- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- (Basic?) VLAN Issues!
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(Basic?) VLAN Issues!
I have read a lot of the articles relating to this, watched videos, and talked with support but still can't get to the bottom of this problem.
I have a FortiGate-30E (running 6.0.2) and a Netgear Switch (GS724TPv2 ProSAFE 24-Port Gigabit Smart Managed Switch) Both are supposedly 802.1q compliant. (?)
I am trying to setup 4 simple VLANs.
These 3:
10 - Main (main network, data, printers)
DHCP: 192.168.10.1 /24
20 - Guest (just for the Guest SSID network, FortiAP)
DHCP: 192.168.20.1 / 24
30 - Voice (for the Polycomm VoIP phones)
DHCP: 192.168.30.1 / 24
and this 1 just in case the Netgear switch needs this to function (?)
1 - Management
DHCP: 192.168.100.1 / 24
None of the VLAN networks need to talk to eachother (no inter-VLAN routing needed) just need to go out to the WAN/Internet.
The main LAN/Hardware switch interface in the Fortigate has all 4 ports as members. It has the address 192.168.1.1
Underneath are the 4 VLAN interfaces, with their DHCP enabled.
Under IPv4 Policy, I have simple policies for each one that allow them to go out to the WAN.
I have port 1 of the Fortigate connected to port 1 of the Netgear switch. I would like this to be the Trunk port and have all VLAN traffic go through this one cable.
On the Netgear switch, I created the exact same VLAN IDs. I have port 1 tagged for all of them (10, 20, 30) and 1 as untagged, otherwise I lose communication.
Everything plugged into the router or switch gets an IP of 192.168.1.x (LAN interface) - I don't even wan to use that subnet. I started off with that LAN interface DHCP disabled, thinking everything plugged in would be a member either VLAN 10, 20, or 30. But then nothing was getting an IP, and to communicate with anything I had to type in Manual IPs that LAN range, so I enabled DHCP and the switch gets 192.168.1.2, and anything plugged in anywhere is on that subnet.
As a simple test, I plugged in a Mac Mini (VLAN unaware) to port 24 of the Netgear switch. I would like to be on VLAN 10, and get a .10.x IP (not .1.x) I made port 24 a member of VLAN 10 / untagged. And I set the PVID from 1 to 10 to force incoming data on the switch to get tagged with 10. As soon as I change the PVID from 1 to anything else I lose communication. That Mac Mini ethernet port goes red and eventually gets a 169 self assigned IP. If I switch the PVID back to 1, it gets the LAN interface IP. I've tried a lot of combinations but nothing works. It's either 192.168.1.x or no communication.
I have been on the phone with Fortinet support, screenshared in, and they said everything looks good it must be the switch.
I have been on the phone with Netgear support (for hours, experimenting), screenshared in, and they said everything looks good it must be the router.
Ahhh!
1) How the hell can I get this working? What am I doing wrong?
2) Should I have created that Managment VLAN #1 ?
3) Do I need to use a VDOM? (not really sure what that is)
As you may notice, I'm not a VLAN expert and I don't really use the CLI.
The forti support did a sniff cmd on 67 and 68 and the traffic was not a part of any VLAN.
Please let me know if you need any other details in order to solve this. I am hoping to get this working today and will reply quickly.
Many thanks for the help!
Tom
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see one questionable part in this description. You said for vlans (1, 10, 20, 30) in addition to 192.168.1.0/24 (FGT's default untagged subnet) but also said vlan1 (192.168.100.0/24) is untagged, which is not possible.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FGT 192.168.1.0/24 untagged per default.
FGT does not change your vlan tagging at all (i.e. FGT Vlan Ports/INterface are always tagged).
You wrote your ports on the netgear switch are tagged too.
This means all traffic that does not already have vlan tag and comes to the netgear will get vlan tag 1 and "fall" into the FGT's default subnet. That I suppose is why you are getting 192.168.1.x dhcp ips.
If you want to connect to one vlan either your client has to do the tagging or the port must be untagged in that vlan on the switch or you would have some device between client and switch which does that (this is what my accesspoints do here e.g.).
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Related Posts
- Moving away from Software Switches -... 198 Views
- SSH Session Time Out 154 Views
- Wifi-Bridge with FortiWifi as controller in... 313 Views
- Fortimanager API (7.4.2) 146 Views
- How does intra-switch-policy explicit work? 474 Views
Labels
-
FortiGate
6,538 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
Customer Service
70 -
FortiToken
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
Firewall policy
24 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
SSL SSH inspection
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
Schedule
1 -
4.0MR1
1 -
SDN connector
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
FortiPAM
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
FortiManager-VM
1 -
Zone
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.