Ubiquiti - Unifi Layer 3 Switch (USW pro) configuration with Fortigate

Hi,

I am new to setting up Layer 3 routing in UniFi - I don’t have a Cisco background either, and am very familiar with Layer 2 routing in UniFi switches. My scenario is the following:

I have a FortiGate firewall that I am trying to set up with USW Pro switches.

My management LAN is 192.168.1.1 - (DHCP enabled from the Fortinet firewall) (default VLAN)

VLANs:
192.168.2.1 - Layer 3 switch is the default GW, DHCP managed from the switch (VLAN ID 2)
192.168.3.1 - Layer 3 switch is the default GW, DHCP managed from the switch (VLAN ID 3)
192.168.4.1 - Layer 3 switch is the default GW, DHCP managed from the switch (VLAN ID 4)
172.16.0.1 - Tagged VLAN (172) for Voice

I created interfaces with the same VLAN tags on the Fortinet (GW 192.168.2.254, 3.254, 4.254) and have made static routes as well for the subnet 10.255.253.0 to route any traffic out of the VLAN or to the internet from the switch to the firewall.

My Issue:

  1. Inter-VLAN routing between VLANs 2, 3, 4 works seamlessly, but I am not able to ping the 192.168.1.1 network from any of the VLANs.
  2. I am able to ping the firewall from each individual subnet, but internet traffic is not going through from the switch to the firewall. However, I am able to ping 10.255.253.1 from any of the VLANs.

I would appreciate any advice and guidance anyone can provide. Thanks

  1. Don’t create the VLANs on the Fortinet - delete 192.168.2.254, 3.254, 4.254.
  2. Look in your Unifi Controller’s list of networks for the “Inter-VLAN Routing” network. You need to add this VLAN to your fortinet, with the Fortinet using the first IP in the subnet.
  3. Create static routes for 192.168.2.0/24, 3.0/24, and 4.0/24 on the Fortinet pointing to the switch’s IP in the Inter-VLAN Routing network (I am not 100% sure how you verify this IP address - I know some people SSH into the switch and run a command to get all of its IP addresses)

Edit: Basically at this point you need to think of the switch as a router, for the subnets that you set it to be the default gateway for. This means normal static routing procedures apply. The switch has its default gateway IP set to the first IP in the Inter-VLAN Routing subnet.

@brwainer
Thanks for the reply

  1. I haven’t created the VLANs on the Fortinet - all VLANs are created on the switch and the default gateway is set as the switch.
  2. I have added the Inter-VLAN Routing network to the Fortinet with VLAN ID 4040 and set the gateway to 10.255.253.2, which is the switch GW.

Now the issue is that I am not able to access the internet via the switch. Also, I am not able to ping the management VLAN 192.168.1.1, which is created on the Fortinet for management purposes.

I’ll post some logs and pictures once I am at the site so you can get a clear picture.

Thanks

Hi,

@brwainer - just to update - I followed the instructions you provided and the internet is working perfectly, along with internal VLAN routing on the Layer 3 switch.

The only issue I am currently facing is that from any of the internal VLANs (3.x, 4.x, 5.x), I am not able to ping the 192.168.1.1 network, which is on the Fortinet firewall.

I am able to browse the internet, but not able to ping 192.168.1.1 or any device in that network, and vice versa. Any suggestions would be greatly appreciated.

Thanks

Does the Fortinet default firewall allow or deny traffic between “LAN” subnets? You may want to try creating an allow firewall rule like “from 192.168.0.0/16 to 192.168.0.0/16”. I have no experience with Fortinet so I don’t know how their firewall rules are done.

Run a traceroute to one of the IPs you can’t reach, from both ends.
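As an added illustration (not posted by anyone in this thread, and not Ubiquiti or Fortinet documentation), this is what the three steps in the earlier answer plus the firewall-policy point in this reply look like in FortiOS CLI. Assumptions, since the thread does not state them: the Inter-VLAN Routing network is 10.255.253.0/24 on VLAN 4040 (the thread gives 10.255.253.1 for the firewall and 10.255.253.2 for the switch; the /24 is assumed), the FortiGate port facing the USW Pro is `internal` and carries 192.168.1.0/24 untagged, the upstream port is `wan1`, and every interface, address and policy name below is invented for the example.

```fortios
# Assumed: "internal" = port towards the USW Pro (192.168.1.1/24 untagged, the
# default VLAN); "wan1" = upstream port; 10.255.253.0/24 on VLAN 4040 = the
# controller's "Inter-VLAN Routing" network. Route IDs 2-4 must be unused.

# 1. FortiGate side of the Inter-VLAN Routing network: first IP in the
#    subnet, tagged 4040 on the same trunk that carries the default VLAN.
config system interface
    edit "intervlan"
        set vdom "root"
        set interface "internal"
        set vlanid 4040
        set ip 10.255.253.1 255.255.255.0
        set allowaccess ping
    next
end

# 2. Return routes: the switch (10.255.253.2) is the next hop for every
#    subnet it is the gateway for. Without these, replies to 192.168.2-4.x
#    follow the default route out wan1 and never reach the switch.
config router static
    edit 2
        set dst 192.168.2.0 255.255.255.0
        set gateway 10.255.253.2
        set device "intervlan"
    next
    edit 3
        set dst 192.168.3.0 255.255.255.0
        set gateway 10.255.253.2
        set device "intervlan"
    next
    edit 4
        set dst 192.168.4.0 255.255.255.0
        set gateway 10.255.253.2
        set device "intervlan"
    next
end

# 3. Address objects so the policies match the routed subnets, not the
#    whole 10.255.253.0/24 transit network.
config firewall address
    edit "net-vlan2"
        set subnet 192.168.2.0 255.255.255.0
    next
    edit "net-vlan3"
        set subnet 192.168.3.0 255.255.255.0
    next
    edit "net-vlan4"
        set subnet 192.168.4.0 255.255.255.0
    next
    edit "net-mgmt"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "grp-switch-vlans"
        set member "net-vlan2" "net-vlan3" "net-vlan4"
    next
end

# 4. Policies. A FortiGate denies by default, so traffic arriving on
#    "intervlan" needs an explicit accept to reach wan1 and to reach the
#    management LAN on "internal"; the third policy covers the "vice versa"
#    direction. "edit 0" lets FortiOS pick the next free policy ID.
config firewall policy
    edit 0
        set name "switch-vlans-to-internet"
        set srcintf "intervlan"
        set dstintf "wan1"
        set srcaddr "grp-switch-vlans"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set name "switch-vlans-to-mgmt"
        set srcintf "intervlan"
        set dstintf "internal"
        set srcaddr "grp-switch-vlans"
        set dstaddr "net-mgmt"
        set action accept
        set schedule "always"
        set service "PING"
        set logtraffic all
    next
    edit 0
        set name "mgmt-to-switch-vlans"
        set srcintf "internal"
        set dstintf "intervlan"
        set srcaddr "net-mgmt"
        set dstaddr "grp-switch-vlans"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

After applying, `get router info routing-table all` should list the three static routes via 10.255.253.2 on `intervlan`, and `diagnose sniffer packet intervlan 'icmp' 4` shows whether echo requests from a VLAN 2-4 host arrive and whether replies leave. Two caveats: the policies only govern traffic that crosses the VLAN 4040 link (internet and the management LAN); VLAN 2, 3 and 4 talk to each other on the switch and the FortiGate never sees that traffic. And the second policy deliberately allows only PING from the routed subnets into the management LAN, matching the symptom in the thread; widen `service` only for the management protocols actually needed rather than "ALL".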

Hi Brwainer

I deleted all the VLANs from my FortiGate; I only added the inter-VLAN for step 3.
I went to static route in the FortiGate. 192.168.43.1/24 is a VLAN on my Ubiquiti L3 switch and the gateway address is the IP address for my L3 switch on the Ubiquiti native VLAN. Is this correct? I have attached snapshots.

I am trying to allow all the VLANs I created to access the internet and also talk to the native VLAN.

In the Fortinet, the gateway IP for the new static routes would be the IP of the switch in the interVLAN network - maybe 10.255.253.2?

So you’re aware and OK with all the VLANs being able to communicate between each other with no limitations? The only difference between this, and having a completely flat network (no VLANs/subnets) is that broadcast and multicast packets won’t move between VLANs. The fortinet will only see traffic that is going to/from the internet.