BGP Multihop across Fortigate

Forum|Forum|6 years ago
September 22, 2019
1 reply
11276 views

Dear All,

I would like to understand how the packet flow works for BGP multihop through a firewall (i.e. how does the middle device in the multi-hop know what to do?). I realise the two devices either side of the firewall will dynamically learn the correct routes, but how can the firewall itself know where to write the packets it receives? It is really a case of configuring static routes on the FGT?

I have attached a diagram to help explain my question.

Many thanks in advance for any assistance.

Regards

James.

FGT-Multihop.jpg

Toshi_Esumi

SuperUser

All middle devices sit between two iBGP peers just need to route BGP unicast packets from one side to the other. They just need to know which interface to route to based on the destination IP. If it's a FW like FGT, you just need to let it route without NAT in a pair of policies for both directions.

In your case 10.0.0.1 needs to see the source IP 192.168.0.1, and vice versa. Since they're directly connected to the FGT, you don't need to have any additional routes. Both /31 routes are already in the routing-table as directly connected routes.

j_a_m_e_sAuthor

New Member

Hi Toshi What about the other packet flows, in my example a packet from 10.99.0.1 to 10.99.100.1? If the FGT itself is not a BGP speaker how will it know which egress interface to route through? Regards James

j_a_m_e_sAuthor

New Member

I guess the answer is that it won't work without static routes on the FGT, and that's simply not a scalable solution - I'm planning to have around 20 - 30 vdoms with the same route peering running though.

Does anyone know whether virtual wirepairs might work? The trust/untrust interfaces would have a sub-interface for each vdom. Or is there some limitation where VWPs don't work with sub-interfaces?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded