VLANs in NAT mode
In NAT mode, the FortiGate functions as a layer-3 device. In this mode, the FortiGate controls the flow of packets between VLANs, but can also remove VLAN tags from incoming VLAN packets. The FortiGate unit can also forward untagged packets to other networks, such as the Internet.
In NAT mode, the FortiGate supports VLAN trunk links with IEEE 802.1Q‑compliant switches, or routers. The trunk link transports VLAN-tagged packets between physical subnets or networks. When you add VLAN sub-interfaces to the FortiGate physical interfaces, the VLANs have IDs that match the VLAN IDs of packets on the trunk link. The FortiGate directs packets with VLAN IDs to sub‑interfaces with matching IDs.
You can define VLAN sub-interfaces on all FortiGate physical interfaces. However, if multiple virtual domains are configured on the FortiGate, you will have access to only the physical interfaces on your virtual domain. The FortiGate can tag packets leaving on a VLAN subinterface. It can also remove VLAN tags from incoming packets and add a different VLAN tag to outgoing packets.
Normally in VLAN configurations, the FortiGate device's internal interface is connected to a VLAN trunk, and the external interface connects to an Internet router that isn't configured for VLANs. In this configuration, the FortiGate can apply different policies for traffic on each VLAN interface connected to the internal interface, which results in less network traffic and better security.
Adding VLAN subinterfaces
A VLAN subinterface, also called a VLAN, is a virtual interface on a physical interface. The subinterface allows routing of VLAN tagged packets using that physical interface, but it's separate from any other traffic on the physical interface.
Adding a VLAN subinterface includes configuring:
- a physical interface
- an IP address and netmask
- a VLAN ID
- a VDOM
Physical interface
The term VLAN subinterface correctly implies the VLAN interface isn't a complete interface by itself. You add a VLAN subinterface to the physical interface that receives VLAN-tagged packets. The physical interface can belong to a different VDOM than the VLAN, but it must be connected to a network router that is configured for this VLAN. Without that router, the VLAN won't be connected to the network, and VLAN traffic won't be able to access this interface. The traffic on the VLAN is separate from any other traffic on the physical interface.
When you are working with interfaces on a FortiGate, use the column settings in the Interface display to make sure the information you need is displayed. When working with VLANs, it's useful to position the VLAN ID column close to the IP address. If you're working with VDOMs, including the Virtual Domain column as well will help you troubleshoot problems more quickly.
To view the Interface display, go to Network > Interfaces.
IP address and netmask
FortiGate interfaces can't have overlapping IP addresses. The IP addresses of all interfaces must be on different subnets. This rule applies to both physical and virtual interfaces, such as VLAN subinterfaces. Each VLAN subinterface must be configured with its own IP address and netmask pair. This rule helps prevent a broadcast storm or other similar network problems.
If you're unable to change your existing configurations to prevent IP overlap, you can allow IP address overlap with the following CLI commands:
config system settings
    set allow-subnet-overlap enable
end
If you enter this command, multiple VLAN interfaces can have an IP address that's part of a subnet used by another interface. This command is recommended for advanced users only.
VLAN ID
The VLAN ID is part of the VLAN tag added to the packets by VLAN switches and routers. The VLAN ID is a number between 1 and 4094 that allows groups of IP addresses with the same VLAN ID to be associated together. VLAN ID 0 is used only for high priority frames, and 4095 is reserved.
All devices along a route must support the VLAN ID of the traffic along that route. Otherwise, the traffic will be discarded before reaching its destination. For example, if your computer is part of VLAN_100 and a co-worker on a different floor of your building is also on VLAN_100, you can communicate with each other over VLAN_100 only if all the switches and routers support VLANs and are configured to pass along VLAN_100 traffic properly. Otherwise, any traffic you send to your co-worker will be blocked or won't be delivered.
VDOM
If VDOMs are enabled, each VLAN subinterface must belong to a VDOM. This rule also applies for physical interfaces.
Interface-related CLI commands require a VDOM to be specified, regardless of whether a FortiGate has VDOMs enabled.
VLAN subinterfaces on separate VDOMs can't communicate directly with each other. In this situation, the VLAN traffic must exit the FortiGate and re-enter the unit, passing through firewalls in both directions. This situation is the same for physical interfaces.
A VLAN subinterface can belong to a different VDOM than the physical interface it is part of. This is because the traffic on the VLAN is handled separately from the other traffic on that interface. This is one of the main strengths of VLANs.
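The rules in the four sections above (a VLAN ID between 1 and 4094, a parent physical interface that exists, no overlapping subnets unless allow-subnet-overlap is enabled, and a VDOM for every interface when VDOMs are enabled) can be checked before a configuration is pushed to the unit. The following Python script is an added example, not FortiGate code and not part of this document; the Interface class, the check_interfaces function and the sample inventory are constructed for illustration. It also rejects two subinterfaces that reuse one VLAN ID on the same physical interface, which follows from the FortiGate steering each tag to the sub-interface with the matching ID.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094


@dataclass
class Interface:
    """One physical or VLAN subinterface (constructed model, not a FortiGate data structure)."""
    name: str
    ip: str                        # "addr/prefix" or "addr/netmask"; "" for an unnumbered interface
    vdom: str = "root"
    parent: Optional[str] = None   # physical interface a VLAN subinterface is attached to
    vlanid: Optional[int] = None   # set only for VLAN subinterfaces


def check_interfaces(interfaces: List[Interface], vdoms_enabled: bool = False,
                     allow_subnet_overlap: bool = False) -> List[str]:
    """Return a list of rule violations; an empty list means the inventory is consistent."""
    problems = []
    by_name = {i.name: i for i in interfaces}
    used_ids = {}   # (parent, vlanid) -> subinterface name that already uses it

    for itf in interfaces:
        if itf.vlanid is not None:
            # VLAN ID must be in 1..4094 (0 and 4095 are not usable as a subinterface ID)
            if not VLAN_ID_MIN <= itf.vlanid <= VLAN_ID_MAX:
                problems.append(f"{itf.name}: VLAN ID {itf.vlanid} outside {VLAN_ID_MIN}-{VLAN_ID_MAX}")
            # a subinterface needs an existing physical parent that is not itself a VLAN
            parent = by_name.get(itf.parent) if itf.parent else None
            if parent is None:
                problems.append(f"{itf.name}: no physical interface named {itf.parent!r}")
            elif parent.vlanid is not None:
                problems.append(f"{itf.name}: parent {itf.parent} is itself a VLAN subinterface")
            else:
                # the FortiGate steers a tag to the subinterface with the matching ID,
                # so one ID can only be used once per physical interface
                key = (itf.parent, itf.vlanid)
                if key in used_ids:
                    problems.append(f"{itf.name}: VLAN ID {itf.vlanid} already used on {itf.parent} by {used_ids[key]}")
                used_ids.setdefault(key, itf.name)
        # with VDOMs enabled every interface, physical or VLAN, must belong to one
        if vdoms_enabled and not itf.vdom:
            problems.append(f"{itf.name}: no VDOM assigned")

    # interface subnets must not overlap unless allow-subnet-overlap is enabled
    if not allow_subnet_overlap:
        nets = [(i.name, ipaddress.ip_interface(i.ip).network) for i in interfaces if i.ip]
        for a in range(len(nets)):
            for b in range(a + 1, len(nets)):
                if nets[a][1].overlaps(nets[b][1]):
                    problems.append(f"{nets[a][0]} and {nets[b][0]}: subnets {nets[a][1]} and {nets[b][1]} overlap")
    return problems


# Constructed sample inventory mirroring the VLAN_100 example in this section.
SAMPLE = [
    Interface("internal", "192.168.1.99/24"),
    Interface("wan1", "203.0.113.2/24"),
    Interface("VLAN_100", "172.100.1.1/255.255.255.0", parent="internal", vlanid=100),
    Interface("VLAN_200", "172.100.2.1/24", parent="internal", vlanid=200),
]

# Same inventory plus a subinterface that breaks two rules: a reserved VLAN ID
# and a subnet that lies inside VLAN_100's subnet.
BROKEN = SAMPLE + [Interface("VLAN_bad", "172.100.1.129/25", parent="internal", vlanid=4095)]

if __name__ == "__main__":
    for label, inventory in (("sample", SAMPLE), ("broken", BROKEN)):
        print(f"{label}: {check_interfaces(inventory) or 'OK'}")
```

Running the script reports nothing for the sample inventory and two problems for the broken one; passing allow_subnet_overlap=True silences only the overlap, which mirrors what the allow-subnet-overlap setting does on the unit.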
The following procedure will add a VLAN subinterface called VLAN_100 to the FortiGate internal interface with a VLAN ID of 100. It will have an IP address and netmask of 172.100.1.1/255.255.255.0, and allow HTTPS and PING administrative access. Note that in the CLI, you must enter “set type vlan” before setting the vlanid, and that the allowaccess protocols are lower case.
To add a VLAN subinterface in NAT mode - GUI:
- If Current VDOM appears at the bottom left of the screen, select Global from the list of VDOMs.
- Go to Network > Interfaces.
- Select Create New to add a VLAN subinterface.
- Enter the following:

| Field | Value |
| --- | --- |
| VLAN Name | VLAN_100 |
| Type | VLAN |
| Interface | internal |
| VLAN ID | 100 |
| Addressing mode | Manual |
| IP/Network Mask | 172.100.1.1/255.255.255.0 |
| Administrative Access | HTTPS, PING, TELNET |

- Select OK.
To view the new VLAN subinterface, select the expand arrow next to the parent physical interface (the internal interface). This will expand the display to show all VLAN subinterfaces on this physical interface. If there is no expand arrow displayed, there are no subinterfaces configured on that physical interface.
For each VLAN, the list displays the name of the VLAN, and, depending on column settings, its IP address, the Administrative access you selected for it, the VLAN ID number, and which VDOM it belongs to if VDOMs are enabled.
To add a VLAN subinterface in NAT mode - CLI:
config system interface
    edit VLAN_100
        set interface internal
        set type vlan
        set vlanid 100
        set ip 172.100.1.1 255.255.255.0
        set allowaccess https ping
    next
end
Configuring security policies and routing
Once you create a VLAN subinterface on a FortiGate, you need to configure security policies and routing for that VLAN. Without these, the FortiGate won't pass VLAN traffic to its intended destination. Security policies direct traffic through the FortiGate between interfaces. Routing directs traffic across the network.
Configuring security policies
Security policies permit communication between the FortiGate device's network interfaces, based on source and destination IP addresses. Interfaces that communicate with the VLAN interface need security policies to permit traffic to pass between them and the VLAN interface.
Each VLAN needs a security policy for each of the following connections the VLAN will be using:
- From this VLAN to an external network
- From an external network to this VLAN
- From this VLAN to another VLAN in the same virtual domain on the FortiGate
- From another VLAN to this VLAN in the same virtual domain on the FortiGate
The packets on each VLAN are subject to antivirus scans and other security profile measures as they pass through the FortiGate.
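The four connection types listed above, together with the earlier rule that VLANs in separate VDOMs can't communicate directly, define the set of interface pairs each VLAN needs policies for. The following Python audit is an added example, not part of this document or of FortiGate's own tooling: given a constructed inventory of interfaces with their VDOMs and kinds, plus the (srcintf, dstintf) pairs already covered by a policy, it lists the pairs still missing and why each is needed. The policy_stanza helper writes a skeleton in the same config/edit/set/next/end style as the interface CLI above; the firewall policy keywords it uses (config firewall policy, srcintf, dstintf, srcaddr, dstaddr, action, schedule, service) are not shown on this page and are assumed here, and the address and service objects are left as placeholders so each policy is scoped to what the VLAN actually needs rather than opened to everything.

```python
from typing import Dict, Set, Tuple

Pair = Tuple[str, str]   # (srcintf, dstintf)

# Constructed inventory, not taken from a real device: interface -> (VDOM, kind).
# kind is "external" for the interface that reaches the outside network, or "vlan".
INTERFACES = {
    "wan1":     ("root", "external"),
    "VLAN_100": ("root", "vlan"),
    "VLAN_200": ("root", "vlan"),
    "VLAN_300": ("dmz",  "vlan"),     # different VDOM: no direct policy with the root VLANs
}

# Constructed set of policies already configured, as (srcintf, dstintf) pairs.
EXISTING: Set[Pair] = {
    ("VLAN_100", "wan1"),
    ("wan1", "VLAN_100"),
    ("VLAN_100", "VLAN_200"),
}


def required_policies(vlan: str, interfaces: Dict[str, Tuple[str, str]]) -> Dict[Pair, str]:
    """Map each interface pair `vlan` needs a policy for to the connection type it covers.
    Only interfaces in the same VDOM count; traffic to another VDOM has to leave the
    FortiGate and re-enter, so no direct inter-VLAN policy applies there."""
    vdom, kind = interfaces[vlan]
    if kind != "vlan":
        raise ValueError(f"{vlan} is not a VLAN subinterface")
    needed: Dict[Pair, str] = {}
    for name, (peer_vdom, peer_kind) in interfaces.items():
        if name == vlan or peer_vdom != vdom:
            continue
        label = "an external network" if peer_kind == "external" else f"VLAN {name}"
        needed[(vlan, name)] = f"from this VLAN to {label}"
        needed[(name, vlan)] = f"from {label} to this VLAN"
    return needed


def missing_policies(vlan: str, interfaces: Dict[str, Tuple[str, str]],
                     existing: Set[Pair]) -> Dict[Pair, str]:
    """Required pairs that no existing policy covers yet."""
    return {pair: why for pair, why in required_policies(vlan, interfaces).items()
            if pair not in existing}


def policy_stanza(srcintf: str, dstintf: str, name: str = "") -> str:
    """Skeleton policy for one interface pair (assumed CLI keywords; placeholders in <>
    must be replaced with address and service objects scoped to the VLAN's real needs)."""
    name = name or f"{srcintf}_to_{dstintf}"
    return "\n".join([
        "config firewall policy",
        "    edit 0",                     # 0 lets the unit pick the next free policy ID
        f"        set name {name}",
        f"        set srcintf {srcintf}",
        f"        set dstintf {dstintf}",
        "        set srcaddr <address-object>",
        "        set dstaddr <address-object>",
        "        set action accept",
        "        set schedule always",
        "        set service <service-object>",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    for vlan in ("VLAN_100", "VLAN_200", "VLAN_300"):
        gaps = missing_policies(vlan, INTERFACES, EXISTING)
        print(f"{vlan}: {len(gaps)} policy pair(s) missing")
        for (src, dst), why in sorted(gaps.items()):
            print(f"  {src} -> {dst}  ({why})")
            print(policy_stanza(src, dst))
```

For the constructed inventory the audit finds one gap for VLAN_100 (return traffic from VLAN_200), three for VLAN_200, and none for VLAN_300, which has no peers in its own VDOM.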
Configuring routing
As a minimum, you need to configure a default static route to a gateway with access to an external network for outbound packets. In more complex cases, you must configure different static or dynamic routes based on packet source and destination addresses.
As with firewalls, you must configure routes for VLAN traffic. VLANs need routing and a gateway configured to send and receive packets outside their local subnet just as physical interfaces do. The type of routing you configure, static or dynamic, will depend on the routing used by the subnet and interfaces you're connecting to. Dynamic routing can be routing information protocol (RIP), border gateway protocol (BGP), open shortest path first (OSPF), or multicast.
If you enable SSH, PING, HTTPS and HTTP on the VLAN, you can use those protocols to troubleshoot your routing and test that it's properly configured. Enabling logging on the interfaces and using CLI diagnose commands, such as diagnose sniffer packet <interface_name>, can also help locate any possible configuration or hardware issues.