Configure VLAN

Last update: March 04 2024

Configure VLAN

Virtual Local Area Networks (VLANs) allow you to segment your network, maximize performance, and provide additional network security.

To create two virtual networks with access to each other and to the Internet:

1. Create interfaces.
2. Configure security policy.

Create interfaces⁠

UI

1. Click the Network → Interfaces tab.
2. Specify a name for the new interface.
3. Select VLAN for Type.
4. Set the network ID in the VLAN ID field.
5. Select LAN for Role.
6. In the IP/Netmask field, set the network address and mask.
7. Add addresses for the created VLANs. To do this, go to Policy & Objects → Addresses.
8. Create a new address and specify its name and IP address. In recent versions of FortiOS firmware, these addresses are created automatically when VLAN interfaces are created.

Console

To create a new interface through the CLI, type:

    config system interface
        edit "VLAN 101"
            set vdom root
            set ip 192.168.101.1 255.255.255.255.0
            set allowaccess ping https ssh http
            set role lan
            set interface lan
            set vlanid 101
        next
        edit "VLAN 102"
            set vdom root
            set ip 192.168.102.1 255.255.255.255.0
            set allowaccess ping https ssh http
            set role lan
            set interface lan
            set vlanid 102
    end

Add addresses for the created VLANs:

    config firewall address
        edit VLAN 101 address
            set type ipmask
            set subnet <IP> <MASK>
        next
        edit VLAN 102 address
            set type ipmask
            set subnet <IP> <MASK>
    end

Customize security policy⁠

UI

Create two policies for VLAN subnets to access each other. In these policies, make sure that NAT is enabled.

1. Go to Policy & Objects → IPv4 Policy and create a new policy.
2. Select the interface of the first VLAN as the Incoming Interface and the interface of the second VLAN as the Outgoing Interface.
3. Select the address of the first VLAN as Source and the address of the second VLAN as Destination.
4. Make sure that NAT is turned off.
5. Create a second policy, but swap the VLANs.
6. Create two policies for each VLAN subnet for Internet access similar to the previous ones, but select the external interface as the Outgoing Interface.

Console

To create a new policy through the CLI, type:

    config firewall policy
        edit 3
            set name "VLAN 101 to VLAN 102"
            set srcintf "VLAN 101"
            set dstintf "VLAN 102"
            set srcaddr "VLAN 101 address"
            set dstaddr "VLAN 102 address"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat disable
        next
    edit 4
            set name "VLAN 102 to VLAN 101"
            set srcintf "VLAN 102"
            set dstintf "VLAN 101"
            set srcaddr "VLAN 102 address"
            set dstaddr "VLAN 101 address"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat disable
        next
    end

Create two policies for each VLAN subnet for Internet access similar to the previous ones:

    config firewall system
        edit 5
            set name "VLAN 101 to Internet"
            set srcintf "VLAN 101"
            set dstintf "wan1"
            set srcaddr "VLAN 101 address"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 6
            set name "VLAN 102 to Internet"
            set srcintf "VLAN 102"
            set dstintf "wan1"
            set srcaddr "VLAN 102 address"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end