2024 01:34 PM Edited on ‎04-24-2024 01:34 PM

Hi Anatoli

Tagging VLANs in FortiGate is useful if you want to pass multiple VLANs from a switch to FortiGate via a single link (trunk).

Can you please elaborate more what you want to accomplish?

Why do you need the VLAN to be untagged?

Where do you need it untagged? (at FG hardware switch level? at L2 switch level? ...)

AEK
AEK
244
Anatoli
New Contributor II

Created on ‎04-24-2024 02:43 PM

Hi @AEK 


The purpose is the Meraki AP and printer works .
The management vlan is often similar to native except that the AP is registered under this mgmn vlan in my case (40).For this reason I need to pass both vlan 8 and vlan 40 . 

 

Iin this instance, I have two devices connected to fortigate ports: a printer connected to port 3 and a Meraki AP connected to port 1, .
If i attemp to put the port 1 like trunk and pass vlan 40 and vlan 8 i have a conflict because i set up the internal 3 for printer in vlan switch with ip .

how i can to put the vlan 8 in two ports ?  for the printers works and the ap works .

 

229
0 Kudos
AEK
SuperUser
SuperUser
In response to Anatoli

Created on ‎04-24-2024 02:54 PM

Hi Anatoli

If I understand well you are connecting devices directly to your firewall and want to put some of these connected devices in the same VLAN, right?

First I don't think this is a good practice, since FortiGate ports are considered expensive comparing with switch ports, so first I'd use an external manageable L2 switch, with a trunk to FortiGate, and connect all needed devices to the switch.

On the other hand if we suppose you don't have a L2 switch, I don't know a way to do this with a FortiGate's hardware switch interface, except if your devices can do VLAN tagging (which is not so sure for a printer), and still this seems not like a good practice.

So if you don't have a L2 switch I think your solution is not to use the same VLAN for printer and user, like you can just plug your printer to some FG port without trying to tag the port. This will still allow users to access the printer but through a firewall policy.

Hope this helps.

AEK
AEK
226
0 Kudos
AEK
SuperUser
SuperUser
In response to AEK

Created on ‎04-24-2024 03:11 PM

After thinking twice, in case the above solution doesn't suit you then I think you can do with this workaround:

  1. On FG, create a hardware switch of two interfaces
  2. Create a VLAN interface (VLAN 40) inside the hardware switch
  3. In your Meraki AP, set your management VLAN as tagged and user VLAN as untagged
  4. Connect your Maraki AP to the first HW switch port and your printer to your second HW switch port

This way your users can communicate with the printer through the same untagged VLAN.

AEK
AEK
219
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.