Support Forum
damianhlozano
Contributor

Options to pass a VLAN through different Fortigate interfaces in NAT mode

Hello team!!!

 

I hope it goes well for you!

We have 2 different "trunk" interfaces (With different VLANs on each one).

For example:

* VLANs 10, 20 and 30 on port1

* VLANs 40, 50 and 60 on port2

Now, we need to add VLAN 100 to both trunk interfaces.

Because, for example, we need to access from something in VLAN 100 connected to port1 to something on VLAN 100, connected to port2.

We have a managed switch directly connected to port1 and a different managed switch connected to port2.

 

I thought of creating the first VLAN Switch (the other 2 are not VLAN switches, just interfaces with VLANs), but I do not believe I will be able to use the current port1 and port2 on it.

 

So, with my moderate knowledge, I can think of the following 2 options:

* Create a VLAN switch for different ports (example: port3 and port4), with VLAN 100, and connect both to each managed switch in a different port, with VLAN 100 as tagged

* Create a virtual switch (without VLANs) for different ports (example: port3 and port4), and connect both to each managed switch in a different port, with VLAN 100 as untagged

 

I think these 2 options are not so prolix.

Is there another option?

What do you suggest?

 

Thanks in advance.

Regards,

Damián

Damián Lozano
1 Solution
atakannatak
New Contributor III

Hi @damianhlozano ,


You can only create one interface on FortiGate with the same VLAN-ID value, so in this scenario the best option would be to combine two of the solutions you mentioned according to your topology. For this, based on your topology, I configured a software switch definition on port3/port4 and then created a new interface under this definition with VLAN-ID 100. Then I created 2 different client machines on two different switches and tested end-to-end access, and I did not encounter any problems.

 

If you design this way, you will have flexibility if you have similar needs in the future. For example, a new interface can be created for VLAN-ID 200 using the same software switch.

 

[Images: TEST.png, TEST2.png]

 

BR.

 

If my answer provided a solution for you, please mark the reply as solved so that others can find it easily while searching for similar scenarios.

Atakan Atak

damianhlozano

Wow, thanks atakannatak for all the time you took to make this.

I will try your solution.

Thanks again!!

Regards

Damián

Damián Lozano
cgtech

Hi there,

 

> You can only create one interface on FortiGate with the same VLAN-ID value

 

Maybe there's something I don't understand here, but the VLAN documentation (for v7.0.x) says otherwise, and provides an example like so:

 

config system interface
    edit VLAN_100_int
        set type vlan
        set interface internal
        set vlanid 100
    next
    edit VLAN_100_ext
        set type vlan
        set interface external
        set vlanid 100
    next
end

 

Was this a limitation of previous versions of FortiOS, or did I not grasp the context of the question?

Thanks for extra insights on this,

C.

damianhlozano

Hello cgtech!!

 

I checked this in an active FortiGate and I saw that you can create 2 VLANs with the same VLAN ID on different interfaces (the two VLANs cannot have the same name); however, I think devices in a VLAN connected to one port will not reach devices in the same VLAN ID on another port.

Anyway, I don't know why this is allowed; maybe someone here could explain this.

 

Regards,

Damián

Damián Lozano
damianhlozano
Contributor

Hello,

 

Just to know before trying this, if you already know the answer:

This should work without any rule to allow traffic, right? (In layer 2, like a switch)

 

Thanks

Regards

 

Damián Lozano
atakannatak

Hi,

 

Actually, the clients which are connected through the software switch don't need any rule. However, if you want connectivity between these clients and others, you must add some rules depending on what you need.

BR.

Atakan Atak
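As an added configuration example (not the poster's own config, which was only shown as screenshots), this is the FortiOS CLI equivalent of the design in the accepted answer (software switch on port3/port4, VLAN 100 interface under it) together with the policy behaviour described in this reply. The names sw-vlan100 and VLAN100_sw, the 10.100.0.0/24 address, and the VLAN10 interface name are assumptions for illustration; port3/port4 are assumed to be free and unused by other configuration.

```text
# Added example: software switch bridging port3 and port4 at layer 2.
# With the default intra-switch-policy "implicit", frames between the
# two member ports are forwarded without any firewall policy, which
# is the behaviour described in the reply above. Set it to "explicit"
# if you want port3<->port4 traffic to be subject to firewall policies too.
config system switch-interface
    edit "sw-vlan100"
        set vdom "root"
        set type switch
        set member "port3" "port4"
        set intra-switch-policy implicit
    next
end

# VLAN 100 sub-interface on the software switch (one interface per VLAN ID
# on this parent; VLAN 200 could be added the same way later).
# Tag VLAN 100 on the managed-switch ports facing port3 and port4.
config system interface
    edit "VLAN100_sw"
        set vdom "root"
        set type vlan
        set interface "sw-vlan100"
        set vlanid 100
        set ip 10.100.0.1 255.255.255.0    # assumed gateway address for VLAN 100
        set allowaccess ping
    next
end

# Only needed for traffic that leaves the software switch, e.g. VLAN 100
# hosts reaching the existing VLAN 10 on port1 (interface name assumed).
# Restrict srcaddr/dstaddr/service to what is actually required.
config firewall policy
    edit 0
        set name "vlan100-to-vlan10"
        set srcintf "VLAN100_sw"
        set dstintf "VLAN10"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Quick check that the switch and its members were created as intended:
#   show system switch-interface sw-vlan100
#   show system interface VLAN100_sw
```

Because the two managed switches are joined at layer 2 through the software switch, VLAN 100 hosts behind port1's switch and port2's switch see each other without a policy; everything that crosses into VLAN 10/20/30 or 40/50/60 still goes through the firewall policies, so keep those as narrow as the use case allows and leave logging on.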
damianhlozano

Thank you, it was what I suspected and what I intended.

Regards

Damián Lozano