To enable Internet on a new VLAN from our Fortinet firewall

Hello:

Originally we had one Corporate Data VLAN. Now I have created a new data VLAN that is to be used exclusively for servers. This new VLAN is set up and is fully routable between the original VLAN 1 and VLAN 11. I can log on and use internal DNS, but Internet is not yet enabled on VLAN 11.

VLAN 1  = 172.20.1.0/24
VLAN 11 = 172.20.11.0/25

One may look at a previous question I posed regarding this setup: http://www.experts-exchange.com/questions/28870700/Why-will-a-new-VLan-not-work-on-a-specific-HP-Switch.html

My question today is how to enable Internet on this new VLAN 11. We have an "Internal" zone/interface on the FortiGate firewall. This Internal interface has ports 1-7 assigned to it on the firewall. Port 1 on the firewall is connected to a VLAN 1 port on one of our corporate data switches. This VLAN 1 port is port 2 on switch .252 (see the attached diagram).

I have created a case with Fortinet to enable Internet from the FortiGate firewall to VLAN 11 on our network. We had some problems executing this task, and they are stating that tagged frames are not being routed from the switch to the firewall. Their exact description is the following:

"The CorpServerVlan interface, on the FortiGate, is listening to 'tagged' traffic on VLAN 11. The Corporate Data Switch, when pinging the FortiGate (172.20.11.125), is not tagged. Pings are coming through the 'Internal' interface, not the CorpServerVLan interface." Please see the attached network diagrams and screenshots of what the FortiGate technician and I have done.

Keep in mind that I can have laptops log on to the AD network and ping everything on VLAN 1. Equally important, VLAN 1 devices can ping VLAN 11 devices and copy files back and forth.

I have a theory for fixing this Internet problem. Ethernet port 1 on the FortiGate firewall is already assigned to the Internal interface, and that same port is already connected to port 2 on the data switch, which is a VLAN 1 port. Could "tagging" VLAN 11 on that same port (port 2 on the data switch) enable Internet on VLAN 11 as well?
Attachments:
From-Corp-Server-Vlan-to-Wan1_edited.doc
1stpage_Public.pdf

Asked by Pkafkas (Network Engineer)
Garry Glendown (Consulting and Network/Security Specialist) commented:
On a general note, you do need an L3 device to handle communication between the different VLANs. That MAY be another device in your network (in which case you maybe shouldn't also add the FG to it), or it can be the FortiGate. Depending on your security concerns, using the FG to segment the two areas has several benefits ...
Anyway, adding the VLAN interface on port 1 and tagging the VLAN on the switch will give you general access; then of course you will need rules to get to the outside, plus rules for communication between VLANs 1 and 11 (in the simplest case, permit any/any between the two, or reduce it to the services you actually want accessible).
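The following is an added example, not configuration from the original post, from Fortinet support or from Garry's answer, of what the FortiGate-routed design Garry describes looks like in FortiOS CLI: a VLAN 11 sub-interface on the Internal interface (so tagged frames arriving on port 1 land on it), an address object, an outbound policy, and one inter-VLAN policy. The interface name CorpServerVlan, the address 172.20.11.125/25 and the parent interface "internal" come from the question; the object and policy names, the service lists, the VLAN 1 object, the "wan1" interface name and the FortiOS 5.4-style `set name` keyword are assumptions. The `#` lines are annotations for the reader, not FortiOS syntax.

```fortios
# Added example (not from the original post): FortiGate as the L3 gateway for VLAN 11.
# Assumes FortiOS 5.4+ syntax; names marked ASSUMED are illustrative.

config system interface
    edit "CorpServerVlan"               # name used in the question
        set vdom "root"
        set ip 172.20.11.125 255.255.255.128   # FortiGate's address in 172.20.11.0/25
        set allowaccess ping            # keep management access on the server VLAN minimal
        set interface "internal"        # parent: the Internal hardware switch (ports 1-7)
        set vlanid 11                   # only 802.1Q-tagged VLAN 11 frames reach this interface
    next
end

config firewall address
    edit "VLAN1_net"                    # ASSUMED name
        set subnet 172.20.1.0 255.255.255.0
    next
    edit "CorpServerVlan_net"           # ASSUMED name
        set subnet 172.20.11.0 255.255.255.128
    next
end

config firewall policy
    edit 0                              # 0 = allocate the next free policy ID
        set name "CorpServerVlan-to-Internet"   # ASSUMED
        set srcintf "CorpServerVlan"
        set dstintf "wan1"              # ASSUMED WAN interface name
        set srcaddr "CorpServerVlan_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS" "NTP"  # ASSUMED: servers rarely need "ALL" outbound
        set nat enable                  # source-NAT behind wan1
        set logtraffic all
    next
    edit 0
        set name "Users-to-Servers"     # ASSUMED: the inter-VLAN rule Garry mentions
        set srcintf "internal"
        set dstintf "CorpServerVlan"
        set srcaddr "VLAN1_net"
        set dstaddr "CorpServerVlan_net"
        set action accept
        set schedule "always"
        set service "RDP" "SMB" "DNS" "PING"    # ASSUMED: reduce from any/any to what is used
        set logtraffic all
    next
end
```

On the ProCurve side the matching change is `vlan 11` followed by `tagged 2` on switch .252, leaving port 2 untagged in VLAN 1. The caveat a practitioner would want: this only works if the FortiGate (172.20.11.125), not the switch, is the default gateway of the VLAN 11 hosts and the switch stops routing VLAN 11 itself. With IP routing enabled on the ProCurve and its default route pointing at the FortiGate, as the question describes, Internet-bound packets from VLAN 11 are routed by the switch onto VLAN 1 and arrive untagged on Internal, which is exactly what Fortinet support observed. `diagnose sniffer packet internal 'icmp' 4` versus the same command on CorpServerVlan shows which interface the pings actually hit, and `diagnose debug flow filter addr 172.20.11.125`, `diagnose debug flow trace start 20`, `diagnose debug enable` shows the route and policy decision the FortiGate makes for them.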

Pkafkas (author) commented:
Ok,

It sounds as if 'tagging' port 2 on the HP ProCurve switch is worth a shot. Is that correct?

The FortiGate tech stated: "You can try this; anything coming in on the Internal interface with VLAN 11 will be directed to the proper VLAN interface."

On another note, IP routing is enabled on the HP ProCurve switch, which also has routing rules that govern where traffic is sent. This part was set up by a consultant who has worked with ProCurves a lot more frequently than I have. I do wish to keep the focus on enabling Internet on different VLANs.

At my previous workplace, I set up multiple corporate VLANs for various reasons, and I want to say that I needed to 'tag' these extra VLANs in the router that had the Internet connection from our firewall for the 'Internal' firewall zone. But I will try it out and we will see. It does not sound as if anything bad will happen, and if so it is easily reversed: just remove the tagged VLAN.
Pkafkas (author) commented:
Also, one may see the zone interface rules that were created in the screenshots: From-Corp-Server-Vlan-to-Wan1_edited.doc

That is attached to this question.
Pkafkas (author) commented:
Tagging port 2 on switch .252 did not enable Internet on VLAN 11. I wonder what is required? Any other ideas?

Again, Fortinet support stated: "The CorpServerVlan interface, on the FortiGate, is listening to 'tagged' traffic on VLAN 11. The Corporate Data Switch, when pinging the FortiGate (172.20.11.125), is not tagged. Pings are coming through the 'Internal' interface, not the CorpServerVLan interface."

Any ideas on the next step? I think I may need some assistance from someone who has more experience working with the Fortinet 100D. The basic ideas are covered:

1.  Have a fully routable VLAN.
2.  Configure an address object to make rules on the FG100D.
3.  Make the appropriate security policies on the FG100D.
4.  Tag the Ethernet port with the new VLAN, which allows Internet to come in from the Internal interface/zone on the FG100D.
Pkafkas (author) commented:
I have a consultant scheduled to assist today in the afternoon.
Pkafkas (author) commented:
The consultant got Internet enabled on the new VLAN 11.

The consultant did the following:

1.  Removed the three policies on the firewall related to VLAN 11.
2.  Removed the sub-interface on the firewall.
3.  Added a static route on the firewall to send 172.20.11.0 traffic back to the HP switch at 172.20.1.254.
        a.  172.20.1.254 has a default route 0.0.0.0/0.0.0.0 to the firewall.

This worked. My question is: why?
Pkafkas (author) commented:
It appears that Internet is allowed through VLAN 1, but a default route is enabled on switch .254 to send traffic to the firewall.

I think, since Internet is only allowed via VLAN 1, if VLAN 11 traffic is routed to the firewall, the static route (172.20.11.0 -> 172.20.1.254) sends the traffic back to switch .254's management IP address (VLAN 1). Then the VLAN 1 traffic is allowed to the Internet.

Then the Internet acknowledgements and receives are sent back to the original sender. I think that is how it is working. This does not sound like the most efficient way to send traffic.
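Why the consultant's fix works, shown as an added example in FortiOS CLI (these are not the consultant's actual commands, which are not on the page). In this design the ProCurve is the layer-3 gateway for VLAN 11, so Internet-bound packets from 172.20.11.x are routed by the switch onto VLAN 1 and reach the FortiGate untagged on Internal; the FortiGate only needs a route back to that subnet via the switch, and an Internal-to-WAN policy whose source covers it. The addresses 172.20.11.0/25 and 172.20.1.254 and the "internal" interface come from the thread; the object and policy names, the VLAN 1 object, "wan1", the service list and the `set name` keyword (FortiOS 5.4+) are assumptions. The `#` lines are annotations, not FortiOS syntax.

```fortios
# Added example (not the consultant's commands): switch as the L3 gateway for VLAN 11,
# FortiGate only routes back to it. Names marked ASSUMED are illustrative.

config router static
    edit 0
        set dst 172.20.11.0 255.255.255.128
        set gateway 172.20.1.254        # the HP ProCurve's VLAN 1 address; it routes VLAN 11
        set device "internal"           # replies to 172.20.11.x leave via Internal, untagged
    next
end

config firewall address
    edit "VLAN1_net"                    # ASSUMED name
        set subnet 172.20.1.0 255.255.255.0
    next
    edit "CorpServerVlan_net"           # ASSUMED name
        set subnet 172.20.11.0 255.255.255.128
    next
end

config firewall policy
    edit 0
        set name "Internal-to-Internet"        # ASSUMED
        set srcintf "internal"
        set dstintf "wan1"                     # ASSUMED WAN interface name
        set srcaddr "VLAN1_net" "CorpServerVlan_net"   # explicit sources rather than "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"                      # ASSUMED: narrow for the server subnet if possible
        set nat enable
        set logtraffic all
    next
end
```

Two things follow. First, why the sub-interface had to go: while CorpServerVlan existed, the FortiGate's route to 172.20.11.0/25 pointed at that sub-interface, so a packet with a 172.20.11.x source arriving on Internal failed the FortiGate's reverse-path forwarding (anti-spoofing) check and was dropped; the static route via 172.20.1.254 on Internal makes that source legitimate on that interface and gives the replies a way back. Tagging port 2 does not change this, because the switch routes those packets rather than bridging them. Second, the trade-off: with the switch routing between VLAN 1 and VLAN 11, traffic between users and servers never touches the FortiGate, so the segmentation benefit Garry mentions is lost and only the switch's routing and ACLs stand between the two. If the Internal-to-WAN policy's source is "all" rather than explicit objects, anything the switch can route toward the FortiGate also gets out to the Internet.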
Pkafkas (author) commented:
I've requested that this question be deleted for the following reason:

I figured this out on my own.
Pkafkas (author) commented:
I figured this out on my own.