Fortigate 110c and HP Procurve Layer 3

I have a network with 5 VLANs. VLAN 1 is configured on one of the Ethernet ports on the FortiGate (port7). The other 4 VLANs are sub-interfaces of port7. This is a new client and they were having problems with their voice (internal Lync server). After a network study, we found that all routing was taking place on the FortiGate instead of the Layer 3 switches (HP). So the gateway on every VLAN was port7 for VLAN 1 and the sub-interfaces for the other VLANs. I have VLAN tagging turned on for both the Fortinet and the HP.

The problem with the FortiGate being the router is that we have all the VLAN routing happening on the FortiGate's 100 Mb port. It is maxed at 97%. This is a huge problem. So we wanted to make it so that all the inter-VLAN routing took place on the HP Layer 3 switch instead. It works fine for VLAN 1. However, for all other VLANs, I can't get traffic out to the internet. I worked with support until 12:30 AM today with no luck. They had no clue. They tried to tell me to have multiple default routes on my HP core switch. You can't have multiple default routes. So they were clueless. So I am trying to figure out a solution here. Has anybody dealt with this?
jruskey asked:

Stolsie commented:
Hi

Could you post your routing table from your HP?
Also, have you got OSPF disabled on the FortiGate and static routing tables in there?
Let's say
VLAN 2 is 192.168.2.1 255.255.255.252 on the HP and 192.168.2.2 255.255.255.252 is on port 7 of the FortiGate.
VLAN 10 is 192.168.3.0 255.255.255.0 on the HP; then the FortiGate needs to say in its routing table
192.168.3.0/24 192.168.2.1 (next hop router; it's been a while, it might require just the interface like a PC, so it might be 192.168.2.2)
jruskey (author) commented:
OSPF is disabled on the FortiGate.

VLAN 1 on HP - 10.0.0.1 - VLAN 1 on Fortinet - 10.0.0.254 (default gateway for clients on the VLAN is 10.0.0.1)
Default route on HP: 0.0.0.0/0 10.0.0.254

VLAN 20 on HP - 10.0.10.1 - VLAN 20 on Fortinet - 10.0.10.254 - If my clients point to .254 for the gateway, all works. If I point them to the HP on .1, it doesn't work. However, I can ping other VLANs, I just can't get on the web. So the HP is routing correctly.

The FortiGate routing table has entries such as 10.0.10.0/24 directly connected.
Stolsie commented:
I would remove 10.0.10.254 from the FortiGate and put in a routing rule 10.0.0.0/8 10.0.0.1.

I have a fair number of networks; my firewall routing table looks like this:
Anything going to all private addresses goes to 10.200.0.1 (the IP of my HP L3 switch)
Anything going to any goes to <my next hop router address>

I have no clients on the 10.200.0.1 range; it is presented as a VLAN untagged going to my firewall, and my firewall has only one address for all traffic (LAN side), 10.200.0.2. My HP's default is 0.0.0.0 0.0.0.0 10.200.0.2.
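The two designs Stolsie describes (a transit subnet between the L3 switch and the firewall, and a single summary route on the firewall pointing all internal space back at the HP core) both come down to what each box's routing table says about the *source* of a packet, not just its destination. A FortiGate applies a reverse-path check on ingress: a packet whose source address has no route back out of the interface it arrived on is treated as spoofed and dropped. In the author's "before" state, 10.0.10.0/24 is still directly connected on the VLAN 20 sub-interface, so a 10.0.10.x packet forwarded by the HP onto port7 fails that check, which matches the symptom (inter-VLAN pings work, internet does not). The script below is an added example written for this thread, not code from the original posts or from Fortinet/HP. It models longest-prefix-match routing plus a loose reverse-path check and traces a VLAN 20 client's outbound and return path through the HP core and the FortiGate, using the addresses from the thread; the WAN interface name `wan1`, the ISP next hop `203.0.113.1` and the web server `198.51.100.10` are assumed placeholders (documentation addresses), and the FortiOS CLI shown in a comment is the equivalent of the summary route, not configuration taken from the page.

```python
"""Longest-prefix routing with a reverse-path check: why VLAN 20 loses internet
access once the HP core routes, and why a summary route on the FortiGate fixes it.

Constructed example for this thread; not the author's or Fortinet's code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                    # e.g. "10.0.10.0/24"
    iface: str                     # egress interface name
    gateway: Optional[str] = None  # None means directly connected

    @property
    def net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)


def matches(table: List[Route], addr: str) -> List[Route]:
    """All routes whose prefix covers addr."""
    ip = ipaddress.ip_address(addr)
    return [r for r in table if ip in r.net]


def lookup(table: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match: the most specific covering route wins."""
    return max(matches(table, addr), key=lambda r: r.net.prefixlen, default=None)


def rpf_ok(table: List[Route], src: str, ingress: str) -> bool:
    """Loose reverse-path check: some route to the source must point out of the
    interface the packet arrived on; otherwise the source looks spoofed."""
    return any(r.iface == ingress for r in matches(table, src))


def forward(table: List[Route], src: str, dst: str, ingress: str) -> Tuple[str, str]:
    """Return (next_hop, egress_iface). For a directly connected route the next
    hop is dst itself. A dropped packet is returned as ("drop", reason)."""
    if not rpf_ok(table, src, ingress):
        return ("drop", "rpf-fail")
    r = lookup(table, dst)
    if r is None:
        return ("drop", "no-route")
    return (r.gateway or dst, r.iface)


# HP ProCurve core as the author describes it: "ip routing" on, VLAN 1 =
# 10.0.0.1/24, VLAN 20 = 10.0.10.1/24, default route to the FortiGate.
HP = [
    Route("10.0.0.0/24", "vlan1"),
    Route("10.0.10.0/24", "vlan20"),
    Route("0.0.0.0/0", "vlan1", gateway="10.0.0.254"),
]

WAN_GW = "203.0.113.1"  # assumed ISP next hop (documentation address)

# FortiGate before the change: VLAN 20 is still an addressed sub-interface of
# port7, so 10.0.10.0/24 appears as directly connected there.
FGT_BEFORE = [
    Route("10.0.0.0/24", "port7"),
    Route("10.0.10.0/24", "vlan20"),
    Route("0.0.0.0/0", "wan1", gateway=WAN_GW),
]

# FortiGate after Stolsie's suggestion: 10.0.10.254 removed, one summary route
# hands every internal prefix back to the HP core. FortiOS CLI equivalent:
#   config router static
#       edit 10
#           set dst 10.0.0.0 255.0.0.0
#           set gateway 10.0.0.1
#           set device "port7"
#       next
#   end
FGT_AFTER = [
    Route("10.0.0.0/24", "port7"),
    Route("10.0.0.0/8", "port7", gateway="10.0.0.1"),
    Route("0.0.0.0/0", "wan1", gateway=WAN_GW),
]


def trace_outbound(fgt: List[Route], client: str = "10.0.10.5",
                   web: str = "198.51.100.10") -> list:
    """VLAN 20 client (gateway = HP 10.0.10.1) sends to the internet.
    Returns each device's forwarding decision in order."""
    hops = []
    hop = forward(HP, client, web, "vlan20")      # arrives on HP VLAN 20
    hops.append(("hp", hop))
    if hop[0] == "drop":
        return hops
    # HP's next hop 10.0.0.254 is the FortiGate's VLAN 1 address on port7
    hops.append(("fortigate", forward(fgt, client, web, "port7")))
    return hops


def trace_return(fgt: List[Route], client: str = "10.0.10.5",
                 web: str = "198.51.100.10") -> Tuple[str, str]:
    """Reply from the internet: the FortiGate must hand it back to the HP core."""
    return forward(fgt, web, client, "wan1")


if __name__ == "__main__":
    for name, tbl in (("before", FGT_BEFORE), ("after", FGT_AFTER)):
        print(name, trace_outbound(tbl), trace_return(tbl))
```

In the "before" table the FortiGate drops the client's packet at the reverse-path check; in the "after" table it forwards out `wan1` and routes the reply to 10.0.0.1 on port7, where the HP delivers it into VLAN 20. One practical caveat on the "after" side: the FortiGate firewall policy from port7 to the WAN interface must now permit the internal source ranges (10.0.10.0/24 or the whole 10.0.0.0/8), since the policies that previously matched the VLAN 20 sub-interface no longer apply to traffic arriving on port7.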
jruskey (author) commented:
So right now I have a ton of rules on the Fortinet. It allows VLAN 1 to get to 10 and things like that. When my HP does the routing, I basically have to ignore the rules on the Fortinet and create ACLs on the HP? Would that be a correct assumption?
Stolsie commented:
Well, your FortiGate will still handle your internal-to-external rules and external-to-internal.
Your HP should be handling the internal routing and, if need be, VACLs for inter-VLAN access control.
That was the original problem: your internal inter-VLAN routing was being done by the firewall.
jruskey (author) commented:
Thanks. I will give this a try.
Stolsie commented:
Good luck. If no joy, I'll be here :)
Well, providing things are still quiet my end, lol.