Solved

Routing Traffic from INTERNAL to a VLAN on Fortigate 100A

Posted on 2013-05-28
Last Modified: 2014-03-07
Hello,

I'm having a problem with setting up a new test lab with a new VLAN.

We have a Fortigate 100A with an internal interface of 192.168.15.0/24.

The new VLAN ID is 50 and the subnet is 192.168.50.0/24, and I've set it up as a new VLAN interface.

Policy routes were set up to go from one to the other, and vice versa. Policy routes were set up as well to go from one to the other.

There is a Cisco switch in between which was set up with a VLAN50, and one port was set up as an access port for VLAN50.

I can ping TO the INTERNAL network from the new VLAN50, but I cannot ping FROM the INTERNAL network to the new VLAN50, no matter what device, nor can I ping the 192.168.50.1 gateway from the internal network.

I've tried playing with the different settings, etc, but can't figure it out.
Question by:CORPORAT
LVL 20

Assisted Solution

by:rauenpc
rauenpc earned 375 total points
and one port was setup as an access port for VLAN50.

Which port on which device? Also, wouldn't you need multiple ports in vlan 50 on the switch to make this work? Perhaps more details on what ports are configured on vlan 50 would help.

Another troubleshooting step you could do would be to connect a laptop directly to the port on the fortigate that is configured for vlan 50. Then you don't need to worry about a switch config. If things work, great; then it's a matter of looking at the switch's config. If it still doesn't work, there is an issue on the fortigate.
Author Comment

by:CORPORAT
Sorry!

A port on the Cisco switch was set as an access port for vlan 50; that is where I'm connecting the laptop into.

The Cisco switch is uplinked to the fortigate 100A's internal switch port #2 via a trunk port on the Cisco switch. Other VLAN traffic passes fine directly to the internet, but this is the first time I've needed to do inter-VLAN traffic (that's not VPN related).
LVL 20

Assisted Solution

by:rauenpc
rauenpc earned 375 total points
Is vlan 50 allowed on the trunk? Use a "show int trunk" and you will be able to see which vlans are forwarding and NOT pruned. If you see it in the allowed list but not in the forwarding list, I would first guess that the vlan wasn't defined on the switch (even though it was added to the trunk). A simple "vlan 50" from config mode will get the vlan added to the switch.
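Turning the "show int trunk" check above into something scriptable, as an added example that is not part of the thread: it parses Cisco IOS "show interfaces trunk" output (a constructed sample, not the asker's switch) and reports whether a VLAN is allowed, active (defined) and forwarding on the trunk.

```python
import re
# Constructed sample (not from the thread): VLAN 50 is allowed on the trunk but
# was never created with "vlan 50", so it is absent from active and forwarding.
SAMPLE = """\
Port        Vlans allowed on trunk
Gi0/1       1-4094
Port        Vlans allowed and active in management domain
Gi0/1       1,10,20
Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20
"""

SECTIONS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}

def expand_vlans(spec):
    """'1,10-12,50' -> {1, 10, 11, 12, 50}; 'none' -> empty set."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part and part.lower() != "none":
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_trunk(text):
    """Return {port: {'allowed': set, 'active': set, 'forwarding': set}}."""
    ports, section, last = {}, None, None
    for line in text.splitlines():
        if line.startswith("Port"):          # header of one of the tables
            section = SECTIONS.get(line[4:].strip())  # None for the Mode table
        elif section and line[:1].isspace() and last:
            ports[last][section] |= expand_vlans(line)  # wrapped VLAN list
        elif section and (m := re.match(r"(\S+)\s+(\S.*)", line)):
            last, spec = m.groups()
            ports.setdefault(last, {k: set() for k in SECTIONS.values()})
            ports[last][section] = expand_vlans(spec)
    return ports

def diagnose(ports, port, vlan):
    # rauenpc's decision order: allowed? defined (active)? forwarding (not pruned)?
    st = ports[port]
    if vlan not in st["allowed"]:
        return "not allowed on trunk: fix 'switchport trunk allowed vlan'"
    if vlan not in st["active"]:
        return "allowed but not active: VLAN not defined, run 'vlan %d'" % vlan
    if vlan not in st["forwarding"]:
        return "active but not forwarding: check STP state or VTP pruning"
    return "ok"
```

Paste the real output into SAMPLE (or read it from a file) and call diagnose(parse_show_trunk(text), "Gi0/1", 50) for the trunk port facing the firewall.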

Author Comment

by:CORPORAT
rauenpc,

- The fortigate is set up with an internal interface, that's 192.168.15.0/24. The VLAN is VLAN 50, 192.168.50.0/24.
- Firewall policy rules allowing all traffic from 192.168.15.0 to 192.168.50.0 and vice versa are set up.

- Yes, VLAN 50 was added to the Cisco 3560 with the VLAN 50 command, I even had labeled it with a name
- Yes, VLAN50 is allowed on the trunk between the fortigate 100A and the cisco 3560 switch.

- We can ping from a device on the 192.168.50.0 network TO the 192.168.15.0, but cannot ping in reverse.

- We ran pings and did two packet sniffers on the fortigate, and can see the fortigate getting the ping traffic from the 192.168.15.0 side hitting the fortigate @ 192.168.15.1, but it doesn't make it to the 192.168.50.0 side.

It looks like it's the fortigate that's the issue here; I'm just wondering what is wrong or if we're doing something wrong.

Fortigate 100A
- Added VLAN interface of 192.168.50.0/24
- Set up DHCP server for 192.168.50.100 - 150
- Set up firewall policy to allow traffic between existing "INTERNAL" network and the new 192.168.50.0 network, in both directions
- Tried policy routes, tried static routes, the router monitor shows the 192.168.50.0 network as directly connected, just can't understand why traffic isn't routing from 192.168.15.0 to 192.168.50.0 network.
LVL 20

Assisted Solution

by:rauenpc
rauenpc earned 375 total points
Does the device on the 50 subnet have a software firewall that is blocking ping? By chance is there a possibly asymmetric routing situation going on (are both devices using the firewall as a gateway directly or is there a layer 3 device between)?

I'm just asking the dumb questions because nothing else comes to mind at the moment. I'm not sure what devices you're using, but is it possible to configure L3 interfaces on the switch to allow them to communicate directly temporarily? I realize there will be no firewall in place, but this will at least verify that there is or is not any problem pinging between the two while on the subnets in question. Once you know for sure that they can ping, then move things back through the firewall and we can assume any issues are going to be on the fortigate.
Author Comment

by:CORPORAT
I had thought that might be the case, but no, I completely disabled the software firewalls, and even tried a second machine.

Also, another strange behavior, I can ping 192.168.50.1 from the 192.168.15.0 network, but not any other IP on the 192.168.50.0 network!

Windows clients don't get the 192.168.50.0 network route advertised automatically either.

We tested with another VLAN, setting it all up exclusively on the switch. Once the fortigate gets introduced as the router, it becomes a problem.

The 3560 is not doing any routing whatsoever, it's just being used as a switch.
LVL 5

Accepted Solution

by:megaman5
megaman5 earned 125 total points
I just had a problem where a vlan interface on the internal wouldn't work on my fortigate. I had to remove it, and build the vlan interface as another interface facing an access interface on my switch so the fortigate didn't need to do vlanning.

Also, try this:

config system settings
set asymroute enable
end
Author Closing Comment

by:CORPORAT
Thanks guys, I got it working with Fortigate support but the correct solution is to create a new VLAN and migrate everything from INTERNAL to it, then this would have been easy.