SG300-10SFP InterVlan Routing Internet Problem

blntplt42
Level 1

Hi friends,

We use a FortiGate 100E as the main gateway at our company. We have bought an SG300-10SFP layer 3 switch. I configured VLANs and IP addresses on the Cisco switch:
VLAN 10 - 10.42.10.1

VLAN 11 - 10.42.11.1

VLAN 12 - 10.42.12.1

 

Interface GE10 is in trunk mode, admit all, with all VLANs tagged. On the FortiGate I configured interfaces by adding the VLANs and IP addresses:

VLAN 10 - 10.42.10.2

VLAN 11 - 10.42.11.2

VLAN 12 - 10.42.12.2

 

The PCs are connected to a layer 2 Ubnt switch in access mode. The Ubnt switch is connected to the SG300-10SFP in trunk mode. I added the IP settings manually on the PCs. The VLAN 10, VLAN 11 and VLAN 12 PCs ping each other. No problems. I configured a FortiGate policy with full internet for all devices, but the PCs never get to the internet. A PC pings the Cisco switch and the FortiGate. If I change the PC gateway to 10.42.10.1 instead of 10.42.10.2 (the FortiGate IP), then the PC gets full internet?

Can I add a default gateway for each VLAN in the switch?

Where did I go wrong???

 


Jaderson Pessoa
VIP Alumni
On your L3 switch it is necessary to create a default route to your FortiGate.

For example:
ip route 0.0.0.0 0.0.0.0 1.1.1.1 (IP of your FortiGate)
Jaderson Pessoa
*** Rate All Helpful Responses ***

Don't forget to create a route back from your FortiGate to your three networks, VLAN 10, 20, 30.

Jaderson Pessoa
*** Rate All Helpful Responses ***

Deepak Kumar
VIP Alumni (Accepted Solution)

Hi,

You are making some mistakes in the network design.

1. If you are using the Cisco SG300 as an L3 switch and performing inter-VLAN routing on this switch, then don't extend VLANs 10, 11 and 12 to the FortiGate.

or

2. If you are using the FortiGate for inter-VLAN routing, then you must set the default gateway on your systems/PCs to the FortiGate's VLAN interface IP address.

 

As I understand that you want to use the SG300 as the core switch for inter-VLAN routing, you have to make some changes to the FortiGate configuration and the SG300 configuration, as follows:

SG300 changes:

1. Create a new VLAN, VLAN 14, with subnet 10.42.14.1/24 on the switch.

2. Convert interface GE10 to an access port and assign VLAN 14.

3. Create a default route toward the FortiGate; your destination IP address will be 10.42.14.2 (ip route 0.0.0.0 0.0.0.0 10.42.14.2).

 

Fortigate Changes:

1. Delete all VLAN configuration from the LAN/Internal port.

2. Add an IP address on the LAN/Internal port: 10.42.14.2/24.

3. Add some static routes as follows:

VLAN 10 Route - Destination Subnet: 10.42.10.0/24 and Destination IP: 10.42.14.1

VLAN 11 Route - Destination Subnet: 10.42.11.0/24 and Destination IP: 10.42.14.1

VLAN 12 Route - Destination Subnet: 10.42.12.0/24  and Destination IP: 10.42.14.1

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
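The accepted design above, written out as device CLI. This is an added example, not configuration posted by anyone in the thread; the addresses and VLAN numbers are the thread's own, while the FortiGate interface names ("internal" for the LAN port, "wan1" for the uplink), the address object and policy names, and the assumption that the SG300 is already in L3 (router) system mode are mine. The SG300 part is Cisco Small Business CLI, the FortiGate part is FortiOS CLI.

```text
! ===== SG300-10SFP (Cisco Small Business CLI) =====
! Assumes the switch is already in L3 system mode, which it must be since
! VLAN 10/11/12 already carry IP addresses. GE10 is shown as "gi10";
! older firmware may name it "gigabitethernet10".
configure terminal
vlan database
 vlan 14
exit
interface vlan 14
 ip address 10.42.14.1 255.255.255.0
exit
interface gi10
 ! transit link to the FortiGate: untagged, VLAN 14 only
 switchport mode access
 switchport access vlan 14
exit
! default route for everything the switch does not know: send it to the firewall
ip route 0.0.0.0 0.0.0.0 10.42.14.2
exit
copy running-config startup-config

# ===== FortiGate 100E (FortiOS CLI) =====
# Interface names "internal" and "wan1" are assumptions; check "get system interface".
# Any policy that references the old VLAN sub-interfaces must be deleted before
# FortiOS will let you delete those sub-interfaces.
config system interface
    edit "internal"
        set ip 10.42.14.2 255.255.255.0
        set allowaccess ping
    next
end

# return routes for the three user subnets, all via the SG300's VLAN 14 address
config router static
    edit 0
        set dst 10.42.10.0 255.255.255.0
        set gateway 10.42.14.1
        set device "internal"
    next
    edit 0
        set dst 10.42.11.0 255.255.255.0
        set gateway 10.42.14.1
        set device "internal"
    next
    edit 0
        set dst 10.42.12.0 255.255.255.0
        set gateway 10.42.14.1
        set device "internal"
    next
end

# scope the internet policy to the known user subnets instead of "all"
config firewall address
    edit "net-vlan10"
        set subnet 10.42.10.0 255.255.255.0
    next
    edit "net-vlan11"
        set subnet 10.42.11.0 255.255.255.0
    next
    edit "net-vlan12"
        set subnet 10.42.12.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "grp-user-vlans"
        set member "net-vlan10" "net-vlan11" "net-vlan12"
    next
end
config firewall policy
    edit 0
        set name "user-vlans-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "grp-user-vlans"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After applying this, a PC in VLAN 10 keeps 10.42.10.1 (the switch SVI) as its gateway: the switch routes between VLANs locally and forwards everything else to 10.42.14.2, and the FortiGate knows the way back through the static routes. Two things to check on the switch afterwards are "show ip route" (the 0.0.0.0/0 entry must point at 10.42.14.2) and "show vlan" (gi10 should appear untagged only in VLAN 14). One consequence of this design, which the follow-up posts run into, is that the FortiGate now sees the switch's MAC address as the source of all routed traffic, so any FortiGate rule keyed on client MAC addresses stops distinguishing users; policies based on source subnet, or on identity via FSSO as suggested later in the thread, do not have that problem.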

Thanks Mr. Deepak Kumar. I changed my network design the way you said. That worked. But I had a problem.
Some users have internet access through some policies. Fortinet saw the Cisco router's MAC address for all users. I enabled ARP proxy. Bingo!!! The FortiGate sees each user's MAC address and I have added security policies.

Thanks again

Hi,

I am happy that this solution has worked for you. A side note:

As the FortiGate firewall is a user-aware firewall, you can integrate it with Active Directory and also enable SSO (Single Sign-On). It will help you to maintain user rights based on the AD username rather than the device MAC address. In your current configuration, if User A logs in on User B's system, then he (User A) gets User B's rights, because the firewall is allowing based on the source MAC address.

But after SSO configuration this behavior will change: User B can log in on any system and he will get only his own rights. (If you have a terminal server, then the terminal server must be excluded from the monitored clients.)

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

I think the best configuration is with Active Directory SSO. I will evaluate your suggestion.