Adding transparent VDOM to support second public IP address
- October 27, 2016
- 1 reply
- 11759 views
Hello, I am coming to you after spending many hours trying to solve this issue and I hope you could shed some light on it.
We are running fortinet 90D in the office and we have two ISP links connected to two switches and from there to the WAN1 & WAN2 interfaces on the fortinet appliance. The internal network is connected to port 1 interface. A quick diagram will look like this:
ISP -> switch 1 & switch 2 -> fortinet -> switch -> internal network ISP
We are running 3 VDOMs in NAT operation mode and everything works just lovely. I am attaching a screenshot of the interfaces that we are using.
The issue that we are facing now is that we need to connect a video conference appliance that will need to use a public IP address, one of the 194.*.*.* that we get from our ISP. We can connect the VC appliance directly to the ISP using the switch, but we would like to have a FW to control the incoming and outgoing traffic. For that, we are thinking about adding another VDOM that will be a transparent VDOM and will help us to monitor and control the traffic coming to the VC appliance.
We add another VDOM, set it as transparent, set two new interfaces (port 3 & port 4) to the VDOM. Port 3 is connected to the switch and set to vlan 2 (the same vlan as the ISP connection) and port 4 is connected directly to the VC appliance.
Running ping from a public location to the VC public IP address, we could see the ARP request coming from the ISP default GW, looking for the VC MAC address. We could also see the VC reply to that ARP, but it seems that the ISP is unable to receive the reply (I changed the IP of the VC to 194.*.*.2 and the ISP to 194.*.*.1):
(Video) # diagnose sniffer packet internal4 "" 4
interfaces=[internal4]
filters=[]
pcap_lookupnet: internal4: no IPv4 address assigned
1.726121 internal4 -- arp who-has 194.*.*.2 tell 194.*.*.1
1.726244 internal4 -- arp reply 194.*.*.2 is-at 0:e0:db:42:44:10
2.718951 internal4 -- arp who-has 194.*.*.2 tell 194.*.*.1
2.719070 internal4 -- arp reply 194.*.*.2 is-at 0:e0:db:42:44:10
3.718960 internal4 -- arp who-has 194.*.*.2 tell 194.*.*.1
3.719076 internal4 -- arp reply 194.*.*.2 is-at 0:e0:db:42:44:10
6.725296 internal4 -- arp who-has 194.*.*.2 tell 194.*.*.1
6.725418 internal4 -- arp reply 194.*.*.2 is-at 0:e0:db:42:44:10
8 packets received by filter
0 packets dropped by kernel
(Video) # diagnose sniffer packet internal3 "" 4
interfaces=[internal3]
filters=[]
pcap_lookupnet: internal3: no IPv4 address assigned
1.044888 internal3 -- BPDU on switchport 'internal10' stp 802.1s, rapid stp, cist flags [forward]
2.725509 internal3 -- arp who-has 194.*.*.2 tell 194.*.*.1
2.725675 internal3 -- arp reply 194.*.*.2 is-at 0:e0:db:42:44:10
3.044840 internal3 -- BPDU on switchport 'internal10' stp 802.1s, rapid stp, cist flags [forward]
3.718876 internal3 -- arp who-has 194.*.*.2 tell 194.*.*.1
What do you think? Do we need to have an inter-VDOM link? Do we need to set forward-domain on the interfaces? Can we delete the transparent VDOM and use the same Corp VDOM to have 2 public IPs in the same subnet? Do we have an issue with sharing the WAN interface? Any help / advice / question will be much appreciated.
Thanks
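One way to make the two captures above easier to compare, as an added example that is not part of the original post and not a Fortinet tool: a small parser for `diagnose sniffer packet` output that counts ARP requests and replies per interface and flags any address whose replies show up on the VC-facing port while the ISP-facing port saw the requests but never a reply, which is the symptom described. The interface names follow the post; the capture text, the 198.51.100.x addresses (TEST-NET-2, standing in for the masked 194.*.*.* range) and the MAC are constructed sample data.

```python
"""Summarise ARP traffic from FortiGate `diagnose sniffer packet` output.

Added example, not code from the original post. Given captures from the two
ports of a transparent VDOM, count ARP requests and replies per interface
and flag an IP whose replies are seen on the inside port but never on the
uplink port. Interface names follow the post; IPs and MACs are placeholders.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the same shape as the post's captures (TEST-NET-2
# addresses stand in for the masked 194.*.*.* range).
SAMPLE_CAPTURE = """\
(Video) # diagnose sniffer packet internal4 "" 4
interfaces=[internal4]
filters=[]
pcap_lookupnet: internal4: no IPv4 address assigned
1.726121 internal4 -- arp who-has 198.51.100.2 tell 198.51.100.1
1.726244 internal4 -- arp reply 198.51.100.2 is-at 0:e0:db:42:44:10
2.718951 internal4 -- arp who-has 198.51.100.2 tell 198.51.100.1
2.719070 internal4 -- arp reply 198.51.100.2 is-at 0:e0:db:42:44:10
4 packets received by filter
0 packets dropped by kernel
(Video) # diagnose sniffer packet internal3 "" 4
interfaces=[internal3]
filters=[]
pcap_lookupnet: internal3: no IPv4 address assigned
1.044888 internal3 -- BPDU on switchport 'internal10' stp 802.1s, rapid stp, cist flags [forward]
2.725509 internal3 -- arp who-has 198.51.100.2 tell 198.51.100.1
3.718876 internal3 -- arp who-has 198.51.100.2 tell 198.51.100.1
3 packets received by filter
0 packets dropped by kernel
"""

# "<timestamp> <iface> -- arp <body>"; headers, BPDUs and counters do not match
ARP_LINE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+--\s+arp\s+(?P<body>.+)$")
WHO_HAS = re.compile(r"^who-has (?P<target>\S+) tell (?P<sender>\S+)$")
REPLY = re.compile(r"^reply (?P<ip>\S+) is-at (?P<mac>\S+)$")


@dataclass(frozen=True)
class ArpEvent:
    ts: float
    iface: str
    kind: str   # "request" or "reply"
    ip: str     # address being resolved (request) or claimed (reply)
    peer: str   # requester IP for a request, claimed MAC for a reply


def parse_sniffer(text):
    """Extract ARP events from sniffer output; everything else is skipped."""
    events = []
    for raw in text.splitlines():
        m = ARP_LINE.match(raw.strip())
        if not m:
            continue
        ts, iface, body = float(m["ts"]), m["iface"], m["body"]
        if (r := WHO_HAS.match(body)):
            events.append(ArpEvent(ts, iface, "request", r["target"], r["sender"]))
        elif (r := REPLY.match(body)):
            events.append(ArpEvent(ts, iface, "reply", r["ip"], r["mac"].lower()))
    return events


def summarise(events):
    """Return {iface: {ip: {"request": n, "reply": n}}}."""
    counts = defaultdict(lambda: defaultdict(lambda: {"request": 0, "reply": 0}))
    for e in events:
        counts[e.iface][e.ip][e.kind] += 1
    return counts


def unbridged_replies(events, inside, uplink):
    """IPs whose replies appear on `inside` while `uplink` saw requests but no reply.

    Requests crossing from uplink to inside with no reply crossing back means
    the transparent VDOM is not passing the reply toward the gateway.
    """
    counts = summarise(events)
    bad = []
    for ip, c in counts[inside].items():
        up = counts[uplink].get(ip, {"request": 0, "reply": 0})
        if c["reply"] > 0 and up["request"] > 0 and up["reply"] == 0:
            bad.append(ip)
    return sorted(bad)


def claimed_macs(events, ip):
    """Distinct MACs claiming `ip`; more than one points at a duplicate address."""
    return sorted({e.peer for e in events if e.kind == "reply" and e.ip == ip})


if __name__ == "__main__":
    evs = parse_sniffer(SAMPLE_CAPTURE)
    for iface, per_ip in summarise(evs).items():
        for ip, c in per_ip.items():
            print(f"{iface}: {ip} requests={c['request']} replies={c['reply']}")
    print("replies not seen on uplink:", unbridged_replies(evs, "internal4", "internal3"))
```

Because the two captures are separate sniffer runs, their timestamps start from zero independently, so the script compares counts per interface rather than trying to match individual frames by time. Running it on the constructed sample reports 198.51.100.2 as the address whose replies never reach internal3.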
