Internet to all VLANs

fallis88
Member
Posts: 4
Joined: 09 Nov 2022 12:14

Internet to all VLANs

Post by fallis88 »

Hello everybody,

Just as an FYI, I am new to this kind of stuff and I am mostly self-taught through this forum, the manuals, Google and YouTube.

My issue is that only VLAN 2 (servers) receives internet. After trawling endlessly, I figured I would reach out for some input on whether this is my switch configuration or something with my Fortigate (in which case I will turn to their forums).

My set up is as follows:
ISP Modem -> Fortigate 81F (PPPoE passthrough for WAN connection) -> Omniswitch 6560-P24x4

The Fortigate IP is: 192.168.10.99
Servers are: 192.168.10.XX
Cameras are: 192.168.20.XX
Workstations: 192.168.30.XX

My issue is that only VLAN 2 (servers) receives internet. My devices can all communicate across the VLANs as desired (i.e. my workstations can ping the servers and cameras, cameras can ping servers, and vice versa). Devices on VLAN 2 can ping the Fortigate, but devices on VLAN 3/4 cannot.

The Fortigate is patched in to an untagged port assigned to VLAN 2. If I put it onto a tagged port assigned to all VLANs, no devices can communicate with it.

My Vlans are configured as:
vlan  type  admin  oper  ip   mtu   name
------+-----+------+-----+----+-----+------------------
1     std   Dis    Dis   Dis  1500  VLAN 1
2     std   Ena    Ena   Ena  1500  Servers
3     std   Ena    Ena   Ena  1500  Cameras
4     std   Ena    Ena   Ena  1500  Workstations
4094  vcm   Ena    Dis   Dis  1500  VCM IPC

My IP Interfaces:
Name          IP Address     Subnet Mask      Status  Forward  Device    Flags
--------------+--------------+----------------+-------+--------+---------+------
Cameras       192.168.20.1   255.255.255.0    UP      YES      vlan 3
Loopback      127.0.0.1      255.255.255.255  UP      NO       Loopback
Servers       192.168.10.1   255.255.255.0    UP      YES      vlan 2
Workstations  192.168.30.1   255.255.255.0    UP      YES      vlan 4

My IP Routes:
Dest Address     Gateway Addr    Age       Protocol
-----------------+---------------+---------+----------
0.0.0.0/0        192.168.10.99   00:17:32  STATIC
127.0.0.1/32     127.0.0.1       03:38:08  LOCAL
192.168.10.0/24  192.168.10.1    03:37:16  LOCAL
192.168.20.0/24  192.168.20.1    03:37:16  LOCAL
192.168.30.0/24  192.168.30.1    03:37:16  LOCAL

If you need any more info let me know!

Thanks in advance!

Ben
Gleylancer
Member
Posts: 156
Joined: 08 May 2013 03:14

Re: Internet to all VLANs

Post by Gleylancer »

Since you have a Fortigate in your network, the easiest way would be to make that the routing instance and have it connect to all vlans using 802.1q.

Tag all VLANs on the Fortigate and the switch - then use the Fortigate as Gateway on all of them.
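Added example, not part of the thread and not Alcatel-Lucent or Fortinet code: a small Python model of what an 802.1Q tag does to a frame. It reproduces the tagged-port symptom from the first post (a device with no VLAN sub-interfaces reads the 0x8100 tag protocol identifier where it expects the EtherType and discards the frame) and shows why tagging both ends, as suggested above, makes all three VLANs visible. The MAC addresses, payload, and the port and receiver models are constructed for the example; it stops at layer 2 and says nothing about routes or firewall policy.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (locally administered MACs) and a dummy payload; not from the thread.
FG_MAC = "02:00:00:00:00:01"
SW_MAC = "02:00:00:00:00:02"
SAMPLE_PAYLOAD = b"\x45\x00" + b"\x00" * 18   # looks like the start of an IPv4 header; content irrelevant


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_frame(dst: str, src: str, payload: bytes, vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; with vlan_id, a 4-byte 802.1Q tag (TPID + TCI) sits between the MACs and the EtherType."""
    frame = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)      # DEI bit stays 0
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode as an 802.1Q-aware receiver does: look for the 0x8100 TPID before trusting the EtherType."""
    ethertype, = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return {"dst": frame[:6], "src": frame[6:12], "vlan": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


def legacy_receive(frame: bytes) -> bool:
    """A receiver with no VLAN sub-interfaces takes bytes 12-13 as the EtherType; a tagged frame
    therefore shows up as unknown protocol 0x8100 and is discarded instead of reaching IP."""
    ethertype, = struct.unpack("!H", frame[12:14])
    return ethertype == ETHERTYPE_IPV4


def port_egress(frame: bytes, mode: str, member_vlans: set) -> Optional[bytes]:
    """Switch port model. Inside the switch every frame carries its VLAN (represented here by a tag).
    'untagged' port: member of one VLAN, tag removed on the way out.
    'tagged' port: 802.1Q trunk, frames leave with the tag. Non-member VLANs are never sent."""
    parsed = parse_frame(frame)
    if parsed["vlan"] not in member_vlans:
        return None
    if mode == "untagged":
        return parsed["dst"] + parsed["src"] + struct.pack("!H", parsed["ethertype"]) + parsed["payload"]
    if mode == "tagged":
        return frame
    raise ValueError(f"unknown port mode {mode!r}")


def vlans_reaching_fortigate(port_mode: str, member_vlans: set, fortigate_has_vlan_subifs: bool) -> list:
    """Which VLANs' frames the FortiGate can hand up to IP for a given switch-port / FortiGate configuration."""
    accepted = []
    for vid in (2, 3, 4):
        on_wire = port_egress(build_frame(FG_MAC, SW_MAC, SAMPLE_PAYLOAD, vlan_id=vid), port_mode, member_vlans)
        if on_wire is None:
            continue
        if fortigate_has_vlan_subifs:
            ok = parse_frame(on_wire)["vlan"] == vid      # a sub-interface exists for exactly this VLAN ID
        else:
            ok = legacy_receive(on_wire)
        if ok:
            accepted.append(vid)
    return accepted


if __name__ == "__main__":
    print("untagged VLAN 2 port, plain FortiGate interface :", vlans_reaching_fortigate("untagged", {2}, False))
    print("tagged port for 2/3/4, plain FortiGate interface:", vlans_reaching_fortigate("tagged", {2, 3, 4}, False))
    print("tagged port for 2/3/4, FortiGate VLAN sub-ifs   :", vlans_reaching_fortigate("tagged", {2, 3, 4}, True))
```

The three printed lines are the three states the first post walks through: untagged port and a plain interface gives VLAN 2 only, moving to a tagged port without configuring the FortiGate gives nothing, and tagging plus a sub-interface per VLAN ID gives all three.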

Re: Internet to all VLANs

Post by fallis88 »

Thanks Gleylancer!

I will look into how to use 802.1q on the Fortigate (now I see why it didn't work when I changed the switch port to tagged). I will then follow up by changing the default gateway on the devices to the Fortigate.

Thanks!

Re: Internet to all VLANs

Post by fallis88 »

Reviving this as it is related to my original question and looking to see what I might be missing.

I was able to tag all the VLANs on the Fortigate and switch and, using the Fortigate as the default gateway, all VLANs received internet. We no longer wish to use the FortiGate as our default gateway; we only want it on the edge of our network to be used for remote access and to provide internet to the equipment when needed (these are only used for CCTV networks and the cameras/workstations/servers do not require internet access unless doing VMS, firmware or Windows updates).

If I add a static route 0.0.0.0/0 gateway 10.166.2.2, VLAN 2 has internet access. If I add a route (this worked on an Aruba switch that we have in production) 0.0.0.0/0 gateway 10.166.2.66, no devices have internet access.

I tried adding static routes on the Fortigate:
i.e. Destination: 10.166.2.64/26 Gateway: 10.166.2.65 Interface: Cameras (10.166.2.66/26)

I am still pretty new to this stuff and figuring it out as I go, so any advice is appreciated!

Below is my configuration (with no additional static routes):

The Fortigates IP's are:
Tagged VLAN 2 - 10.166.2.2
Tagged VLAN 3 - 10.166.2.66
Tagged VLAN 4 - 10.166.2.130
Connected to the switch via a single tagged port. The switch and devices can ping the FortiGate on all VLANs.
Firewall policies exist for all VLAN interfaces to have WAN access, as well as to talk to each other internally (i.e. V2-3, V3-2, V3-4, V4-3 etc).

My Vlans are configured as:
vlan  type  admin  oper  ip   mtu   name
------+-----+------+-----+----+-----+------------------
1     std   Dis    Dis   Dis  1500  VLAN 1
2     std   Ena    Ena   Ena  1500  Servers
3     std   Ena    Ena   Ena  1500  Cameras
4     std   Ena    Ena   Ena  1500  Workstations
4094  vcm   Ena    Dis   Dis  1500  VCM IPC

My IP Interfaces:
Name          IP Address     Subnet Mask      Status  Forward  Device    Flags
--------------+--------------+----------------+-------+--------+---------+------
Cameras       10.166.2.65    255.255.255.192  UP      YES      vlan 3
Loopback      127.0.0.1      255.255.255.255  UP      NO       Loopback
Servers       10.166.2.1     255.255.255.192  UP      YES      vlan 2
Workstations  10.166.2.129   255.255.255.192  UP      YES      vlan 4

My IP Routes:
Dest Address     Gateway Addr    Age       Protocol
-----------------+---------------+---------+----------
127.0.0.1/32     127.0.0.1       03:38:08  LOCAL
10.166.2.0/26    10.166.2.1      03:37:16  LOCAL
10.166.2.64/26   10.166.2.65     03:37:16  LOCAL
10.166.2.128/26  10.166.2.129    03:37:16  LOCAL

Re: Internet to all VLANs

Post by Gleylancer »

If the one device directly connected to the Internet is still the Fortigate, it will have to remain the gateway regardless of what you are trying to do here. One possibility is to have the switch route the traffic through a coupling network, and then have it be the default gateway for the clients, but I fail to see the advantage of this, as you are adding a routing instance that has zero purpose.

Unfortunately, I do not understand what your goal is and the network topology description is kind of vague. A firewall has infinite means to limit access to everything, why not use it accordingly?

Re: Internet to all VLANs

Post by fallis88 »

Thanks Gleylancer,

Our team works on CCTV systems (anywhere from 15 to 300+ camera sites) that have been closed networks until last year when we began a remote management pilot. Our networks are pretty simple compared to much of what I read on here. We have only the servers, cameras and CCTV workstations on our network and these workstations are strictly used for CCTV viewing. The devices do not have internet access and the departments internal network is on a completely separate physical network managed by another department.

The firewalls are in place for us to provide our team with remote access (through FortiClient).

I agree that having the firewall as the gateway can provide excellent control, but our use case doesn't really need it at this time. I have used QoS policies to block traffic as needed on the network, and the internet access would only be enabled on the network when performing software/firmware updates; otherwise, it is only used for remote access. A few other reasons why we don't want to use them as gateways, at least for now:

- The models we have only have 1G interfaces and I found it insufficient in testing for being the gateway. 10G models are considerably more expensive, and this is public sector so buying upgraded ones will be a nightmare. Could linkagg them, but that can eat up a lot of ports.
- We are still doing a lot of testing and configuration changes to them. If we mess something up and lose remote access/failed firmware update, it would bring down the system and many of these sites are critical to have CCTV be online.

That's a lot to read, but I hope it provides the background and use case for you. Appreciate the help! It'd be great if we could bring somebody on with more of the networking knowledge, but for now it's me, these forums and learning to figure it out for myself!

Re: Internet to all VLANs

Post by Gleylancer »

I see what your goal is, but not what kind of solution you are aiming for.

If the cameras are on a completely different network and should only get internet access for firmware/software updates, you should either place a proxy server on that network, or a private server that provides these updates, you could even consider DNS manipulation if the CCTV equipment is stubborn.
