Enterprise IT Network Config Manual
FortiOS 6.4+ | Ruijie RGOS | VMware ESXi 6/7 | 7 VLANs | SSL VPN

Network Operations

Production Network Configuration Manual

A single-page runbook for infrastructure teams configuring the NTU/Router, FortiGate FG-81E, Ruijie RG-S2910 Core Switch, VLAN/IP plan, LAG trunk, SSL VPN, and HPE DL360 virtualization host.

  • Firewall: FortiGate FG-81E
  • Core Switch: Ruijie RG-S2910
  • Gateway VLAN: 192.168.5.254
  • WAN Mode: PPPoE / Dynamic IP

Interactive Network Diagram

Mermaid diagram showing the path from ISP -> Router -> Firewall -> Core Switch -> Servers, including the reference IP and VLAN plan.

Prerequisites & Hardware Specs

Prepare the serial console, engineer notebook, management IP plan, and configuration backups before changing the topology.

Layer    | Model / Spec                   | Management IP              | Role
Internet | NT ISP FTTx + DynDNS           | Dynamic Public IP          | PPPoE uplink
Edge     | NTU + Wireless Router          | 192.168.1.1                | Bridge/router, port forward to firewall
Firewall | FortiGate FG-81E               | 192.168.1.254 / 192.168.5.1 | NGFW, NAT, SSL VPN, policy control
Core     | Ruijie RG-S2910-24GT4SFP-UP-H  | 192.168.5.254              | L3 switching, DHCP, VLAN gateway
Server   | HPE ProLiant DL360 Gen 8       | iLO 192.168.5.10           | Virtualization host (ESXi/Proxmox)
Cabling  | Cat6 UTP x 8+, RJ45-to-Serial  | N/A                        | Console + trunk links

Data Schema for Config Snippets

{
  "id": "switch-vlan-create",
  "title": "Create VLANs",
  "device": "Ruijie RG-S2910",
  "os": "RGOS",
  "risk": "medium",
  "rollback": "no vlan <id>",
  "commands": ["vlan 5", "name MGMT", "exit"]
}

Gateway / Router Config

Configure the NTU/Router to receive PPPoE from the ISP and hand off traffic to FortiGate through the WAN segment.

WAN PPPoE

  • Mode: PPPoE / Dynamic Public IP
  • LAN IP: 192.168.1.1/24
  • Port forward / DMZ target: 192.168.1.254

Static Route

  • Route internal VLANs back to FortiGate/Core as required
  • Disable duplicate DHCP scope on the router if the Core Switch owns DHCP

ROUTER CHECKLIST
1. Log in to the NTU/Router: http://192.168.1.1
2. Set WAN mode: PPPoE
3. Confirm public/DynDNS status from ISP
4. Set LAN IP: 192.168.1.1/24
5. Forward required ports or DMZ to FortiGate WAN: 192.168.1.254
6. Disable router DHCP if Core Switch provides DHCP
7. Save config and reboot during the maintenance window

Firewall Rules & VPN

FortiGate provides NGFW inspection, NAT, remote access SSL VPN, and policy control between WAN, LAN, and VPN zones.

FORTIGATE CLI
config system interface
    edit "wan1"
        set mode static
        set ip 192.168.1.254 255.255.255.0
        set allowaccess ping https ssh
        set alias "NTU handoff"
    next
    edit "lan"
        set ip 192.168.5.1 255.255.255.0
        set allowaccess ping https ssh fabric
        set alias "Core switch transit"
    next
end

config router static
    edit 1
        set gateway 192.168.1.1
        set device "wan1"
    next
    edit 2
        set dst 192.168.0.0 255.255.0.0
        set gateway 192.168.5.254
        set device "lan"
    next
end

FORTIGATE CLI
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    set port 10443
    config authentication-rule
        edit 1
            set groups "VPN_USERS"
            set portal "full-access"
        next
    end
end

FORTIGATE CLI
config firewall policy
    edit 0
        set name "SSLVPN_to_LAN"
        set srcintf "ssl.root"
        set dstintf "lan"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
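
Added example, not part of the original runbook or any Fortinet tooling: a small Python review of the FortiGate blocks above that parses the `config` / `edit` / `set` structure and flags settings worth a second look before go-live. The sample text is condensed from this page; the three review rules and the `wan` parameter are this example's assumptions.

```python
import shlex

# Constructed sample, condensed from the FortiGate CLI blocks on this page.
FGT_CFG = """
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
end
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstaddr "all"
        set service "ALL"
    next
end
"""

def parse(cfg):
    """Return {(section, entry): {key: [values]}} from FortiOS CLI text."""
    tree, stack = {}, []  # stack holds one [section, entry] frame per open config
    for tok in filter(None, map(shlex.split, cfg.splitlines())):
        if tok[0] == "config":
            stack.append([" ".join(tok[1:]), None])
        elif tok[0] == "end":
            stack.pop()
        elif tok[0] in ("edit", "next"):
            stack[-1][1] = tok[1] if tok[0] == "edit" else None
        elif tok[0] == "set":
            tree.setdefault(tuple(stack[-1]), {})[tok[1]] = tok[2:]
    return tree

def review(cfg, wan=("wan1",)):
    """Hardening notes; the rules are this example's assumptions."""
    notes = []
    for (sec, ent), kv in parse(cfg).items():
        admin = {"http", "https", "ssh", "telnet"} & set(kv.get("allowaccess", []))
        if sec == "system interface" and ent in wan and admin:
            notes.append(f"{ent}: admin access {sorted(admin)} on WAN-facing port")
        if sec == "vpn ssl settings" and kv.get("servercert") == ["Fortinet_Factory"]:
            notes.append("ssl vpn: factory default certificate in use")
        if (sec == "firewall policy" and kv.get("srcintf") == ["ssl.root"]
                and kv.get("dstaddr") == ["all"] and kv.get("service") == ["ALL"]):
            notes.append(f"policy {ent}: VPN users reach every address and service")
    return notes
```

`review(FGT_CFG)` returns three notes for the sample. Because the router checklist forwards ports or DMZ traffic to 192.168.1.254, the `wan1` note matters most: whatever the router forwards can reach the admin services enabled there.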

Core Switch: VLANs, LAG, Trunk

The Ruijie Core Switch acts as the L3 gateway, DHCP service point, and aggregation layer for FortiGate and server uplinks.

VLAN | Name       | Subnet           | Gateway         | Purpose
5    | MGMT       | 192.168.5.0/24   | 192.168.5.254   | Network management
10   | OFFICE     | 192.168.10.0/23  | 192.168.10.254  | Office users
20   | HR_FIN     | 192.168.20.0/24  | 192.168.20.254  | HR/Finance
30   | SERVERS    | 192.168.30.0/24  | 192.168.30.254  | Virtual server network
40   | WIFI_GUEST | 192.168.40.0/23  | 192.168.40.254  | Guest Wi-Fi
90   | IOT_CCTV   | 192.168.90.0/23  | 192.168.90.254  | Camera/IoT
100  | DMZ        | 192.168.100.0/24 | 192.168.100.254 | Public-facing services

RUIJIE CLI
configure terminal
vlan 5
 name MGMT
 exit
vlan 10
 name OFFICE
 exit
vlan 20
 name HR_FIN
 exit
vlan 30
 name SERVERS
 exit
vlan 40
 name WIFI_GUEST
 exit
vlan 90
 name IOT_CCTV
 exit
vlan 100
 name DMZ
 exit
show vlan brief

RUIJIE CLI
configure terminal
interface vlan 5
 ip address 192.168.5.254 255.255.255.0
 no shutdown
 exit
interface vlan 10
 ip address 192.168.10.254 255.255.254.0
 no shutdown
 exit
interface vlan 20
 ip address 192.168.20.254 255.255.255.0
 no shutdown
 exit
interface vlan 30
 ip address 192.168.30.254 255.255.255.0
 no shutdown
 exit
ip route 0.0.0.0 0.0.0.0 192.168.5.1

RUIJIE CLI
configure terminal
interface range gigabitEthernet 0/21-24
 port-group 1 mode active
 exit
interface aggregateport 1
 description LAG_TO_FORTIGATE
 switchport mode trunk
 switchport trunk native vlan 5
 switchport trunk allowed vlan only 5,10,20,30,40,90,100
 exit
show interfaces aggregateport 1 switchport

RUIJIE CLI
configure terminal
interface range gigabitEthernet 0/17-20
 port-group 2 mode active
 exit
interface aggregateport 2
 description LAG_TO_HPE_DL360_ESXI
 switchport mode trunk
 switchport trunk native vlan 5
 switchport trunk allowed vlan only 5,30,100
 exit
show lacp neighbor
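
Added example, not part of the original runbook: a Python cross-check of the VLAN table against the SVI and trunk blocks above, useful as a pre-change gate. The plan and sample config are copied or condensed from this page; the function and variable names are this example's own.

```python
import ipaddress
import re

# VLAN plan from the table on this page: id -> (name, subnet, gateway)
PLAN = {
    5: ("MGMT", "192.168.5.0/24", "192.168.5.254"),
    10: ("OFFICE", "192.168.10.0/23", "192.168.10.254"),
    20: ("HR_FIN", "192.168.20.0/24", "192.168.20.254"),
    30: ("SERVERS", "192.168.30.0/24", "192.168.30.254"),
    40: ("WIFI_GUEST", "192.168.40.0/23", "192.168.40.254"),
    90: ("IOT_CCTV", "192.168.90.0/23", "192.168.90.254"),
    100: ("DMZ", "192.168.100.0/24", "192.168.100.254"),
}

# Constructed sample, condensed from the SVI and trunk blocks on this page.
SWITCH_CFG = """
interface vlan 5
 ip address 192.168.5.254 255.255.255.0
interface vlan 10
 ip address 192.168.10.254 255.255.254.0
interface vlan 20
 ip address 192.168.20.254 255.255.255.0
interface vlan 30
 ip address 192.168.30.254 255.255.255.0
interface aggregateport 1
 switchport trunk allowed vlan only 5,10,20,30,40,90,100
interface aggregateport 2
 switchport trunk allowed vlan only 5,30,100
"""

def audit(plan, cfg):
    """Return findings where the switch config disagrees with the VLAN plan."""
    svis, trunks, port, out = {}, {}, "", []
    for line in map(str.strip, cfg.splitlines()):
        if line.startswith("interface "):
            port = line[len("interface "):]
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and port.startswith("vlan "):
            svis[int(port.split()[1])] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"switchport trunk allowed vlan only ([\d,]+)$", line):
            trunks[port] = {int(v) for v in m[1].split(",")}
    for vid, (name, subnet, gw) in plan.items():
        svi = svis.get(vid)
        if svi is None:
            out.append(f"VLAN {vid} {name}: planned gateway {gw} has no SVI")
        elif str(svi.ip) != gw or svi.network != ipaddress.ip_network(subnet):
            out.append(f"VLAN {vid}: SVI {svi} does not match plan {gw} in {subnet}")
    out += [f"{p}: trunk allows undefined VLAN {v}"
            for p, vids in trunks.items() for v in sorted(vids - set(plan))]
    return out
```

Run on this page's values, `audit(PLAN, SWITCH_CFG)` reports VLANs 40, 90 and 100: the table gives each a gateway, but the SVI block only creates interfaces for VLANs 5, 10, 20 and 30. Either add the matching `interface vlan` entries or record where those gateways actually live before the change window.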

Virtualization Host: HPE DL360 Gen 8

The host supports ESXi or Proxmox over a VLAN trunk from the Core Switch, with out-of-band management separated through iLO.

ILO NETWORK SETTINGS
IP Address:  192.168.5.10
Subnet Mask: 255.255.255.0
Gateway:     192.168.5.254
DNS:         192.168.5.1
Hostname:    bug-srv01-ilo
Access URL:  https://192.168.5.10

ESXI / PROXMOX HOST PLAN
Physical NICs:
  vmnic0-3: LACP uplink to Ruijie AggregatePort 2

Port Groups:
  MGMT        VLAN 5    vmkernel / host management
  SERVERS     VLAN 30   production virtual machines
  DMZ         VLAN 100  reverse proxy / public services

ESXi:
  vSwitch or vDS uplink policy: Route based on IP hash when using LACP

Proxmox:
  Create Linux bond mode 802.3ad, then VLAN-aware bridge vmbr0

Maintenance Log

Record change windows, rollback steps, and owners so other engineers can continue operations safely.

Date       | Change                | Device      | Owner        | Rollback
2026-04-29 | Initial manual build  | All         | Network Team | Restore saved config
YYYY-MM-DD | Describe change here  | Device name | Engineer     | Rollback command / backup file

Backup / Verify / Rollback

VERIFY CHECKLIST
FortiGate:
  get system status
  get router info routing-table all
  diagnose vpn ssl list
  execute ping 192.168.5.254

Ruijie:
  show vlan brief
  show ip interface brief
  show lacp neighbor
  show ip route
  ping 192.168.5.1

Host:
  ping 192.168.5.10
  confirm ESXi/Proxmox port groups and VLAN tags

ROLLBACK PLAN
1. Keep pre-change backups from FortiGate and Ruijie.
2. If LAG trunk fails, move one uplink to access VLAN 5 for emergency management.
3. Restore firewall policy/routing from saved backup.
4. Restore switch startup-config or remove new VLAN/LAG commands.
5. Validate internet, SSL VPN, management IP, and server reachability.