troubleshooting Question
To enable Internet on a new VLan from our Fortinet Firewall
Hello:
Originally we had 1 Corporate Data VLan. Now, I have created a new data VLan that is to be used exclusively for Servers. This new VLan is setup and is fully route-able between the Original VLan-1 and VLan-11. I can logon and use internal DNS; but internet is not yet enabled on VLan-11.
VLan-1 = 172.20.1.0/24
VLan-11 = 172.20.11.0/25
One may look at a previous question that I posed regarding this setup: https://www.experts-exchange.com/questions/28870700/Why-will-a-new-VLan-not-work-on-a-specific-HP-Switch.html
My question today is regarding how to enable internet on this new VLan-11? We have an "Internal" Zone/Interface from the Fortigate Firewall. This Internal Interface has ports 1-7 assigned to it on the Firewall. Port#1 on the Firewall is connected to a VLan-1 port one on our Corporate Data Switches. This VLan-1 port is Port#2 on switch .252 (See the attached diagram).
I have created a case with Fortinet to enable internet from the Fortigate Firerwall to VLan-11 on our network. We had some problems executing this task and they are stating that tagged frames are not being routed from the switch to the Firewall. Their exact descriptin is the following:
"The CorpServerVlan Interface, on the Fortigate, is listening to ‘tagged’ traffic on VLan-11. The Corporate Data Switch when pinging the fortigate (172.20.11.125) is not tagged. Pings are coming through the ‘Internal’ interface not the CorpServerVLan Interface. Please see the attached network diagrams and screen shots of what me and the Fortigate Technician have done.
Keep in mind that I can have laptops logon to the AD network and ping everything on VLan-1. Equally important VLan-1 devices can ping VLan-11 devices and copy files back and forth.
I have a theory, to fix this internet problem since Ethernet Port#1 on the Fortigate Firewall is already assigned to the Internal Interface and that same port is already connected to port #2 on a VLan-1. Could "Tagging" VLan-11 on the same port (Port#2 on data switch) enable internet on VLan-11 as well?
From-Corp-Server-Vlan-to-Wan1_edited.doc
1stpage_Public.pdf
Originally we had 1 Corporate Data VLan. Now, I have created a new data VLan that is to be used exclusively for Servers. This new VLan is setup and is fully route-able between the Original VLan-1 and VLan-11. I can logon and use internal DNS; but internet is not yet enabled on VLan-11.
VLan-1 = 172.20.1.0/24
VLan-11 = 172.20.11.0/25
One may look at a previous question that I posed regarding this setup: https://www.experts-exchange.com/questions/28870700/Why-will-a-new-VLan-not-work-on-a-specific-HP-Switch.html
My question today is regarding how to enable internet on this new VLan-11? We have an "Internal" Zone/Interface from the Fortigate Firewall. This Internal Interface has ports 1-7 assigned to it on the Firewall. Port#1 on the Firewall is connected to a VLan-1 port one on our Corporate Data Switches. This VLan-1 port is Port#2 on switch .252 (See the attached diagram).
I have created a case with Fortinet to enable internet from the Fortigate Firerwall to VLan-11 on our network. We had some problems executing this task and they are stating that tagged frames are not being routed from the switch to the Firewall. Their exact descriptin is the following:
"The CorpServerVlan Interface, on the Fortigate, is listening to ‘tagged’ traffic on VLan-11. The Corporate Data Switch when pinging the fortigate (172.20.11.125) is not tagged. Pings are coming through the ‘Internal’ interface not the CorpServerVLan Interface. Please see the attached network diagrams and screen shots of what me and the Fortigate Technician have done.
Keep in mind that I can have laptops logon to the AD network and ping everything on VLan-1. Equally important VLan-1 devices can ping VLan-11 devices and copy files back and forth.
I have a theory, to fix this internet problem since Ethernet Port#1 on the Fortigate Firewall is already assigned to the Internal Interface and that same port is already connected to port #2 on a VLan-1. Could "Tagging" VLan-11 on the same port (Port#2 on data switch) enable internet on VLan-11 as well?
From-Corp-Server-Vlan-to-Wan1_edited.doc
1stpage_Public.pdf
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 10 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.