Switches, Hubs, and Modems
SOLVED
warmlight
Occasional Visitor

vlan can't go to internet

Hi, I am having a problem: I can't make my VLANs go to the internet. Currently I have a Fortigate firewall and a 2610 ProCurve switch with 3 VLANs set up. Now the problem is that my other VLANs can't go to the internet. Please advise.

firewall - 192.168.0.254
vlan 1 - 192.168.0.1
vlan 200 - 192.168.1.1
vlan 300 - 192.168.2.1

; J9085A Configuration Editor; Created on release #R.11.07

hostname "ProCurve Switch 2610-24"
ip default-gateway 192.168.0.254
ip routing
snmp-server community "public" Unrestricted
vlan 1
name "Server"
untagged 1,3,5,7,9,11,13,15,17,19,21,23,25-28
ip address 192.168.0.1 255.255.255.0
no untagged 2,4,6,8,10,12,14,16,18,20,22,24
exit
vlan 200
name "Production"
untagged 2,4,6,8,10,12
ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.0.201
tagged 1,23,25
exit
vlan 300
name "Tester"
untagged 14,16,18,20,22,24
ip address 192.168.2.1 255.255.255.0
ip helper-address 192.168.0.201
tagged 1
exit
ip route 0.0.0.0 0.0.0.0 192.168.0.254
password manager

Now only my default VLAN 1 can go to the internet; my VLAN 200 and VLAN 300 can't.

In the firewall I have already added routes to my VLANs:
ip route 192.168.1.0 255.255.255.0 192.168.0.1
ip route 192.168.2.0 255.255.255.0 192.168.0.1

Any help is appreciated.
Thanks!
6 REPLIES
Mohieddin Kharnoub
Honored Contributor

Re: vlan can't go to internet

Hi

The current configuration on both the 2610 and the firewall seems perfect to me.

However, make sure that you add a security policy on the Fortigate firewall to allow internet access from both subnets:
192.168.1.0/24
192.168.2.0/24

By default, the Fortigate won't allow such traffic, so it needs a security policy to allow that.

Good Luck !!!
Science for Everyone
warmlight
Occasional Visitor

Re: vlan can't go to internet

hi Mohieddin

In the Fortigate firewall, I have already created the VLAN 200 interface (192.168.1.254) and the VLAN 300 interface (192.168.2.254), and I have already added a policy allowing VLAN 200 and VLAN 300 to access the internet.

In the 2610 switch, if I add the route command
ip route 0.0.0.0 0.0.0.0 192.168.1.254 then only VLAN 200 can connect; if I change it to ip route 0.0.0.0 0.0.0.0 192.168.2.254 then only VLAN 300 can go to the internet. But the problem is that only one default route of this kind can exist in the switch. I can't add all the default routes in the switch.

So now, where does it go wrong...?



Mohieddin Kharnoub
Honored Contributor

Re: vlan can't go to internet

Hi

Well, I'm not sure why you've created VLANs 200 and 300 on the Fortigate, unless you need them there, since the routing is done on the switch.

What I suggest:

- Check the gateway of the clients on VLANs 200 and 300; it should be the switch.
- Try from one PC in VLAN 200 or 300 to ping the Fortigate interface 192.168.0.254.
- From the Fortigate, try to ping a client on VLAN 200 or 300.
- If you allow ping and it was OK, then try from the client (in VLAN 200 or 300) to resolve the DNS name of any web site, e.g. www.google.com, and see if it is working or not.
- Then check your DHCP scopes on the DHCP server 192.168.0.201.

And let us know your test results.

Good Luck !!!
Science for Everyone
warmlight
Occasional Visitor

Re: vlan can't go to internet

hi

- Check the gateway of the clients on VLANs 200 and 300; it should be the switch.

Ans: yes, my clients' gateways point to the VLAN interfaces of the switch.


- Try from one PC in VLAN 200 or 300 to ping the Fortigate interface 192.168.0.254.

Ans: it failed - request timed out.


- From the Fortigate, try to ping a client on VLAN 200 or 300.

Ans: from the Fortigate, I can ping clients on VLAN 200 or 300.

So you suggest there is no need to create the interfaces for VLAN 200 and 300 in the Fortigate, since routing is done in the switch?

Now the problem is that I can't ping 192.168.0.254 from the PC in VLAN 200 or 300. Is that the main problem? So what should I do to make it work..?

Thanks..

Mohieddin Kharnoub
Honored Contributor
Solution

Re: vlan can't go to internet

Hi

Usually, echo reply is disabled on firewalls unless you enable it.

However, since the firewall can see your clients in VLANs 200 and 300, then:

- Delete VLAN 200 and 300 from the firewall.
- Check the DNS test: maybe you can ping the IP of any web address like google.com but can't ping www.google.com, if it's a DNS problem.

Good Luck !!!
Science for Everyone
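As an added example (not from this thread or from HP/Fortinet), the small Python model below shows why the extra VLAN interfaces on the firewall break the return path: a directly connected interface has a lower administrative distance than a static route to the same prefix, so with VLAN 200/300 interfaces present the firewall's best route back to a client is out those interfaces rather than back to the switch at 192.168.0.1, and traffic that arrived via the switch fails the firewall's reverse-path check. The interface names and the distance values are assumptions; the addresses and routes are taken from the thread.

```python
import ipaddress

# Administrative distances (assumed values; a connected route beats a static
# route on most firewalls, FortiGate included, where connected=0 and static=10).
CONNECTED = 0
STATIC = 10


def route(prefix, via=None, distance=STATIC, iface=None):
    """Build one routing-table entry: a static route (via) or a connected one (iface)."""
    return {"prefix": ipaddress.ip_network(prefix), "via": via,
            "distance": distance, "iface": iface}


def lookup(table, dst):
    """Longest-prefix match first, then lowest administrative distance."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r["prefix"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["prefix"].prefixlen, r["distance"]))


def egress_interface(table, dst):
    """Interface a packet to dst leaves on, resolving a static next hop recursively."""
    r = lookup(table, dst)
    if r is None:
        return None
    return r["iface"] if r["iface"] else egress_interface(table, r["via"])


def firewall_table(with_vlan_interfaces):
    """Constructed firewall table from the thread: the two client subnets are
    statically routed to the switch (192.168.0.1); optionally add the VLAN
    interfaces the poster had created (interface names are assumptions)."""
    table = [
        route("192.168.0.0/24", distance=CONNECTED, iface="internal"),
        route("192.168.1.0/24", via="192.168.0.1"),
        route("192.168.2.0/24", via="192.168.0.1"),
    ]
    if with_vlan_interfaces:
        table += [route("192.168.1.0/24", distance=CONNECTED, iface="vlan200"),
                  route("192.168.2.0/24", distance=CONNECTED, iface="vlan300")]
    return table


def reverse_path_ok(table, client_ip, arrived_on="internal"):
    """Client traffic reaches the firewall through the switch, i.e. on 'internal'.
    The reverse-path check accepts it only if the firewall's own best route back
    to the client uses that same interface; otherwise the packet is dropped."""
    return egress_interface(table, client_ip) == arrived_on
```

The same model is consistent with the poster's observation that the firewall itself could still ping the clients: its own outbound packets simply left via the VLAN interfaces, so only the client-initiated direction was dropped.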
warmlight
Occasional Visitor

Re: vlan can't go to internet

hi

It works, I just removed the VLAN interfaces in my Fortigate firewall and then it was OK.

Many thanks to you..