Support Forum
ljustman
New Contributor

Help with Setting Up VLANs

Hello,

I work at a school, primarily as a teacher, but handle the tech for the building as well. I am very new to enterprise networking, and I am hitting a brick wall with setting up vlans. This seems like it should be pretty simple from what I have read, but I can't seem to make it work.

 

We have a Fortinet 100E Firewall that goes out to Aruba switch A. Aruba Switch A goes out to Aruba Switch B and two Ubiquiti wireless access points. Aruba Switch B goes out to 5 wireless access points. The goal is to create three wireless networks-- one for staff, one for students, and one for guests.

 

I created the VLAN IDs on the Fortinet and the Aruba switches. I associated a wireless network SSID on the Ubiquiti controller with each vlan ID.

 

I am still not 100% sure on the right combination of tagged/untagged/trunk ports-- but I think I have tried every possible combination. The closest I have gotten to things working as intended is tagging all ports involved on the Arubas. That leaves me with working DHCP handling (in the proper VLAN IP range), but no internet access.

 

Sorry if my terminology doesn't quite make sense... I'm definitely learning all this as I go! If anyone needs clarification, just ask. Thank you in advance for your help.

tanr
Valued Contributor II

If you're unsure about this, I'd recommend seeing if the school can bring in a consultant to bring you up to speed, or find a parent with a networking background who can volunteer their time.  Might save you and the school a lot of trouble in the end.

 

Besides looking through the main manuals and admin guides, check the cookbook articles at https://cookbook.fortinet.com/ and especially https://cookbook.fortinet.com/getting-started/ for your appropriate FortiOS version (which is?).   You might need to look at recipes from 5.4 as not all recipes have been ported to 5.6.

 

A really good (though getting out of date) book on working with FortiGates is UTM Security with Fortinet: Mastering FortiOS: https://www.amazon.com/UTM-Security-Fortinet-Mastering-FortiOS/dp/1597497479

 

FortiGate vlan interfaces, created on top of its physical interfaces, are tagged only.  The FortiGate doesn't work with untagged (native) vlans.  So make sure your switches are using tagged trunk ports in their communication with each other, the FortiGate, and the Ubiquiti controllers.

 

I assume you've got the FortiGate working as the DHCP server for each vlan?  Or are you serving them from the Ubiquiti APs?  Unrelated notes: You'll need to make sure your APs are managed in a way that lets them hand off connections as users move around the building.  And you'll need to think about how you authenticate users.

 

It sounds like your users are connecting to wifi and getting IPs, but can't get out to the internet.

Do they have local connectivity?  For example, if you enable PING on the vlan interface of the FortiGate, can they ping that IP?

 

For getting access to the internet, you need both a default route to your wan interface, and appropriate security policies allowing traffic from the specific vlans to the wan interface.  I would recommend that you put your various interfaces into zones (create zones on the interface page and add interfaces to them).  Then create your security policies using the zones instead of the interfaces.  This makes changing around interfaces later much easier.

capricorn80
New Contributor II

 

Create three VLANs, let's say 400, 401 and 402.

 

On the Aruba you can do vlan 400-402 and it will create the VLANs.

 

Trunk the ports between Aruba A and Aruba B, as your access points are connected to it.

You need to allow these three VLANs on the trunk between the switches.

 

Then create a trunk port that will connect from Switch A to the FortiGate.

On the FortiGate, select one interface -> Create New -> Interface -> Student

-> Type: VLAN -> Interface: select the port number that is connected to the Aruba switch.

VLAN ID: 400 - Role: LAN

 

Address: take any address range that is not in use. Let's say 10.10.10.1/24

Administrative Access -> select PING to test connectivity.

 

Repeat the same steps to create the other VLAN numbers, 401 and 402, and take a different address range.

Vlan 400: 10.10.10.1/24

Vlan 401: 10.10.10.1/24

Vlan 402: 10.10.10.1/24

 

On the switch port that is connected to the Aruba, tag VLANs 400, 401 and 402 and untag the management VLAN for the AP.

 

Create a zone in the firewall with the name Wireless and add all three virtual interfaces to it. This way you only create one policy to give internet access to all SSIDs.

 

Let me know if you need more info
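The steps in this post, written out as an added FortiOS CLI example (this is not from the original post and was not run on the poster's unit): three tagged VLAN sub-interfaces on one physical port, a DHCP scope on one of them, the Wireless zone, a default route and a single outbound policy with NAT. The names port2 and wan1, the VLAN IDs 400-402, the three 10.10.x.0/24 subnets (distinct per VLAN, as the post's own "take a different address range" requires) and the 203.0.113.x WAN addresses are assumptions for illustration. None of it passes traffic unless the switch port facing port2 carries VLANs 400-402 tagged.

```fortios
# Added example in FortiOS 5.4/5.6 style CLI. Assumed: port2 faces Aruba A,
# wan1 faces the ISP; VLAN IDs 400-402 and all addresses are illustrative.

# 1. Tagged VLAN sub-interfaces on the port facing the switch, one subnet each.
config system interface
    edit "staff"
        set vdom "root"
        set interface "port2"
        set vlanid 400
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
    edit "students"
        set vdom "root"
        set interface "port2"
        set vlanid 401
        set ip 10.10.11.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
    edit "guest"
        set vdom "root"
        set interface "port2"
        set vlanid 402
        set ip 10.10.12.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end

# 2. DHCP scope for the staff VLAN; repeat with the matching subnet for
#    "students" and "guest". The VLAN interface address is the gateway.
config system dhcp server
    edit 1
        set interface "staff"
        set default-gateway 10.10.10.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.10.10.100
                set end-ip 10.10.10.200
            next
        end
    next
end

# 3. Zone grouping the three VLANs. "intrazone deny" keeps staff, students
#    and guests from reaching each other through the FortiGate.
config system zone
    edit "Wireless"
        set intrazone deny
        set interface "staff" "students" "guest"
    next
end

# 4. Default route out wan1 (ISP gateway is a placeholder address).
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
    next
end

# 5. One policy from the zone to the WAN. "set nat enable" rewrites the
#    private 10.10.x.x sources to the wan1 address; without it clients get
#    DHCP leases but their packets never come back from the internet.
config firewall policy
    edit 0
        set name "Wireless-to-Internet"
        set srcintf "Wireless"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

With ping allowed on the VLAN interfaces, a client that has a lease but no internet can ping its gateway (10.10.10.1 and so on) to confirm the tagging is right before looking at routes and policies.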

capricorn80

I read your last comment now. BTW, why do you want to use three different public IPs for three SSIDs?

You can use the NAT option under the IPv4 Policy.

ljustman

Hey Capricorn80.

I am using Blocksi, a DNS based web filtering service. The goal is to have each interface isolated to a public IP. Each public IP entered in Blocksi can have a different web filtering policy in place.

 

I follow what you are saying, but I haven't been able to get it to work thus far. I created an IP pool with one external IP in it and set it to one-to-one. Then I set that IP pool in the NAT section of my policy. When I do that, I no longer have internet access.

 

Am I doing something wrong?

capricorn80

What outgoing interface are you using in your policy?

Can you write your policy here, like:

incoming interface

outgoing interface

 

You don't need to write your exact public IP.

 

 

Toshi_Esumi
Esteemed Contributor III

Sounds very exciting for your new assignment. You must be a science or math teacher.

I don't know how to configure Aruba switches and Ubiquiti APs, but if you want the FG100E to provide a DHCP server to each SSID's clients, you have to have VLAN subinterfaces on the 100E. Since everything is coming through the Aruba switch, I would connect only one physical interface of the 100E to Aruba-A and build all VLANs on it (unless the combined traffic goes beyond 1Gbps). FortiGate VLAN interfaces are always tagged (no untagged VLAN is supported), so you need to make the Aruba-A side a "trunk" port and likely need to make the AP side a "trunk" as well to pass the SSID VLAN to the AP. I'm assuming the AP has an option to make an SSID "bridged" with a VLAN tag like many other APs, while the AP management plane connects to a non-tagged interface, probably a part of the physical (parent) interface on the 100E side, which is non-tagged.

Others in this forum might have experience with Aruba SW and/or Ubiquiti AP configuration.

 

Toshi

rwpatterson
Valued Contributor III

Sounds like you are 90% there. On the egress policies, make sure NAT is enabled. Private IPs are terminated at the ISP equipment and are not sent out to the Internet, so without NAT, you get no Internet. From any connected device, run a traceroute and you will see how far your traffic goes before it dies. A very easy way to spot the bump in the road.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ITadm
New Contributor II

I'm setting up something similar atm :). 

 

I'm not an expert, but I think it should look like this (example ports):

 

Fortigate 100E  -- port 2 to port 1 --> Aruba A -- port 20 to port 1 --> Aruba B -- port 4,5,6 --> APs with multi SSID

VLAN 1,2,3,4

 

VLAN1,2,3,4 on A should be tagged to port 1 and port 20, if the switch has some APs connected, their ports should be tagged to needed VLANs. So, when you just want to send VLAN traffic to another device you just tag the port, 0 ports should be untagged unless you want to plug for instance 1 PC for VLAN 1, then you untag traffic to proper port to VLAN 1.

 

On B VLAN 1,2,3,4 should be tagged to port 1 and 4,5,6. You have to add all VLANs with correct IDs and names on every device.

 

The fun part is setting up Fortigate 100E itself, creating firewall policies and creating flow between the VLANs and WAN, but there are plenty of high quality videos about it provided by Fortigate.

 

It works for me, maybe it will help you too :)

Goodluck! 

ljustman
New Contributor

Hey all-- thank you for your help. I am sorry for not replying sooner; it has been a hectic start to the school year. Your advice was helpful. I didn't at all think about policy/NAT, and setting those up was all I needed to do!

 

This is kind of unrelated, but the next part of this setup is pointing each of these vlans to a different IP address provided by the ISP. I know they are going to give me a /29 block of IP addresses.... what's the best way to add this to my fortigate and point each vlan (staff, student, and guest) at its own IP? 

 

I am using a DNS based web filter (Blocksi) and the plan is to configure different policies there. The Blocksi folks tell me I can point a policy at a specific Public IP.
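The question above, and the earlier IP-pool attempt in this thread, as an added FortiOS CLI example (not from any of the posts): wan1 takes one address from an assumed ISP /29 (203.0.113.8/29, a documentation range), three more addresses become one overload IP pool each, and each VLAN gets its own outbound policy pinned to its pool. The interface names staff, students and guest are assumed to already exist as VLAN sub-interfaces. The pool type is the caveat worth knowing: a one-to-one pool holding a single address can translate only one internal host at a time, so a whole /24 of clients behind it mostly loses connectivity; an overload (PAT) pool shares that one address across every host in the VLAN, which is what a per-SSID public IP for a DNS-based filter needs.

```fortios
# Added example. Assumed ISP block 203.0.113.8/29: .9 is the ISP gateway,
# .10 is wan1 itself, .11/.12/.13 are the per-VLAN source NAT addresses.
# staff/students/guest are assumed VLAN sub-interfaces created earlier.

config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.248
    next
end

config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.9
    next
end

# One overload (PAT) pool per VLAN. Because the pool addresses sit inside
# the wan1 subnet, the FortiGate answers ARP for them on wan1; no extra
# secondary IP is needed. A one-to-one pool with one address would only
# ever translate a single client.
config firewall ippool
    edit "pool-staff"
        set type overload
        set startip 203.0.113.11
        set endip 203.0.113.11
    next
    edit "pool-students"
        set type overload
        set startip 203.0.113.12
        set endip 203.0.113.12
    next
    edit "pool-guest"
        set type overload
        set startip 203.0.113.13
        set endip 203.0.113.13
    next
end

# One policy per VLAN (not per zone), each pinned to its pool. Policies
# match top-down, so these must sit above any broader zone-wide policy;
# "edit 0" appends at the bottom, use "move <id> before <id>" if needed.
config firewall policy
    edit 0
        set name "staff-out"
        set srcintf "staff"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-staff"
        set logtraffic all
    next
    edit 0
        set name "students-out"
        set srcintf "students"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-students"
        set logtraffic all
    next
    edit 0
        set name "guest-out"
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-guest"
        set logtraffic all
    next
end
```

To confirm a VLAN is leaving with the right address, run "diagnose sniffer packet wan1 'port 53' 4" on the FortiGate while a client on that VLAN resolves a name; the DNS query should show the pool address as its source, which is the address the filtering service sees. If the ISP routes the /29 to your wan1 address instead of putting it on-link, the pools work the same way but wan1 then carries the ISP's link address rather than one from the /29.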
