Configuring VLAN
Virtual Local Area Networks (VLANs) allow you to segment networks, increase performance, and provide additional network security.
By way of example, let’s create two virtual networks with access to each other and the Internet.
Creating Interfaces
Graphical Interface
To create a new interface:
- Go to the Network → Interfaces tab.
- Set a name for the new interface.
- Set Type to VLAN.
- Set the network ID in the VLAN ID field.
- Set Role to LAN.
- Set the IP address and netmask in the IP/Netmask field.
- Add addresses for the created VLANs. To do this, go to the Policy & Objects → Addresses tab.
- Create a new address and enter its name and IP address. In the latest versions of the FortiOS firmware, these addresses are created automatically when creating VLAN interfaces.
Console Interface
To create a new interface through the CLI, enter the following:
config system interface
    edit "VLAN 101"
        set vdom root
        set ip 192.168.101.1 255.255.255.0
        set allowaccess ping https ssh http
        set role lan
        set interface lan
        set vlanid 101
    next
    edit "VLAN 102"
        set vdom root
        set ip 192.168.102.1 255.255.255.0
        set allowaccess ping https ssh http
        set role lan
        set interface lan
        set vlanid 102
    next
end
Add addresses for the created VLANs (names containing spaces must be quoted):
config firewall address
    edit "VLAN 101 address"
        set type ipmask
        set subnet <IP> <MASK>
    next
    edit "VLAN 102 address"
        set type ipmask
        set subnet <IP> <MASK>
    next
end
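The two CLI blocks above, and the policies that the next section adds by hand, follow a fixed pattern per VLAN. The following Python script is an added example, not the guide's or Fortinet's own code, that generates that configuration for any number of VLANs: one interface and one address object per VLAN, an accept policy for every ordered pair of VLANs, and one Internet policy per VLAN. The parent interface `lan`, vdom `root`, WAN interface `wan1` and the starting policy id 3 are taken from this page; the `internet_nat` switch is an assumption of the example and is off by default, as in the guide.

```python
# Added example (not FortiGate's own tooling): emit the FortiOS CLI for any
# number of VLANs, following the layout of this guide. Assumed names: parent
# interface "lan", vdom "root", WAN interface "wan1", first policy id 3.
from dataclasses import dataclass
from ipaddress import IPv4Interface
from itertools import permutations


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    gateway: IPv4Interface  # FortiGate's address on the VLAN, e.g. 192.168.101.1/24

    @property
    def name(self):
        return f"VLAN {self.vlan_id}"

    @property
    def address_name(self):
        return f"{self.name} address"


def _entry(name, settings):
    """One 'edit ... next' table entry, indented the way 'show' prints it."""
    return [f"    edit {name}"] + [f"        set {s}" for s in settings] + ["    next"]


def interface_block(vlans, parent="lan", vdom="root"):
    lines = ["config system interface"]
    for v in vlans:
        lines += _entry(f'"{v.name}"', [
            f"vdom {vdom}",
            f"ip {v.gateway.ip} {v.gateway.netmask}",
            "allowaccess ping https ssh http",
            "role lan",
            f"interface {parent}",
            f"vlanid {v.vlan_id}",
        ])
    return lines + ["end"]


def address_block(vlans):
    """Address objects for each VLAN subnet, derived from the interface prefix."""
    lines = ["config firewall address"]
    for v in vlans:
        net = v.gateway.network
        lines += _entry(f'"{v.address_name}"', [
            "type ipmask",
            f"subnet {net.network_address} {net.netmask}",
        ])
    return lines + ["end"]


def _policy(pid, name, src, dst, srcaddr, dstaddr, nat):
    return _entry(str(pid), [
        f'name "{name}"', f'srcintf "{src}"', f'dstintf "{dst}"',
        f'srcaddr "{srcaddr}"', f'dstaddr "{dstaddr}"',
        "action accept", 'schedule "always"', 'service "ALL"', f"nat {nat}",
    ])


def policy_block(vlans, wan="wan1", first_id=3, internet_nat=False):
    lines = ["config firewall policy"]
    pid = first_id
    # Policies are unidirectional, so every ordered pair of VLANs needs its own entry.
    for a, b in permutations(vlans, 2):
        lines += _policy(pid, f"{a.name} to {b.name}", a.name, b.name,
                         a.address_name, b.address_name, "disable")
        pid += 1
    # Internet access: the guide leaves NAT off; internet_nat=True is for the case
    # where the FortiGate itself must source-NAT the private VLAN subnets to the WAN.
    for v in vlans:
        lines += _policy(pid, f"{v.name} to Internet", v.name, wan,
                         v.address_name, "all", "enable" if internet_nat else "disable")
        pid += 1
    return lines + ["end"]


def generate(vlans, parent="lan", vdom="root", wan="wan1", first_id=3, internet_nat=False):
    """Full CLI text: interfaces, then address objects, then policies."""
    blocks = (interface_block(vlans, parent, vdom) + address_block(vlans)
              + policy_block(vlans, wan, first_id, internet_nat))
    return "\n".join(blocks)


if __name__ == "__main__":
    # Constructed two-VLAN layout matching the guide's example.
    demo = [Vlan(101, IPv4Interface("192.168.101.1/24")),
            Vlan(102, IPv4Interface("192.168.102.1/24"))]
    print(generate(demo))
```

Paste the output into the CLI or diff it against `show firewall policy` on the unit. Because every ordered pair of VLANs gets its own policy, the inter-VLAN part grows as n(n-1) entries: two VLANs need two, three need six.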
Configuring Security Policy
Graphical Interface
Create two policies so that the VLAN subnets can reach each other. To add the rules:
- Go to the Policy & Objects → IPv4 Policy section and create a new policy.
- Select the interface of the first VLAN as the Incoming Interface and the interface of the second VLAN as the Outgoing Interface.
- Select the address of the first VLAN as Source, and the address of the second VLAN as Destination.
- This policy does not require NAT, so make sure that it is disabled.
- Create a second policy in the same way, but with the two VLANs swapped.
- Create one more policy per VLAN subnet for Internet access, similar to the previous ones, but select the external interface as the Outgoing Interface. Make sure that NAT is disabled for these policies.
Console Interface
To create a new policy through the CLI, enter the following:
config firewall policy
    edit 3
        set name "VLAN 101 to VLAN 102"
        set srcintf "VLAN 101"
        set dstintf "VLAN 102"
        set srcaddr "VLAN 101 address"
        set dstaddr "VLAN 102 address"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 4
        set name "VLAN 102 to VLAN 101"
        set srcintf "VLAN 102"
        set dstintf "VLAN 101"
        set srcaddr "VLAN 102 address"
        set dstaddr "VLAN 101 address"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
Create one Internet-access policy per VLAN subnet, similar to the previous ones (these are firewall policies too, so the table is again `config firewall policy`):
config firewall policy
    edit 5
        set name "VLAN 101 to Internet"
        set srcintf "VLAN 101"
        set dstintf "wan1"
        set srcaddr "VLAN 101 address"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 6
        set name "VLAN 102 to Internet"
        set srcintf "VLAN 102"
        set dstintf "wan1"
        set srcaddr "VLAN 102 address"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
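Because policies are unidirectional and reference interfaces and address objects by name, a typo in an address name or a forgotten reverse policy does not raise an error; it silently leaves one direction of traffic blocked. The following Python script is an added example, not Fortinet tooling, that parses `show`-style CLI text into tables and checks the invariants this guide depends on: every referenced interface and address exists, every inter-VLAN policy has its reciprocal, inter-VLAN policies keep NAT disabled, and policies using service ALL are flagged so they can be tightened to the ports each segment actually needs. The embedded sample configuration is constructed and deliberately contains two mistakes.

```python
# Added example (not Fortinet tooling): parse 'show'-style FortiOS CLI and check
# the policy invariants this guide relies on. The sample config at the bottom is
# constructed and deliberately contains two mistakes.
import shlex


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} from config/edit/set/next/end lines."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        words = shlex.split(raw)          # honours the double quotes around names
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            table = tables.setdefault(" ".join(args), {})
        elif cmd == "edit":
            entry = table.setdefault(args[0], {})
        elif cmd == "set":
            entry[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":                # 'end' inside an edit also closes the entry
            table, entry = None, None
    return tables


def audit_policies(tables, wan_interfaces=("wan1",)):
    """List problems: dangling references, missing reverse policies, NAT, broad service."""
    findings = []
    policies = tables.get("firewall policy", {})
    addresses = set(tables.get("firewall address", {})) | {"all"}
    interfaces = set(tables.get("system interface", {})) | set(wan_interfaces)
    # (srcintf, dstintf) of every policy that stays inside the VLANs
    internal = {(p["srcintf"][0], p["dstintf"][0]) for p in policies.values()
                if p["dstintf"][0] not in wan_interfaces}
    for pid, p in policies.items():
        src, dst = p["srcintf"][0], p["dstintf"][0]
        for key in ("srcintf", "dstintf"):
            findings += [f"policy {pid}: unknown interface {i!r}"
                         for i in p[key] if i not in interfaces]
        for key in ("srcaddr", "dstaddr"):
            findings += [f"policy {pid}: unknown address {a!r}"
                         for a in p.get(key, []) if a not in addresses]
        if dst not in wan_interfaces:
            if (dst, src) not in internal:
                findings.append(f"policy {pid}: no reciprocal policy from {dst!r} to {src!r}")
            if p.get("nat", ["disable"])[0] != "disable":
                findings.append(f"policy {pid}: NAT is enabled on an inter-VLAN policy")
        if p.get("service") == ["ALL"]:
            findings.append(f"policy {pid}: service ALL; restrict to the ports the segment needs")
    return findings


# Constructed sample: the VLAN 102 -> VLAN 101 policy is missing and policy 3
# references a misspelled address object.
SAMPLE = """\
config system interface
    edit "VLAN 101"
        set vlanid 101
    next
    edit "VLAN 102"
        set vlanid 102
    next
end
config firewall address
    edit "VLAN 101 address"
        set subnet 192.168.101.0 255.255.255.0
    next
    edit "VLAN 102 address"
        set subnet 192.168.102.0 255.255.255.0
    next
end
config firewall policy
    edit 3
        set name "VLAN 101 to VLAN 102"
        set srcintf "VLAN 101"
        set dstintf "VLAN 102"
        set srcaddr "VLAN 101 address"
        set dstaddr "VLAN 102 addr"
        set action accept
        set service "ALL"
        set nat disable
    next
    edit 5
        set name "VLAN 101 to Internet"
        set srcintf "VLAN 101"
        set dstintf "wan1"
        set srcaddr "VLAN 101 address"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""

if __name__ == "__main__":
    for finding in audit_policies(parse_fortios(SAMPLE)):
        print(finding)
```

Feed it the output of `show system interface`, `show firewall address` and `show firewall policy` concatenated; the parser only understands the `config`/`edit`/`set`/`next`/`end` structure used on this page, which is all those commands print for the objects created here.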