Configure VLAN
Virtual Local Area Networks (VLANs) allow you to segment your network, maximize performance, and provide additional network security.
To create two virtual networks with access to each other and to the Internet:
Create interfaces
- Click the Network → Interfaces tab.
- Specify a name for the new interface.
- Select VLAN for Type.
- Set the network ID in the VLAN ID field.
- Select LAN for Role.
- In the IP/Netmask field, set the network address and mask.
- Add addresses for the created VLANs. To do this, go to Policy & Objects → Addresses.
- Create a new address and specify its name and IP address. In recent versions of FortiOS firmware, these addresses are created automatically when VLAN interfaces are created.
To create a new interface through the CLI, type:
config system interface
edit "VLAN 101"
set vdom root
set ip 192.168.101.1 255.255.255.0
set allowaccess ping https ssh http
set role lan
set interface lan
set vlanid 101
next
edit "VLAN 102"
set vdom root
set ip 192.168.102.1 255.255.255.0
set allowaccess ping https ssh http
set role lan
set interface lan
set vlanid 102
end
Add addresses for the created VLANs:
config firewall address
edit "VLAN 101 address"
set type ipmask
set subnet <IP> <MASK>
next
edit "VLAN 102 address"
set type ipmask
set subnet <IP> <MASK>
end
Customize security policy
Create two policies so that the VLAN subnets can reach each other. NAT is not needed in these policies: with NAT disabled, hosts in the destination VLAN see the real source address of the other VLAN.
- Go to Policy & Objects → IPv4 Policy and create a new policy.
- Select the interface of the first VLAN as the Incoming Interface and the interface of the second VLAN as the Outgoing Interface.
- Select the address of the first VLAN as Source and the address of the second VLAN as Destination.
- Make sure that NAT is turned off.
- Create a second policy, but swap the VLANs (both the interfaces and the addresses).
- Create two policies for each VLAN subnet for Internet access similar to the previous ones, but select the external interface as the Outgoing Interface and enable NAT, so that the private VLAN addresses are translated to the external interface address.
To create a new policy through the CLI, type:
config firewall policy
edit 3
set name "VLAN 101 to VLAN 102"
set srcintf "VLAN 101"
set dstintf "VLAN 102"
set srcaddr "VLAN 101 address"
set dstaddr "VLAN 102 address"
set action accept
set schedule "always"
set service "ALL"
set nat disable
next
edit 4
set name "VLAN 102 to VLAN 101"
set srcintf "VLAN 102"
set dstintf "VLAN 101"
set srcaddr "VLAN 102 address"
set dstaddr "VLAN 101 address"
set action accept
set schedule "always"
set service "ALL"
set nat disable
next
end
Create two policies for each VLAN subnet for Internet access similar to the previous ones, but with NAT enabled so that the private VLAN addresses are translated to the wan1 address:
config firewall policy
edit 5
set name "VLAN 101 to Internet"
set srcintf "VLAN 101"
set dstintf "wan1"
set srcaddr "VLAN 101 address"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
edit 6
set name "VLAN 102 to Internet"
set srcintf "VLAN 102"
set dstintf "wan1"
set srcaddr "VLAN 102 address"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
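The two mistakes these policy steps invite are forgetting to swap the address objects when the second inter-VLAN policy is created, and leaving NAT at its default on the Internet policies. The following script, an added example and not part of the original page or of FortiOS, parses a `config firewall policy` dump in the form shown above and reports both; the sample text is constructed, and it assumes that wan1 is the Internet-facing interface and that address objects follow this page's "VLAN N address" naming.

```python
import re

# Constructed sample in the same layout as the CLI above (assumed dump format):
# policy 4 still has policy 3's addresses, policy 5 has no "set nat" line.
SAMPLE = """\
config firewall policy
    edit 4
        set srcintf "VLAN 102"
        set dstintf "VLAN 101"
        set srcaddr "VLAN 101 address"
        set dstaddr "VLAN 102 address"
        set nat disable
    next
    edit 5
        set srcintf "VLAN 101"
        set dstintf "wan1"
        set srcaddr "VLAN 101 address"
        set dstaddr "all"
    next
end
"""
WAN_INTERFACES = {"wan1"}  # assumption: wan1 is the Internet-facing port

def parse_policies(text):
    """Parse 'edit N ... next' blocks into {policy_id: {key: [values]}}."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = policies.setdefault(int(line.split()[1]), {})
        elif line.startswith("set ") and current is not None:
            key, _, rest = line[4:].partition(" ")
            # values are "quoted strings" or bare words such as disable
            current[key] = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', rest)]
        elif line == "next":
            current = None
    return policies

def check_policies(policies):
    """Return (policy_id, message) findings for mismatched addresses and NAT misuse."""
    findings = []
    for pid, p in sorted(policies.items()):
        src, dst = p.get("srcintf", [""])[0], p.get("dstintf", [""])[0]
        nat = p.get("nat", ["disable"])[0]  # FortiOS default for "set nat" is disable
        if src.startswith("VLAN") and p.get("srcaddr") != [f"{src} address"]:
            findings.append((pid, f"srcaddr does not match srcintf {src}"))
        if dst in WAN_INTERFACES and nat != "enable":
            findings.append((pid, "Internet policy without source NAT"))
        if dst not in WAN_INTERFACES and nat == "enable":
            findings.append((pid, "inter-VLAN policy with NAT hides the real source IP"))
    return findings
```

Run it against the output of `show firewall policy` on the FortiGate; an empty list from `check_policies` means the four policies above match the intended layout.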