Domsi

LAN to VLAN

Hi!

 

I know there are many threads on this topic, but none of the recommendations was helpful.

 

Network:

  • LAN with PCs: 192.168.0.0/24
  • VLAN with security cameras: 192.168.1.0/24

    I want to access the security cameras (192.168.1.X) from the PCs (192.168.0.X). I have created policies to allow traffic between the LAN and the VLAN. Because this is not working, I have also created static routes.

     

    Here is my network configuration (FortiGate 60D):

     

    # Interfaces: "lan" is a soft-switch (type switch) holding 192.168.0.1/24,
    # "internal" is the hard-switch with no IP of its own, and "Test" is VLAN 100
    # stacked on "lan" (not on "internal") holding 192.168.1.1/24.
    config system interface
        edit "lan"
            set vdom "root"
            set ip 192.168.0.1 255.255.255.0
            # Management access includes plain-text http next to https; on an
            # interface facing end-user PCs, https (plus ping) is the safer subset.
            set allowaccess ping https http
            set type switch
            set snmp-index 10
        next
        edit "internal"
            set vdom "root"
            # Hard-switch (virtual-switch) interface; the port membership is in
            # "config system virtual-switch" below.
            set type hard-switch
            set role lan
            set snmp-index 8
        next

        edit "Test"
            set vdom "root"
            set ip 192.168.1.1 255.255.255.0
            # Same note as on "lan": http management is exposed on the camera VLAN as well.
            set allowaccess ping https http
            set alias "Test"
            set device-identification enable
            set role lan
            set snmp-index 5
            # Parent is the soft-switch "lan" (type switch above), not the hard-switch "internal".
            set interface "lan"
            set vlanid 100
        next
    end

     

    # Hard-switch "internal" on physical switch sw0, bundling ports internal1-internal7.
    # Nothing else in this dump references "internal": the VLAN "Test" is parented on "lan".
    config system virtual-switch
        edit "internal"
            set physical-switch "sw0"
            config port
                edit "internal1"
                next
                edit "internal2"
                next
                edit "internal3"
                next
                edit "internal4"
                next
                edit "internal5"
                next
                edit "internal6"
                next
                edit "internal7"
                next
            end
        next
    end

     

    # Address objects for the two subnets. "local_lan" is bound to interface "lan";
    # "Test_Address" has no interface binding. Neither object is referenced by the
    # policies below, which use "all" for srcaddr and dstaddr.
    config firewall address
        edit "local_lan"
            set uuid 566fe8c6-5184-51e5-affc-8b01de3981a7
            set associated-interface "lan"
            set subnet 192.168.0.0 255.255.255.0
        next

        edit "Test_Address"
            set uuid 87235306-5512-51e8-c84e-2115e954c9fe
            set subnet 192.168.1.0 255.255.255.0
        next
    end

    # Two any/any policies, one per direction between "lan" and "Test", both with
    # service ALL and NAT enabled. Once connectivity works, the address objects
    # defined above ("local_lan", "Test_Address") and a narrower service set would
    # restrict what the camera VLAN can reach on the PC LAN and vice versa.
    config firewall policy
        edit 6
            set name "Test_1"
            set uuid b011cb80-5512-51e8-e91a-636992d4b20e
            set srcintf "lan"
            set dstintf "Test"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            # NOTE(review): source NAT here rewrites PC addresses towards the cameras; for
            # routing between two directly connected subnets this is presumably not
            # needed and it hides the real client IP from the camera side — confirm.
            set nat enable
        next
        edit 7
            set name "test2"
            set uuid d39ea21c-5512-51e8-94e2-999aa8d06ef5
            set srcintf "Test"
            set dstintf "lan"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            # Unlike policy 6, no "set logtraffic all" here: traffic initiated from the
            # camera VLAN towards the PC LAN is not logged by this policy.
            set nat enable
        next
    end

    # Static routes whose gateways are this unit's own interface addresses
    # (192.168.1.1 is "Test", 192.168.0.1 is "lan"), each via the other interface.
    # Both destinations are directly connected subnets, so these routes add nothing
    # once the interfaces appear as connected ("C") in the routing table.
    config router static
        edit 3
            set dst 192.168.1.0 255.255.255.0
            set gateway 192.168.1.1
            set device "lan"
        next
        edit 4
            set dst 192.168.0.0 255.255.255.0
            set gateway 192.168.0.1
            set device "Test"
        next
    end

     

    With this it is possible to ping 192.168.1.1 from a PC (LAN, 192.168.0.2) and from the FortiGate CLI, but I cannot ping the device 192.168.1.2. If I assign a PC the IP 192.168.1.3, it is also not possible to ping 192.168.0.1 from it. Can anyone help me get this working? If you need any more information or configuration, please let me know.

     

    Thank you

    Toshi_Esumi

    I don't think you can set a VLAN on a soft-switch (switch interface); you wouldn't see the VLAN interface's IP in the routing table. It has to be at least a hard-switch (virtual-switch) — in your case "internal" — or an individual physical interface. Then you should see it in the routing table as "C" (Connected). You don't need any routes for connected destinations.

    Domsi

    Thank you for the quick response. You are completely right; it only works with the hard-switch. I have removed the soft-switch completely and used the hard-switch instead, and now everything is working.

     

     
