ojacinto
Staff
January 3, 2017

Technical Tip: How to route traffic from one VDOM to another one using the inter-VDOM link connection

Description

This article describes how to forward the traffic from one VDOM to another one using the inter-VDOM link connection.

Scope

Requirements and prerequisites:

Make sure VDOMs are enabled. See general configurations for instructions on how to enable Multi-VDOM mode.

 

Diagram:

 

imagem.png

Solution

Step 1: Configure the inter-VDOM link.

 

Configure the Inter-VDOM link from GLOBAL using the web-based manager or the CLI:

 

image.png

 

Step 2: Configure the IP addresses for each VDOM:

 

image.png

 

Step 3: Verify connectivity between these two points:

 

config vdom
    edit SERVERS
        execute ping 192.168.100.1 <----- The IP of the root VDOM.
        PING 192.168.100.1 (192.168.100.1): 56 data bytes
        64 bytes from 192.168.100.1: icmp_seq=0 ttl=255 time=0.1 ms
        ^C
        --- 192.168.100.1 ping statistics ---
        1 packets transmitted, 1 packets received, 0% packet loss
        round-trip min/avg/max = 0.1/0.1/0.1 ms

 

The presence of virtual interfaces is one of the key differences between inter-VDOM links and regular interfaces.
Inter-VDOM links do not require IP addresses.
This introduces three possible situations with an inter-VDOM link:

  • Unnumbered: An inter-VDOM link with no IP addresses for either end of the tunnel.
  • Half-numbered: An inter-VDOM link with one IP address for one end and none for the other end.
  • Full-numbered: An inter-VDOM link with two IP addresses, one for each end.       <----- Scenario in use.

 

Note:

Half-numbered or full-numbered interfaces are required for NAT, either SNAT or DNAT, because an IP address is needed on both ends to translate between.

  • Use unnumbered interfaces in static routing by naming the interface and using 0.0.0.0 for the gateway.
  • Running traceroute will not show the interface in the list of hops.
  • However, the interface is visible when sniffing packets, which is useful for troubleshooting.

 

Step 4: Define the Inter-VDOM routing and firewall policies on each VDOM to allow the traffic.

The default gateway for the Internal VDOM communication will be the External VDOM (VDOM root in this example).


Internal VDOM (SERVERS):

Configure the static route by using the following command:

 

config vdom
    edit SERVERS
        config router static
            edit 1
                set gateway 192.168.100.1
                set device "VDOM_link1"
                set dst 0.0.0.0/0
            next
        end

 

Configure the policy using the following command:

 

    config firewall policy
        edit 1
            set name "SRV2INT"
            set uuid 7c34242c-5ff9-51ef-c915-84ce7d2213f2
            set srcintf "port2"
            set dstintf "VDOM_link1"
            set action accept
            set srcaddr "10.222.0.0/20"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
        next
    end

 

External VDOM (root):

Configure the static route using the following command:

 

config vdom
    edit root
        config router static
            edit 2
                set dst 10.222.0.0/20 <----- Servers subnet.
                set device VDOM_link0
                set gateway 192.168.100.2
        end

 

Configure the policy using the following command:

 

config firewall policy
    edit 1
        set name "SRV_SUB"
        set uuid c3b04978-5ffb-51ef-b826-1b22e711c8a8
        set srcintf "VDOM_link0" <----- VDOM interface.
        set dstintf "port1" <----- WAN Interface.
        set action accept
        set srcaddr "10.222.0.0/20"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

 

Step 5: Verify connectivity from the Windows Server:

 

image.png

 

Sniffer on the SERVERS VDOM:


diagnose sniffer packet any 'icmp' 4 0 l

2026-02-23 16:03:42.880590 port2 in 10.222.3.251 -> 54.151.118.105: icmp: echo request
2026-02-23 16:03:42.880645 VDOM_link1 out 10.222.3.251 -> 54.151.118.105: icmp: echo request
2026-02-23 16:03:42.880664 VDOM_link0 in 10.222.3.251 -> 54.151.118.105: icmp: echo request
2026-02-23 16:03:42.880689 port1 out 10.47.4.206 -> 54.151.118.105: icmp: echo request

2026-02-23 16:03:43.088405 port1 in 54.151.118.105 -> 10.47.4.206: icmp: echo reply
2026-02-23 16:03:43.088462 VDOM_link0 out 54.151.118.105 -> 10.222.3.251: icmp: echo reply
2026-02-23 16:03:43.088470 VDOM_link1 in 54.151.118.105 -> 10.222.3.251: icmp: echo reply
2026-02-23 16:03:43.088485 port2 out 54.151.118.105 -> 10.222.3.251: icmp: echo reply
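
The sniffer output above can be checked mechanically. The following is an added example, not part of the original article: it rebuilds the interface path of the echo request and reply and reports the hop at which the source or destination address was rewritten. It assumes the capture contains a single ICMP flow; the function names are this example's own.

```python
import re

# Sample input: the eight sniffer lines shown above (verbosity 4 adds interface and direction).
CAPTURE = """\
2026-02-23 16:03:42.880590 port2 in 10.222.3.251 -> 54.151.118.105: icmp: echo request
2026-02-23 16:03:42.880645 VDOM_link1 out 10.222.3.251 -> 54.151.118.105: icmp: echo request
2026-02-23 16:03:42.880664 VDOM_link0 in 10.222.3.251 -> 54.151.118.105: icmp: echo request
2026-02-23 16:03:42.880689 port1 out 10.47.4.206 -> 54.151.118.105: icmp: echo request

2026-02-23 16:03:43.088405 port1 in 54.151.118.105 -> 10.47.4.206: icmp: echo reply
2026-02-23 16:03:43.088462 VDOM_link0 out 54.151.118.105 -> 10.222.3.251: icmp: echo reply
2026-02-23 16:03:43.088470 VDOM_link1 in 54.151.118.105 -> 10.222.3.251: icmp: echo reply
2026-02-23 16:03:43.088485 port2 out 54.151.118.105 -> 10.222.3.251: icmp: echo reply
"""

LINE = re.compile(
    r"^\S+ \S+ (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\S+) -> (?P<dst>[^:\s]+): icmp: echo (?P<kind>request|reply)$"
)

def parse(text):
    """One dict per captured packet, in capture order; blank or unrelated lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, map(str.strip, text.splitlines())) if m]

def path(hops, kind):
    """Interfaces the echo request (or reply) crossed, with direction."""
    return [f"{h['intf']} {h['dir']}" for h in hops if h["kind"] == kind]

def rewrites(hops, kind):
    """(interface, field, before, after) wherever src or dst changed between two captures."""
    seq = [h for h in hops if h["kind"] == kind]
    return [
        (f"{cur['intf']} {cur['dir']}", field, prev[field], cur[field])
        for prev, cur in zip(seq, seq[1:])
        for field in ("src", "dst")
        if prev[field] != cur[field]
    ]

if __name__ == "__main__":
    hops = parse(CAPTURE)
    for kind in ("request", "reply"):
        print(kind, " -> ".join(path(hops, kind)), rewrites(hops, kind))
```

A rewrite reported on a VDOM_link interface in the request direction would mean NAT is applied on the inter-VDOM policy rather than only on the WAN-facing policy of the root VDOM.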

 

Debug flow on the SERVERS VDOM:

 

The ICMP echo request arrives at the SERVERS VDOM:


id=65308 trace_id=51 func=print_pkt_detail line=5872 msg="vd-SERVERS:0 received a packet(proto=1, 10.222.3.251:4->54.151.118.105:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=4, seq=0."
id=65308 trace_id=51 func=init_ip_session_common line=6057 msg="allocate a new session-00003983"
id=65308 trace_id=51 func=__vf_ip_route_input_rcu line=1991 msg="find a route: flag=00000000 gw-192.168.100.1 via VDOM_link1"
id=65308 trace_id=51 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=51 func=fw_forward_handler line=990 msg="Allowed by Policy-1:"
id=65308 trace_id=51 func=ip_session_confirm_final line=3111 msg="npu_state=0x100, hook=4"

 

The ICMP echo request arrives at the root VDOM:

 

id=65308 trace_id=52 func=print_pkt_detail line=5872 msg="vd-root:0 received a packet(proto=1, 10.222.3.251:4->54.151.118.105:2048) tun_id=0.0.0.0 from VDOM_link0. type=8, code=0, id=4, seq=0."
id=65308 trace_id=52 func=init_ip_session_common line=6057 msg="allocate a new session-00003984"
id=65308 trace_id=52 func=__vf_ip_route_input_rcu line=1991 msg="find a route: flag=00000000 gw-10.47.15.254 via port1"
id=65308 trace_id=52 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=52 func=get_new_addr line=1213 msg="find SNAT: IP-10.47.4.206(from IPPOOL), port-60421"
id=65308 trace_id=52 func=fw_forward_handler line=990 msg="Allowed by Policy-1: SNAT"
id=65308 trace_id=52 func=ip_session_confirm_final line=3111 msg="npu_state=0x100, hook=4"
id=65308 trace_id=52 func=__ip_session_run_tuple line=3443 msg="SNAT 10.222.3.251->10.47.4.206:60421"

 

The ICMP echo reply arrives at the root VDOM:

 

id=65308 trace_id=53 func=print_pkt_detail line=5872 msg="vd-root:0 received a packet(proto=1, 54.151.118.105:60421->10.47.4.206:0) tun_id=0.0.0.0 from port1. type=0, code=0, id=60421, seq=0."
id=65308 trace_id=53 func=resolve_ip_tuple_fast line=5960 msg="Find an existing session, id-00003984, reply direction"
id=65308 trace_id=53 func=__ip_session_run_tuple line=3456 msg="DNAT 10.47.4.206:0->10.222.3.251:4"
id=65308 trace_id=53 func=__vf_ip_route_input_rcu line=1991 msg="find a route: flag=00000000 gw-192.168.100.2 via VDOM_link0"
id=65308 trace_id=53 func=npu_handle_session44 line=1320 msg="Trying to offloading session from port1 to VDOM_link0, skb.npu_flag=00000000 ses.state=00000200 ses.npu_state=0x00000100"
id=65308 trace_id=53 func=fw_forward_dirty_handler line=439 msg="state=00000200, state2=00000000, npu_state=00000100"

 

The ICMP echo reply arrives at the SERVERS VDOM:

 

id=65308 trace_id=54 func=print_pkt_detail line=5872 msg="vd-SERVERS:0 received a packet(proto=1, 54.151.118.105:4->10.222.3.251:0) tun_id=0.0.0.0 from VDOM_link1. type=0, code=0, id=4, seq=0."
id=65308 trace_id=54 func=resolve_ip_tuple_fast line=5960 msg="Find an existing session, id-00003983, reply direction"
id=65308 trace_id=54 func=__vf_ip_route_input_rcu line=1991 msg="find a route: flag=00000000 gw-0.0.0.0 via port2"
id=65308 trace_id=54 func=npu_handle_session44 line=1320 msg="Trying to offloading session from VDOM_link1 to port2, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x00000100"
id=65308 trace_id=54 func=fw_forward_dirty_handler line=439 msg="state=00000204, state2=00000001, npu_state=00000100"
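
The four traces above can be condensed into one record per trace_id to confirm which VDOM, route, policy and NAT action handled each leg. The following is an added example, not part of the original article: the field names and the `broken_handoffs` check are this example's own, and the input is an abridged copy of the debug flow lines shown on this page.

```python
import re
# Sample input: lines copied (abridged) from the debug flow output above.
FLOW = r'''
id=65308 trace_id=51 func=print_pkt_detail line=5872 msg="vd-SERVERS:0 received a packet(proto=1, 10.222.3.251:4->54.151.118.105:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=4, seq=0."
id=65308 trace_id=51 func=__vf_ip_route_input_rcu line=1991 msg="find a route: flag=00000000 gw-192.168.100.1 via VDOM_link1"
id=65308 trace_id=51 func=fw_forward_handler line=990 msg="Allowed by Policy-1:"
id=65308 trace_id=52 func=print_pkt_detail line=5872 msg="vd-root:0 received a packet(proto=1, 10.222.3.251:4->54.151.118.105:2048) tun_id=0.0.0.0 from VDOM_link0. type=8, code=0, id=4, seq=0."
id=65308 trace_id=52 func=__vf_ip_route_input_rcu line=1991 msg="find a route: flag=00000000 gw-10.47.15.254 via port1"
id=65308 trace_id=52 func=__ip_session_run_tuple line=3443 msg="SNAT 10.222.3.251->10.47.4.206:60421"
id=65308 trace_id=53 func=print_pkt_detail line=5872 msg="vd-root:0 received a packet(proto=1, 54.151.118.105:60421->10.47.4.206:0) tun_id=0.0.0.0 from port1. type=0, code=0, id=60421, seq=0."
id=65308 trace_id=53 func=__ip_session_run_tuple line=3456 msg="DNAT 10.47.4.206:0->10.222.3.251:4"
id=65308 trace_id=53 func=__vf_ip_route_input_rcu line=1991 msg="find a route: flag=00000000 gw-192.168.100.2 via VDOM_link0"
id=65308 trace_id=54 func=print_pkt_detail line=5872 msg="vd-SERVERS:0 received a packet(proto=1, 54.151.118.105:4->10.222.3.251:0) tun_id=0.0.0.0 from VDOM_link1. type=0, code=0, id=4, seq=0."
id=65308 trace_id=54 func=__vf_ip_route_input_rcu line=1991 msg="find a route: flag=00000000 gw-0.0.0.0 via port2"
'''

HEAD = re.compile(r'trace_id=(\d+) func=\S+ line=\d+ msg="(.*)"$')
RULES = [  # group names are this example's own
    re.compile(r"vd-(?P<vdom>[^:]+):\d+ received a packet.* from (?P<in_intf>\S+)\. type="),
    re.compile(r"find a route: flag=\S+ gw-(?P<gw>\S+) via (?P<out_intf>\S+)"),
    re.compile(r"Allowed by Policy-(?P<policy>\d+):"),
    re.compile(r"(?P<nat>[SD]NAT \S+->\S+)$"),
]

def summarize(text):
    """Collapse debug flow lines into one dict per trace_id."""
    traces = {}
    for line in text.splitlines():
        head = HEAD.search(line.strip())
        if head:
            trace = traces.setdefault(int(head.group(1)), {})
            for rule in RULES:
                m = rule.match(head.group(2))
                if m:
                    trace.update(m.groupdict())
    return traces

def peer(intf):  # FortiOS names the two ends of a vdom-link <name>0 and <name>1
    return intf[:-1] + ("1" if intf.endswith("0") else "0")

def broken_handoffs(traces, link="VDOM_link"):
    """Consecutive traces where a packet routed into one link end did not arrive on the peer end."""
    ids = sorted(traces)
    return [(a, b) for a, b in zip(ids, ids[1:])
            if traces[a].get("out_intf", "").startswith(link)
            and traces[b].get("in_intf") != peer(traces[a]["out_intf"])]

if __name__ == "__main__":
    print(summarize(FLOW), broken_handoffs(summarize(FLOW)))
```

An empty result from `broken_handoffs` means every packet routed into VDOM_link1 was next seen entering on VDOM_link0 and vice versa; a trace with a route but no policy or existing-session line is the place to look for a missing firewall policy on that VDOM.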