To enable Internet on a new VLan from our Fortinet Firewall

Pkafkas asked:
Hello:

Originally we had 1 Corporate Data VLan.  Now, I have created a new data VLan that is to be used exclusively for Servers.  This new VLan is set up and is fully routable between the original VLan-1 and VLan-11.  I can log on and use internal DNS; but internet is not yet enabled on VLan-11.

VLan-1   = 172.20.1.0/24
VLan-11 = 172.20.11.0/25

One may look at a previous question that I posed regarding this setup:  http://www.experts-exchange.com/questions/28870700/Why-will-a-new-VLan-not-work-on-a-specific-HP-Switch.html

My question today is regarding how to enable internet on this new VLan-11?  We have an "Internal" Zone/Interface from the Fortigate Firewall.  This Internal Interface has ports 1-7 assigned to it on the Firewall.  Port#1 on the Firewall is connected to a VLan-1 port one on our Corporate Data Switches.  This VLan-1 port is Port#2 on switch .252 (See the attached diagram).

I have created a case with Fortinet to enable internet from the Fortigate Firewall to VLan-11 on our network.  We had some problems executing this task and they are stating that tagged frames are not being routed from the switch to the Firewall.  Their exact description is the following:

"The CorpServerVlan Interface, on the Fortigate, is listening to 'tagged' traffic on VLan-11.  The Corporate Data Switch when pinging the fortigate (172.20.11.125) is not tagged.  Pings are coming through the 'Internal' interface not the CorpServerVLan Interface."  Please see the attached network diagrams and screen shots of what the Fortigate Technician and I have done.

Keep in mind that I can have laptops logon to the AD network and ping everything on VLan-1.  Equally important VLan-1 devices can ping VLan-11 devices and copy files back and forth.

I have a theory to fix this internet problem: since Ethernet Port#1 on the Fortigate Firewall is already assigned to the Internal Interface, and that same port is already connected to Port#2 on VLan-1, could "tagging" VLan-11 on the same port (Port#2 on the data switch) enable internet on VLan-11 as well?

Attachments:
From-Corp-Server-Vlan-to-Wan1_edited.doc
1stpage_Public.pdf

Consulting and Network/Security Specialist commented:
On a general note, you do need an L3 device to handle communication between the different VLANs. That MAY be another device in your network (in which case you maybe shouldn't also add the FG to it), or it can be the FortiGate. Depending on your security concerns, using the FG to segment the two areas has several benefits ...
Anyway, adding the VLAN interface on port 1 and the switch as tagged VLAN will give you general access, then of course you will need rules to get to the outside, plus rules for communication between the VLANs 1 and 11 (in the simplest case, permit any/any between the two, or reduce to the services you actually want accessible)
Pkafkas (Author) commented:
Ok,

It sounds as if 'tagging' port#2 on the HP ProCurve Switch is worth a shot.  Is that correct?

The Fortigate Tech. stated: "You can try this, anything coming on the Internal Interface with Vlan11 will be directed to the proper Vlan interface."

On another note, IP Routing is enabled on the HP ProCurve switch that also has routing rules that govern sending traffic to here or there.  This part was set up by a consultant who has worked with ProCurves a lot more frequently than I have.  I do wish to keep focus on enabling internet on different VLans.

At my previous workplace, I set up multiple Corporate VLans for various reasons and I want to say that I needed to 'tag' these extra VLans in the router that had the internet connection from our Firewall for the 'Internal' Firewall Zone.  But I will try it out and we will see.  It does not sound as if anything bad will happen, and if so it is easily reversed.  Just remove the tagged VLan.

Pkafkas (Author) commented:
Also one may see the zone interface rules that were created from the screen shots:  From-Corp-Server-Vlan-to-Wan1_edited.doc

That is attached to this question.
Pkafkas (Author) commented:
Tagging port#2, on switch .252 did not enable internet on Vlan-11.  I wonder what is required?  Any other ideas?

Again, Fortinet support stated: "The CorpServerVlan Interface, on the Fortigate, is listening to 'tagged' traffic on VLan-11.  The Corporate Data Switch when pinging the fortigate (172.20.11.125) is not tagged.  Pings are coming through the 'Internal' interface not the CorpServerVLan Interface."

Any ideas on the next step?  I think I may need some assistance from someone who has more experience working with the Fortinet 100D.  The basic ideas are covered.

1.  Have a fully routable-VLan.
2.  Configure an address object to make rules on the FG100D.
3.  Make the appropriate Security policies on FG100D.
4.  Tag the Ethernet port with the new VLan, that allows Internet to come in from the Internal- Interface/Zone coming from the FG100D.
Pkafkas (Author) commented:
I have a consultant scheduled to assist today in the afternoon.
Pkafkas (Author) commented:
The consultant got Internet enabled on that new VLan-11.

The consultant did the following:

1.  Removed the 3 policies on the Firewall related to Vlan-11.
2.  Removed the sub-interface on the Firewall.
3.  Added a static route on the Firewall to send 172.20.11.0 traffic back to the HP Switch 172.20.1.254.
        a.  172.20.1.254 has a default route 0.0.0.0/0.0.0.0 to the Firewall.

This worked.  My question is: why?

Pkafkas (Author) commented:
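The consultant's final setup, written out as an added FortiGate CLI example that is not from the question or its attachments; the interface names "internal" and "wan1", the address-object and policy names are assumptions, and the mask comes from the /25 in the question. The static route is what makes the FortiGate accept packets sourced from 172.20.11.0/25 arriving on "internal" (its reverse-path check needs a route back to the source) and send replies to the switch.

```fortios
# Added example (not from the question or attachments): the consultant's
# working setup expressed as FortiGate CLI. Interface names "internal" and
# "wan1", the object name "VLan-11-net" and the policy name are assumptions.

# Static route: the VLAN sub-interface was removed, so the FortiGate no
# longer has an interface in 172.20.11.0/25. It must learn that the subnet
# sits behind the HP switch at 172.20.1.254, which in turn has a default
# route back to the FortiGate. Without this route the reverse-path check
# drops VLan-11 packets and return traffic has nowhere to go.
config router static
    edit 0
        set dst 172.20.11.0 255.255.255.128
        set gateway 172.20.1.254
        set device "internal"
    next
end

# Address object for the server VLAN, used as the policy source.
config firewall address
    edit "VLan-11-net"
        set subnet 172.20.11.0 255.255.255.128
    next
end

# Policy: VLan-11 hosts now reach the FortiGate already routed by the
# switch (untagged, via VLan-1), so the policy is from "internal" to
# "wan1", not from the old CorpServerVlan sub-interface. Narrow the
# service list to what the servers actually need and keep logging on.
config firewall policy
    edit 0
        set name "VLan11-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "VLan-11-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```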
It appears that Internet is allowed through VLan-1; but a default route is enabled on Switch .254 to send traffic to the Firewall.

I think since internet is only allowed via VLan-1, if VLan-11 traffic is routed to the Firewall, the static route (172.20.11.0 -> 172.20.1.254) sends the traffic back to switch .254's management IP address (Vlan-1).  Then the Vlan-1 traffic is allowed to the internet.

Then the internet acknowledgements and receives are sent back to the original sender.  I think that is how it is working.  This does not sound like the most efficient way to send traffic.
Pkafkas (Author) commented:
I've requested that this question be deleted for the following reason:

I figured this out on my own.