Pkafkas
To enable Internet on a new VLan from our Fortinet Firewall

Hello:

Originally we had 1 Corporate Data VLan.  Now, I have created a new data VLan that is to be used exclusively for Servers.  This new VLan is set up and is fully routable between the Original VLan-1 and VLan-11.  I can log on and use internal DNS; but internet is not yet enabled on VLan-11.

VLan-1   = 172.20.1.0/24
VLan-11 = 172.20.11.0/25

One may look at a previous question that I posed regarding this setup:  https://www.experts-exchange.com/questions/28870700/Why-will-a-new-VLan-not-work-on-a-specific-HP-Switch.html

My question today is regarding how to enable internet on this new VLan-11?  We have an "Internal" Zone/Interface from the Fortigate Firewall.  This Internal Interface has ports 1-7 assigned to it on the Firewall.  Port#1 on the Firewall is connected to a VLan-1 port one on our Corporate Data Switches.  This VLan-1 port is Port#2 on switch .252 (See the attached diagram).

I have created a case with Fortinet to enable internet from the Fortigate Firewall to VLan-11 on our network.  We had some problems executing this task and they are stating that tagged frames are not being routed from the switch to the Firewall.  Their exact description is the following:

"The CorpServerVlan Interface, on the Fortigate, is listening to ‘tagged’ traffic on VLan-11.  The Corporate Data Switch when pinging the fortigate (172.20.11.125) is not tagged.  Pings are coming through the ‘Internal’ interface not the CorpServerVLan Interface."  Please see the attached network diagrams and screen shots of what me and the Fortigate Technician have done.

Keep in mind that I can have laptops logon to the AD network and ping everything on VLan-1.  Equally important VLan-1 devices can ping VLan-11 devices and copy files back and forth.

I have a theory to fix this internet problem: since Ethernet Port#1 on the Fortigate Firewall is already assigned to the Internal Interface and that same port is already connected to port #2 on VLan-1, could "Tagging" VLan-11 on the same port (Port#2 on the data switch) enable internet on VLan-11 as well?
From-Corp-Server-Vlan-to-Wan1_edited.doc
1stpage_Public.pdf
ASKER CERTIFIED SOLUTION
Garry Glendown
ASKER

Ok,

It sounds as if 'tagging' port#2 on the HP ProCurve Switch is worth a shot.  Is that correct?

The Fortigate Tech. stated: "You can try this, anything coming on the Internal Interface with Vlan11 will be directed to the proper Vlan interface."

On another note, IP Routing is enabled on the HP ProCurve switch, which also has Routing rules that govern sending traffic to here or there.  This part was set up by a consultant who has worked with ProCurves a lot more frequently than I have.  I do wish to keep focus on the enabling of internet on different VLans.

At my previous workplace, I set up multiple Corporate VLans for various reasons and I want to say that I needed to 'tag' these extra VLans in the router that had the internet connection from our Firewall for the 'Internal' Firewall Zone.  But I will try it out and we will see.  It does not sound as if anything bad will happen, and if so it is easily reversed.  Just remove the tagged VLan.
ASKER

Also one may see the zone interface rules that were created from the screen shots:  From-Corp-Server-Vlan-to-Wan1_edited.doc

That is attached to this question.
ASKER

Tagging port#2, on switch .252 did not enable internet on Vlan-11.  I wonder what is required?  Any other ideas?

Again, Fortinet support stated: "The CorpServerVlan Interface, on the Fortigate, is listening to ‘tagged’ traffic on VLan-11.  The Corporate Data Switch when pinging the fortigate (172.20.11.125) is not tagged.  Pings are coming through the ‘Internal’ interface not the CorpServerVLan Interface."

Any ideas on the next step?  I think I may need some assistance from someone who has more experience working with the Fortinet 100D.  The basic ideas are covered.

1.  Have a fully routable-VLan.
2.  Configure an address object to make rules on the FG100D.
3.  Make the appropriate Security policies on FG100D.
4.  Tag the Ethernet port with the new VLan, that allows Internet to come in from the Internal- Interface/Zone coming from the FG100D.
ASKER

I have a consultant scheduled to assist today in the afternoon.
ASKER

The consultant got Internet enabled on that new VLan-11.

The consultant did the following:

1.  Removed the 3 policies on the Firewall related to Vlan-11.
2.  Removed the sub-interface on the Firewall.
3.  Added a static route on the Firewall to send 172.20.11.0 traffic back to the HP Switch 172.20.1.254.
        a.  172.20.1.254 has a default route 0.0.0.0/0.0.0.0 to the Firewall.

This worked.  My question is why?
ASKER

It appears that Internet is allowed through VLan-1; but a default route is enabled on Switch .254 to send traffic to the Firewall.

I think since internet is only allowed via VLan-1, if VLan-11 traffic is routed to the Firewall, the static route (172.20.11.0 -> 172.20.1.254) sends the traffic back to switch .254's management IP address (Vlan-1).  Then the Vlan-1 traffic is allowed to the internet.

Then the internet acknowledgements and receives are sent back to the original sender.  I think that is how it is working.  This does not sound like the most efficient way to send traffic.
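A hop-by-hop trace of the layer-3 path that the consultant's static route creates, to answer the "why" above (added example, not from the thread or from the devices' own configuration). It models routing only, not the VLAN tagging issue, and assumes a Fortigate internal address of 172.20.1.1, a WAN gateway of 198.51.100.1 and constructed server/Internet endpoints; the prefixes and 172.20.1.254 are the ones given in the thread.

```python
# Added example: longest-prefix-match trace over the two routers in the thread.
# Assumed (not in the thread): firewall internal IP, WAN gateway, endpoint hosts.
from ipaddress import ip_address, ip_network

FW_INTERNAL = "172.20.1.1"      # assumed Fortigate address on VLAN-1 (Internal)
WAN_GW = "198.51.100.1"         # assumed upstream gateway on wan1

# device -> [(prefix, next hop)]; next hop None means directly connected.
ROUTES_AFTER = {
    "FG100D": [
        (ip_network("172.20.1.0/24"), None),              # Internal interface, VLAN-1
        (ip_network("172.20.11.0/25"), "172.20.1.254"),   # the consultant's static route
        (ip_network("0.0.0.0/0"), WAN_GW),                # default route to the Internet
    ],
    "HP-switch": [
        (ip_network("172.20.1.0/24"), None),              # VLAN-1 SVI (.254)
        (ip_network("172.20.11.0/25"), None),             # VLAN-11, routed on the switch
        (ip_network("0.0.0.0/0"), FW_INTERNAL),           # switch default route to firewall
    ],
}
# Same topology with the static route on the firewall removed, for comparison.
ROUTES_BEFORE = {
    "FG100D": [r for r in ROUTES_AFTER["FG100D"] if r[1] != "172.20.1.254"],
    "HP-switch": ROUTES_AFTER["HP-switch"],
}
OWNER = {"172.20.1.254": "HP-switch", FW_INTERNAL: "FG100D"}  # who owns a next-hop IP

def lookup(routes, device, dst):
    """Longest-prefix match on one device's table; returns (prefix, next hop)."""
    dst = ip_address(dst)
    candidates = [(net, nh) for net, nh in routes[device] if dst in net]
    return max(candidates, key=lambda r: r[0].prefixlen)

def trace(routes, start, dst):
    """Follow dst from router to router until delivered locally or handed to the WAN."""
    hops, device = [], start
    while True:
        net, nh = lookup(routes, device, dst)
        hops.append((device, str(net), nh))
        if nh is None or nh not in OWNER:   # delivered on a connected VLAN, or left via WAN
            return hops
        device = OWNER[nh]

if __name__ == "__main__":
    server, internet = "172.20.11.10", "203.0.113.10"   # constructed endpoints
    print("outbound:", trace(ROUTES_AFTER, "HP-switch", internet))
    print("return, after fix:", trace(ROUTES_AFTER, "FG100D", server))
    print("return, before fix:", trace(ROUTES_BEFORE, "FG100D", server))
```

Without the static route the firewall's only match for a 172.20.11.x reply is its default route, so the return packet is sent toward the WAN instead of back to the switch; with it, the reply takes one extra hop through VLAN-1 to the switch, which then delivers it on VLAN-11.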
ASKER

I've requested that this question be deleted for the following reason:

I figured this out on my own.