- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FortiGate E100 and Aruba 2930F L3 switch VLAN rout...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate E100 and Aruba 2930F L3 switch VLAN routing issue in FortiGate
Hi All,
Good Day,
Thank you in advance for your time to read this and helping me to solve this problem.
Currently I have a setup like this
On Fortigate I remove port 2 and port 3 on the lan profile and configured as VLAN's each assigned to VLAN10 and VLAN20
ON VLAN10 --- > 10.10.0.1/24 - Untagged (Internet Access Hosts)
ON VLAN20 --- > 192.168.0.1/24 - Untagged (LAN Only)
Port 1-10 - VLAN10
Port 11-20 - VLAN20
Now my issue is this,
I've created the profile and rules as well as IP address that will be used by the VLANS in NAT/Route Mode in Fortinet
But My hosts that needs internet can't seem to route them.
Should I configure the VLAN's ports to be trunked so fortigate sees all ports as one? I want fortigate to do the routing so it makes sense that i will not define a default gateway in my vlans.
I'm new to Fortinet and I've seen a lot of guides but no solid answer and I'm hoping if anyone here can give me one. Any help or advise is appreciated.
Regards,
Ian
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hard to say with such few details.
On a FGT you usually have a vlan as virtual interface that is bound to a physical one.
And then you have to have polices to allow your traffic that have the vlan interface as destination or source.
That's the way I do it here on our FGTs.
e.g
FGT Port1 (=physical interface) (static ip of our default subnet) - connected to switch
+ vlan1 (virtual vlan interface) VID 11 (static ip of vlan 11 subnet) [on FGT this will always be untagged!]
Switch: Uplink Port (physical interface connected to FGT Port1) is untagged in VID 1 (default vlan) [because HP switches want to have every port untagged in one vlan] AND tagged in VID 11.
Ports that have to access (ONLY) VID 11 are Untagged in VID11 and not in any other VID.
Ports that have to access more VIDs have to be tagged in all of them. In this case the device connected to those has to do the correct vlan tagging on packets.
Then on FGT e.g. have Policy:
Source Interface: vlan 11
Destination Interface: WAN (Internet)
Source: vlan 11 subnet
Destination: any
Service: all
NAT: enabled (use ip of Destination Interface) [dnat]
Clients in vlan11 must have the vlan 11 subnet ip of the virtual interface as default gw!
To clarify:
Untagged: Switch considers packets that come in on this port not to be vlan tagged and will then tag all packets with the vlan the port is untagged in. If a packet does have a vlan tagging it will be overwritten unless the port is als tagged in this vlan.
tagged: Switch will not touch vlan tagging on packets on this port at all. If the port is not untagged in one vlan it will then only accept packets with vids the port is tagged in.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hard to say with such few details.
On a FGT you usually have a vlan as virtual interface that is bound to a physical one.
And then you have to have polices to allow your traffic that have the vlan interface as destination or source.
That's the way I do it here on our FGTs.
e.g
FGT Port1 (=physical interface) (static ip of our default subnet) - connected to switch
+ vlan1 (virtual vlan interface) VID 11 (static ip of vlan 11 subnet) [on FGT this will always be untagged!]
Switch: Uplink Port (physical interface connected to FGT Port1) is untagged in VID 1 (default vlan) [because HP switches want to have every port untagged in one vlan] AND tagged in VID 11.
Ports that have to access (ONLY) VID 11 are Untagged in VID11 and not in any other VID.
Ports that have to access more VIDs have to be tagged in all of them. In this case the device connected to those has to do the correct vlan tagging on packets.
Then on FGT e.g. have Policy:
Source Interface: vlan 11
Destination Interface: WAN (Internet)
Source: vlan 11 subnet
Destination: any
Service: all
NAT: enabled (use ip of Destination Interface) [dnat]
Clients in vlan11 must have the vlan 11 subnet ip of the virtual interface as default gw!
To clarify:
Untagged: Switch considers packets that come in on this port not to be vlan tagged and will then tag all packets with the vlan the port is untagged in. If a packet does have a vlan tagging it will be overwritten unless the port is als tagged in this vlan.
tagged: Switch will not touch vlan tagging on packets on this port at all. If the port is not untagged in one vlan it will then only accept packets with vids the port is tagged in.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi sw2090,
Good Day,
I've managed to solve this issue last week and sorry for late response.
What I did was, to connect my switch to FGT and disably aruba2930f layer3 on those VLAN's i need and tagged an uplink port to FGT and untagged to those of VLANS switches.
Appreciate your response and it was also helpful for future reference.
Thank you and Regards,
Ian
Related Posts
- Akira Ransomware 36 Views
- can not config anti-repay in fortigate... 121 Views
- VLan fortigate 123 Views
- Question about Fortigate license 61 Views
- Import MAC address list into address... 83 Views
Labels
-
FortiGate
6,500 -
FortiClient
1,298 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
NAT
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.