We help IT Professionals succeed at work.
Get Started
To enable Internet on a new VLan from our Fortinet Firewall
Hello:
Originally we had 1 Corporate Data VLan. Now, I have created a new data VLan that is to be used exclusively for Servers. This new VLan is setup and is fully route-able between the Original VLan-1 and VLan-11. I can logon and use internal DNS; but internet is not yet enabled on VLan-11.
VLan-1 = 172.20.1.0/24
VLan-11 = 172.20.11.0/25
One may look at a previous question that I posed regarding this setup: https://www.experts-exchange.com/questions/28870700/Why-will-a-new-VLan-not-work-on-a-specific-HP-Switch.html
My question today is regarding how to enable internet on this new VLan-11? We have an "Internal" Zone/Interface from the Fortigate Firewall. This Internal Interface has ports 1-7 assigned to it on the Firewall. Port#1 on the Firewall is connected to a VLan-1 port one on our Corporate Data Switches. This VLan-1 port is Port#2 on switch .252 (See the attached diagram).
I have created a case with Fortinet to enable internet from the Fortigate Firerwall to VLan-11 on our network. We had some problems executing this task and they are stating that tagged frames are not being routed from the switch to the Firewall. Their exact descriptin is the following:
"The CorpServerVlan Interface, on the Fortigate, is listening to ‘tagged’ traffic on VLan-11. The Corporate Data Switch when pinging the fortigate (172.20.11.125) is not tagged. Pings are coming through the ‘Internal’ interface not the CorpServerVLan Interface. Please see the attached network diagrams and screen shots of what me and the Fortigate Technician have done.
Keep in mind that I can have laptops logon to the AD network and ping everything on VLan-1. Equally important VLan-1 devices can ping VLan-11 devices and copy files back and forth.
I have a theory, to fix this internet problem since Ethernet Port#1 on the Fortigate Firewall is already assigned to the Internal Interface and that same port is already connected to port #2 on a VLan-1. Could "Tagging" VLan-11 on the same port (Port#2 on data switch) enable internet on VLan-11 as well?
From-Corp-Server-Vlan-to-Wan1_edited.doc
1stpage_Public.pdf
Originally we had 1 Corporate Data VLan. Now, I have created a new data VLan that is to be used exclusively for Servers. This new VLan is setup and is fully route-able between the Original VLan-1 and VLan-11. I can logon and use internal DNS; but internet is not yet enabled on VLan-11.
VLan-1 = 172.20.1.0/24
VLan-11 = 172.20.11.0/25
One may look at a previous question that I posed regarding this setup: https://www.experts-exchange.com/questions/28870700/Why-will-a-new-VLan-not-work-on-a-specific-HP-Switch.html
My question today is regarding how to enable internet on this new VLan-11? We have an "Internal" Zone/Interface from the Fortigate Firewall. This Internal Interface has ports 1-7 assigned to it on the Firewall. Port#1 on the Firewall is connected to a VLan-1 port one on our Corporate Data Switches. This VLan-1 port is Port#2 on switch .252 (See the attached diagram).
I have created a case with Fortinet to enable internet from the Fortigate Firerwall to VLan-11 on our network. We had some problems executing this task and they are stating that tagged frames are not being routed from the switch to the Firewall. Their exact descriptin is the following:
"The CorpServerVlan Interface, on the Fortigate, is listening to ‘tagged’ traffic on VLan-11. The Corporate Data Switch when pinging the fortigate (172.20.11.125) is not tagged. Pings are coming through the ‘Internal’ interface not the CorpServerVLan Interface. Please see the attached network diagrams and screen shots of what me and the Fortigate Technician have done.
Keep in mind that I can have laptops logon to the AD network and ping everything on VLan-1. Equally important VLan-1 devices can ping VLan-11 devices and copy files back and forth.
I have a theory, to fix this internet problem since Ethernet Port#1 on the Fortigate Firewall is already assigned to the Internal Interface and that same port is already connected to port #2 on a VLan-1. Could "Tagging" VLan-11 on the same port (Port#2 on data switch) enable internet on VLan-11 as well?
From-Corp-Server-Vlan-to-Wan1_edited.doc
1stpage_Public.pdf
Why Experts Exchange?
Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.
Jim Murphy
Programmer at Smart IT Solutions
When asked, what has been your best career decision?
Deciding to stick with EE.
Mohamed Asif
Technical Department Head
Being involved with EE helped me to grow personally and professionally.
Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question
Connect with Certified Experts to gain insight and support on specific technology challenges including:
- Troubleshooting
- Research
- Professional Opinions
Did You Know?
We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE