Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
vynx
New Contributor

vlan to internal / lan

Hi,

I use a FortiGate 60D, version 5.2.

Topology:

internet <-> wan1 - FortiGate - internal <-> L3 switch

I created the FortiGate configuration like below:

internal in switch mode
IP range, let's say 10.3.10.1-10.3.10.255
subnet mask 255.255.255.0

VLAN 10 as a sub-interface on internal
IP range, let's say 192.168.50.1-192.168.50.255
subnet mask 255.255.255.0

VLAN 20 as a sub-interface on internal
IP range, let's say 192.168.60.1-192.168.60.255
subnet mask 255.255.255.0

I already created access with a policy from VLAN 10 to wan1, and it can access the internet.

How do I give access from VLAN 10 to internal?

I tried to give a policy from VLAN 10 to internal with:

source VLAN 10,
source address any,
destination internal,
destination address any.

It doesn't work.

Is there anything that I need to add?

 

 

3 REPLIES
kknuckles
New Contributor

You would need a policy that allows VL10 to 20 and another with the inverse, 20 to 10.

If you have it set to allow multiple interfaces to be selected in your policy, then you can accomplish this in one policy by selecting both VL10 and VL20 as the source and VL10 and VL20 as the destination. When you do it this way, your policy view is restricted to Sequence view and not Interface Pair view.

 

Alternatively, you can create a Zone that has both VLANs in it, then define your policy that allows ZoneName to ZoneName. FYI, not my original idea. Look at Mike's Zone Deployment video at http://www.fortinetguru.com/2017/01/basic-zone-deployment/

 

Mike is the man!

Thank you for your time,

 

Kevin W. Knuckles
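As an added example (not configuration posted by vynx or Kevin), this is the FortiOS 5.2 CLI equivalent of the setup vynx describes, plus the one policy the question actually needs: vlan10 to internal. The FortiGate is stateful, so replies to sessions opened from VLAN 10 are matched to the existing session and need no reverse policy; a separate internal-to-vlan10 policy is only required if hosts on 10.3.10.0/24 must initiate connections into 192.168.50.0/24. Nothing here permits vlan10 to vlan20, which stays blocked by the implicit deny. The interface names vlan10/vlan20, the address object names, the service ALL and the use of intrazone deny in the zone variant at the end are assumptions of this example.

```fortios
# Added example, FortiOS 5.2 CLI; names in quotes are assumed, not from the thread.
# VLAN sub-interfaces on the switch-mode "internal" port. allowaccess ping makes the
# gateway answer ICMP so the interface itself can be used as a reachability test.
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "internal"
        set vlanid 10
        set ip 192.168.50.1 255.255.255.0
        set allowaccess ping
    next
    edit "vlan20"
        set vdom "root"
        set interface "internal"
        set vlanid 20
        set ip 192.168.60.1 255.255.255.0
        set allowaccess ping
    next
end

# Address objects: one per subnet, so the policy below is not "any to any".
config firewall address
    edit "NET_INTERNAL"
        set subnet 10.3.10.0 255.255.255.0
    next
    edit "NET_VLAN10"
        set subnet 192.168.50.0 255.255.255.0
    next
end

# The policy vynx needs. No NAT: both sides are private subnets routed by this box,
# and NAT between them would hide the real client address from the internal hosts.
config firewall policy
    edit 0
        set srcintf "vlan10"
        set dstintf "internal"
        set srcaddr "NET_VLAN10"
        set dstaddr "NET_INTERNAL"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
        set comments "VLAN10 clients to the internal LAN; replies use the session table"
    next
end

# Variant of Kevin's zone idea if both VLANs must reach internal but NOT each other:
# intrazone deny blocks vlan10 <-> vlan20 inside the zone, and a single zone-to-internal
# policy replaces two per-interface ones. Interfaces that are zone members can no longer be
# named directly in policies, so the existing vlan10 -> wan1 policy must be changed to
# "VLANS" -> wan1 before the interfaces can be added to the zone.
config system zone
    edit "VLANS"
        set intrazone deny
        set interface "vlan10" "vlan20"
    next
end
```

Check the result with `diagnose sniffer packet internal 'host 192.168.50.10' 4` from the CLI while a host on VLAN 10 connects to something on 10.3.10.0/24: traffic that matches the policy shows both the request on vlan10 and the reply on internal; if only requests appear, the reply path is the problem, not the policy.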

vynx
New Contributor

Hi,

 

Thanks for the reply;

however, I didn't want to open access between VLAN 10 and VLAN 20 and vice versa.

Is it mandatory when I just want to access the internal area from VLAN 10?

I mean, I just need to access the IP range 10.3.10.1-10.3.10.255 from 192.168.50.1-192.168.50.255,

but not from 192.168.50.1-192.168.50.255 to 192.168.60.1-192.168.60.255 and vice versa.

dennisv
New Contributor III

Hi,

Set up ICMP/ping on the internal interface (default).

Can you ping the IP address of the internal interface (10.3.10.1) from VLAN 10 (192.168.50.x)?

If not, are you using any routing on the L3 switch? Check that.

If you are not using routing on the L3 switch, check the policies.

 

 

Consultant @ Exclusive Networks BV

Datacenter Networking and Security

NSE4 6.0

Fortinet, HPe/Aruba, Arista, Juniper and many more
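The checks dennisv lists, run from the FortiGate CLI, as an added example that is not part of his post. The point of the sniffer step is to separate the two failure modes he names: if ICMP from a VLAN 10 host never arrives on vlan10 at all, the L3 switch (or the host's default gateway pointing at the switch instead of 192.168.50.1) is handling the traffic and no FortiGate policy can help; if it arrives and the flow trace reports a deny, the policy is the problem. The test host address 192.168.50.10 is an assumption of this example, and the `#` lines are annotations, not commands.

```fortios
# Added example, FortiOS 5.2 CLI. 192.168.50.10 is an assumed test host on VLAN 10.

# 1. allowaccess is per interface; ping must be enabled on the interface you target.
config system interface
    edit "internal"
        set allowaccess ping https ssh
    next
    edit "vlan10"
        set allowaccess ping
    next
end

# 2. Both subnets should appear as connected routes on the FortiGate; if 10.3.10.0/24
#    or 192.168.50.0/24 is missing or learned via the switch, routing is the issue.
get router info routing-table all

# 3. While the host pings 10.3.10.1, watch which interface its packets arrive on.
#    Verbosity 4 prints the interface name; 0 as the count means run until Ctrl-C.
diagnose sniffer packet any 'host 192.168.50.10 and icmp' 4 0

# 4. If the packets do arrive on vlan10, trace the policy decision for that host.
diagnose debug reset
diagnose debug flow filter addr 192.168.50.10
diagnose debug flow show console enable
diagnose debug flow trace start 10
diagnose debug enable
#    ... repeat the ping from the host, read the trace (it names the matching policy id,
#    or reports "Denied by forward policy check" when no policy matches), then stop:
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

Leaving the flow trace running on a busy box is itself a problem, so always finish with `diagnose debug disable` and `diagnose debug reset`.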
