boma23
New Contributor

VLAN handling and DHCP - FTG 61E with UniFi Switch (no USG)

Hi All,

 

I'm building the test lab for an upcoming network for new project, who require FTG and UniFi. This is my first fresh build in 6 years, and indeed first Fortigate and UniFi experience, so please bear with me as I'm learning the nuances.

Diagram shows a stripped out version of what I'm building. My issue was originally that clients connecting to the WAP do not receive any IP address at all, despite the UniFi SSID specifying the correct VLAN ID for VLAN OTHER as clients join.

If I remove the VLAN specification from the SSID, the clients can connect, but instead pick up DHCP from the FTG INT1 DHCP range (which I would eventually want to turn off). If I use a static IP on the client, I still can't ping anything (all interfaces set to allow ping etc. during test build).

I've tried skipping the UniFi switch and creating another test VLAN subinterface on the 61E with DHCP, connected to INT 6. I see the same behavior there - a wired client can only get DHCP from the INT1 range and only if I add the policy. DHCP from the VLAN66 interface is ignored/doesn't work. I did read this might be because the FTG needs an L2 device in front of it to assign the VLAN tag ID though - the VLAN subinterface on the FTG port cannot do this - is that correct?

STP is enabled on the interfaces and subs, NAT disabled on the INT to INT/VLAN policies, and I can't think what else I'm doing wrong... seems to me the core issue is my VLANs not talking between interfaces correctly?

 

Once I can get the VLANS assigning DHCP correctly, I'd like to move the UniFi controller and hardware onto the Management VLAN.

 

Thanks for any help in advance.

sw2090
Honored Contributor

I wouldn't do it so complicated.

 

The easiest way would be to create vlans on int1 with the correct vid and ip setting.

Your switch already has all VIDs tagged on all ports, so it should be fine.

Then you just need policies to allow the traffic between the interfaces.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
boma23
New Contributor

Sorry, might not be clear from diagram, but that's how I believe I have it.

 

All the VLANs are subinterfaces on INT1.

 

The VLANs are also grouped together in a Zone. 

 

Then the policies are between the Zone and the INT1.

 

Does the fact the INT1 is on a hardware switch with INT 1-5 have a bearing?

 

 

Toshi_Esumi
Esteemed Contributor III

The bottom line is it's most unlikely to be a FGT config issue, but rather a switch config issue, which is connecting those ports to the wrong VLANs at the trunk port.

boma23

 

The switch port profile "TRUNK" to INT1 has all VLANs and the same 10.10.1.1/24 "core" subnet specified on it, so it should be sending all tagged VLAN traffic to the FTG. I've also tried setting the UniFi Switch port profile to "All".

 

The UniFi switch is only a layer 2 switch, so can't really think of anything else we can alter there?

 

Connecting to any trunk on the UniFi switch without VLAN being tagged on ingress, works fine with both switch port profiles of TRUNK and ALL, and traffic goes out through FTG to web, with DHCP obtained directly from the root INT1 interface.

 

It's only when clients connect via an SSID and are allotted a VLAN ID that it breaks, which makes me think the FTG is dropping or changing the packets, being the L3 capable device. NAT is disabled on the INT1 to ZONE rules though...

 

FTG Log does show non VLAN stuff coming through, but should I expect to see VLAN traffic tagged as such after the source IP in the log? I see a lot of local IPv6 traffic.

 

How can I test the FTG's handling of the incoming tagged VLAN traffic sent from the UniFi switch and see where it goes/gets dropped?

Toshi_Esumi
Esteemed Contributor III

To me the only way to figure it out is to run a packet capture on each VLAN interface and on the non-VLAN parent interface to see where those DHCP requests are coming in.

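One way to read the capture suggested above, as an added example that is not part of this thread or of FortiOS: on the FortiGate, `diagnose sniffer packet any 'udp port 67 or udp port 68' 4` prints one line per packet with the interface it was seen on (verbosity level 4), and the script below groups such lines by interface to show whether client requests ever reach the VLAN subinterface at all, and whether the FTG replied there. The interface names `internal`, `vlan10` and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Shape of a verbosity-4 sniffer line, e.g.
#   3.553741 vlan66 in 0.0.0.0.68 -> 255.255.255.255.67: udp 300
SNIFFER_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)"
)

# Constructed sample capture (not output from the poster's lab).
# A request arriving only on the parent interface means the tag was
# stripped upstream; a request on a VLAN interface with no reply points
# at the DHCP server or policy on that VLAN.
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[udp port 67 or udp port 68]
3.553741 internal in 0.0.0.0.68 -> 255.255.255.255.67: udp 300
3.553812 internal out 10.10.1.1.67 -> 10.10.1.50.68: udp 300
4.112003 vlan66 in 0.0.0.0.68 -> 255.255.255.255.67: udp 300
4.112090 vlan66 out 10.10.66.1.67 -> 10.10.66.20.68: udp 300
5.900114 vlan10 in 0.0.0.0.68 -> 255.255.255.255.67: udp 300
"""


def summarize_dhcp(capture):
    """Return {interface: {"requests": n, "replies": n}}.

    Client -> server traffic is inbound to UDP 67; server -> client
    traffic is outbound from UDP 67. Header lines and hex dumps that
    do not match the packet-line shape are skipped.
    """
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    for line in capture.splitlines():
        m = SNIFFER_LINE.match(line)
        if not m:
            continue
        iface, direction = m["iface"], m["dir"]
        if direction == "in" and m["dport"] == "67":
            stats[iface]["requests"] += 1
        elif direction == "out" and m["sport"] == "67":
            stats[iface]["replies"] += 1
    return dict(stats)


def unanswered_interfaces(capture):
    """Interfaces that saw DHCP requests but sent no replies."""
    return sorted(i for i, s in summarize_dhcp(capture).items()
                  if s["requests"] and not s["replies"])
```

On the constructed sample, `vlan10` is reported as unanswered, which is the pattern to look for when an SSID's VLAN gets no lease.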
boma23

Thanks for the advice - and apologies, it turns out your first reply was correct :thumbs_up::beaming_face_with_smiling_eyes: I was caught out by my unfamiliarity with UniFi, so leaving this one here for anyone else that comes across it.

My issue turned out to be that the UniFi switch wasn't saving the config. The controller was telling me it was saving settings, but these weren't being applied to the switch. The switch had been stuck in an adoption loop. Because I had already factory reset it, and all the physical routing and config was working fine after resetting, and picking up the correct IP etc. which I could ping, I assumed the switch was actually OK and this was just a handshaking issue to sort out between switch and controller. I thought the reporting in to the UniFi controller had been getting broken once the config was taken. Wrong - what was actually happening was the switch was working after reset in its default state of unmanaged/native VLAN 1 only...

The adoption failure was caused by a mixture of my moving the controller IP, and the switch not picking up my new controller admin pwd (apparently UniFi admins will be familiar with this little trap). To resolve I had to 'forget' the switch config from the controller, SSH in and reset, followed by a re-inform command to the switch with the new controller IP. It then picked up my correct config from the controller and everything sprang to life, with the correct DHCP ranges from the FTG being allotted to the correct SSID client VLAN IDs. The FTG was configured and working perfectly all along :thumbs_up: Thanks for all help.