Setting up vlan fortigate 60e

jkchoa (New Member), 2019/03/29 20:12:45


Hi,
Can you please refer me to a cookbook link on setting up a VLAN for 2 networks comprising PCs and CCTV IP cameras. The PCs are on 192.168.100.x and currently have the firewall as their gateway for internet, while the CCTV IP cameras are on a different subnet, 192.168.200.x. These devices need to have routing to, or rather be able to see, the other PC network, and initially need not have internet. I could really use some examples to get some knowledge and get started.
#1

22 Replies

    ede_pfau (Expert Member, Heidelberg, Germany), 2019/03/30 11:39:23
    This is so simple you won't need a video on it :-)
     
    In order to have traffic across the firewall, the FGT needs to have one port in the VLAN. So, you create a new virtual port in System>Network>Interface, Create New, type: VLAN. It will be a sub-interface of the LAN port (or LAN switch, depending on your hardware).
    I usually assign the address .1 of the VLAN's address space to the FGT port and use it as the gateway of this VLAN. That means that all devices on the VLAN will have the FGT's port address as the gateway of their default route.
     
    Now, if you need to have VLAN traffic reach the WAN, create a policy from the VLAN interface to the WAN port.
    Same for VLAN to LAN, or VLAN to WiFi or whatever.
     
    I've seen setups where the physical LAN port was not used at all - no IP assigned. All traffic coming to and from the LAN port was VLAN traffic. If you use a lot of VLANs it might be better to create an aggregated port first (LACP), and then create VLAN ports associated with it. This will help to provide more bandwidth.
     
    Note that usually you connect the FGT LAN port to a switch. All VLANs which you intend to route/rule through the FGT need to be tagged VLANs, and the connection itself needs to be a VLAN trunk, not an access port. But if you're working with VLANs you will know that anyway.
     
    As with all ports (physical, SSIDs, VLANs, VPNs), network addresses must be unique for each port. You do not need to create routes for port LANs, this is done automatically.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
    jkchoa (New Member), 2019/04/04 01:09:38
    Hi again,
    Thanks for the above response. I tried following your procedure for setting up the VLAN as a sub-interface and the policy. (I'll try to upload the screenshots.)
    However, when testing a laptop with IP 192.168.200.11, it cannot see the new VLAN gateway. What am I missing or doing wrong?

    Actually I am a newbie to VLANs. I tried to test it before on an HP v1910-16G switch but could not seem to get it to work as expected from a guide I found (vmfocus);
    the guide was expecting that the VLAN should route naturally, but in fact the new interface cannot be pinged.

    Attached Image(s)

    #3
    jkchoa (New Member), 2019/04/04 01:16:21
    Sending screenshots....

    Attached Image(s)

    #4
    mahesh secure (Silver Member), 2019/04/04 01:22:19
    Hi,
    What about the switch side configuration? You have to create the data and CCTV VLANs in the switch and make the uplink port to the FortiGate tagged / trunk.
     
    Regards
    Mahesh
    #5
    jkchoa (New Member), 2019/04/04 01:24:28
    And the policy....
    In your last paragraph, "All VLANs which you intend to route/rule through the FGT need to be tagged VLANs, and the connection itself needs to be a VLAN trunk, not an access port." Are you referring to the connecting switch that goes to the FGT? This switch must have VLAN tagging?

    Attached Image(s)

    #6
    jkchoa (New Member), 2019/04/04 01:31:57
    Mahesh,
    On the switch side there is no VLAN configured yet; all VLANs are configured on the FGT.
    #7
    mahesh secure (Silver Member), 2019/04/04 01:49:00
    Hi,
     
    You have to create the same VLAN in the switch with the same VLAN ID and make the port that is connected to the FortiGate a tagged port.
     
    example :
     
    VLAN 2 - Voip
    VLAN 3 - Data
    Switch port 24 is connected to fortigate port
    switch port 1 connected to PC
    switch port 2 connected to CCTV
     
    Create the above VLANs in the switch:
    set switch port 24 mode tagged and set allowed VLANs 2 and 3
    set switch port 1 mode access / untagged and allow VLAN 3
    set switch port 2 mode access / untagged and allow VLAN 2
     
     
    Regards
    Mahesh
     
     
    #8
    ede_pfau (Expert Member, Heidelberg, Germany), 2019/04/04 02:05:47
    A VLAN is a "LAN on a LAN". As such, you need to create it on your switch(es) as well, just as @Mahesh posted.
     
    BTW, disable FMG and CAPWAP access on all ports where you don't use it, e.g. the WAN ports. Unnecessary security hole.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #9
    jkchoa (New Member), 2019/04/04 07:39:51
    Hi Mahesh,
    Need some clarifications. Using the HP 1910-16G switch,
    I've set up VLAN ID 10 with interface IP 192.168.200.253.
    Then selected ports 9 to 15 as untagged for VLAN 10.
    Next made port 16 tagged for VLAN IDs 1 and 10, and connected this to the FortiGate 60E.

    To test I'll use a laptop with IP 192.168.200.12 with gateway 192.168.200.253 and connect it to port 9 on the HP 1910 switch. The problem with the HP 1910 is that the laptop cannot ping the gateway of VLAN 10.
    Only VLAN 1 is working; it can see the other VLAN interfaces or gateways. I tried posting on the HP forums but to no avail, even updated the firmware. Sorry, this HP switch should not be under your scope, but I'm hoping you can tell me what's wrong with my procedure.
    Regards...
    #10
    mahesh secure (Silver Member), 2019/04/05 03:40:19
    Hi,
     
    Please do the below setup:
     
    1. Open CMD on the laptop and type arp -a (share the log).
    2. In the FortiGate, open the CLI and type get system arp (share the log).
    3. Try connecting another laptop to the switch, set its IP address to 192.168.200.13 and try to ping 192.168.200.12.
     
    "I've setup vlan id 10 with interface ip 192.168.200.253": where did you set this, in the FortiGate or the switch?
     
     
    Regards
    Mahesh
    #11
    mahesh secure (Silver Member), 2019/04/05 04:05:23
    Hi ,
     
    If you added 192.168.200.253 with a /24 subnet on the switch VLAN 10 interface, then it will create a route table entry on the switch.
    Try removing the IP from the switch interface and check again.
     
     
    Regards
    Mahesh
    #12
    jkchoa (New Member), 2019/04/08 01:08:27
    Sorry for the delay, I left the switch at my client, but anyway here's the output.
    For #1, sending the arp output.

    Attached Image(s)

    #13
    jkchoa (New Member), 2019/04/08 01:09:35
    Here's the arp output when setting the IP of the laptop to 192.168.200.12.

    Attached Image(s)

    #14
    jkchoa (New Member), 2019/04/08 01:10:47
    And the arp output of the FortiGate, though the HP 1910 switch has not been integrated yet on the network:

    FGT60E4Q16070804 # get system arp

    Address Age(min) Hardware Addr Interface

    192.168.100.25 0 74:46:a0:bd:95:3d internal
    192.168.1.1 0 00:13:33:f5:6c:09 wan1
    192.168.100.82 0 10:60:4b:8e:7e:6b internal
    192.168.100.70 0 10:e7:c6:4a:0a:b7 internal
    192.168.100.8 0 e4:1f:13:3f:12:80 internal
    192.168.100.83 0 f4:4d:30:67:39:24 internal
    192.168.100.21 0 2c:44:fd:1d:a4:15 internal
    192.168.100.84 0 f4:4d:30:67:55:b6 internal
    192.168.100.22 0 6c:62:6d:e7:8f:63 internal
    192.168.100.116 2 00:16:3e:50:5c:43 internal
    192.168.100.85 0 f4:4d:30:67:58:ee internal
    192.168.100.23 0 6c:62:6d:e7:8f:5d internal
    192.168.100.24 0 6c:62:6d:e7:8f:67 internal
    192.168.254.254 0 18:c5:01:b0:9e:e8 wan2
    192.168.100.68 2 10:e7:c6:4a:09:a8 internal
    192.168.100.81 0 f4:4d:30:69:52:59 internal
    #15
    jkchoa (New Member), 2019/04/08 01:14:09
    And lastly,
    "I've setup vlan id 10 with interface ip 192.168.200.253": where did you set this, in the FortiGate or the switch?
    This is set up on the switch, the HP 1910-16G.
    #16
    jkchoa (New Member), 2019/04/08 01:16:10
    Here's the IPv4 route of the switch...
    Strange that when using VLAN 10 the gateway cannot be seen.
    I'll get another cable to simulate a laptop-to-PC local network test and post the output.
    Thanks for your patience.

    Attached Image(s)

    #17
    mahesh secure (Silver Member), 2019/04/08 01:21:55
    Hi,
     
    Could you please share a screenshot or the show running config output of the switch configuration? I think there is no proper layer 2 established.
    #18
    jkchoa (New Member), 2019/04/08 02:26:53
    Mahesh,
     
    Please find attached file I got on the switch CLI.
    #19
    mahesh secure (Silver Member), 2019/04/08 02:51:06
    Hi,
    My understanding is that you are creating 192.168.200.x in the FortiGate, and the gateway for the network is in the firewall only.
     
    Try removing the IP address from the below interface and try to connect.
     
    interface Vlan-interface10
    ip address 192.168.200.253 255.255.255.0
     
    Regards
    Mahesh
    #20
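Putting Ede's FortiGate steps (#2, #9) and Mahesh's switch steps (#8, #20) together, here is what both ends of the trunk look like as CLI configuration. This is an added example, not configuration posted by anyone in this thread. It takes VLAN ID 10 and the 192.168.200.0/24 subnet from the thread and assumes the rest: a FortiGate interface name "cctv", the .1 address as gateway (Ede's convention), Comware-style port names GigabitEthernet1/0/9 through 1/0/16 on the HP 1910 (ports 9 to 15 for cameras and the test laptop, 16 as the uplink), and that VLAN 1 stays the untagged PC network on the same cable. Lines beginning with # are annotations, not device commands.

```text
# ===== HP 1910-16G (Comware) side: the switch stays pure layer 2 =====
# Assumed port naming: GigabitEthernet1/0/1 .. 1/0/16
system-view
 vlan 10
  description CCTV
  quit
 # Port 16 is the uplink to the FortiGate and must be a trunk. VLAN 1 remains
 # the native/untagged VLAN (the existing 192.168.100.x PC network); VLAN 10
 # rides tagged so the FortiGate sub-interface can see it.
 interface GigabitEthernet1/0/16
  port link-type trunk
  port trunk permit vlan 1 10
  quit
 # Ports 9..15 are camera (and test laptop) ports: untagged members of VLAN 10
 interface GigabitEthernet1/0/9
  port link-type access
  port access vlan 10
  quit
 # (repeat the three lines above for GigabitEthernet1/0/10 .. 1/0/15)
 # No IP on the VLAN 10 SVI: the FortiGate, not the switch, is the gateway.
 # With an address here the switch answers ARP for 192.168.200.253 itself and
 # client traffic never reaches the firewall or its policies.
 interface Vlan-interface10
  undo ip address
  quit
 quit

# ===== FortiGate 60E side =====
config system interface
    # VLAN sub-interface on the "internal" hardware switch, tagged VLAN 10;
    # .1 is the clients' default gateway.
    edit "cctv"
        set vdom "root"
        set interface "internal"
        set vlanid 10
        set ip 192.168.200.1 255.255.255.0
        set allowaccess ping
    next
    # Per #9: management protocols do not belong on the WAN side.
    # Weak setting this replaces:
    #   set allowaccess ping https ssh fgfm capwap
    edit "wan1"
        set allowaccess ping
    next
end

config firewall policy
    # Cameras may reach the PC network and vice versa. There is deliberately
    # no cctv -> wan1 policy: FortiOS's implicit deny keeps the cameras off
    # the internet, which is what the original poster asked for.
    edit 0
        set name "cctv-to-pcs"
        set srcintf "cctv"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "pcs-to-cctv"
        set srcintf "internal"
        set dstintf "cctv"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

To verify, point the laptop on port 9 at 192.168.200.1 as its gateway and ping it; on the FortiGate, `get system arp` (the command already used above) should then list 192.168.200.12 on the cctv interface, and on the switch `display vlan 10` should show 1/0/9 to 1/0/15 as untagged and 1/0/16 as tagged members. Once it works, narrowing `set service "ALL"` in the two policies down to the ports the cameras and recorder actually use, and `set dstaddr` to the recorder's address object, is the next hardening step.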