Ajt69
Explorer
November 24, 2024
Solved

inter vdom from NAT vdom to TP vdom

  • November 24, 2024
  • 8 replies
  • 5050 views

Hello,

I am a new user in the FortiGate world :) with an FG-51E.

I read some tutorials to learn how it works, and I'm stuck with routing between VDOMs.

It won't work :'(

I'm French, and my ISP is named Free.

To be able to watch TV with their player, it has to get an IPv6 address via SLAAC without DHCPv6. Unfortunately, I don't know how to do that with FortiGate. (It's not the subject, but if someone can help me with this point, I will be very happy.)

So I created a root VDOM in transparent mode, with member interfaces wan1 and port 1. My TV player works without problem.

Now I created another "test" VDOM in NAT mode, for testing, a homelab. The member interfaces are the other ports.

I wish to link this NAT VDOM with the root transparent VDOM, and ... no way to make it work :'(

I'm missing something, but I don't know what.

I relied on these links for help:

http://socpuppet.blogspot.com/2014/09/a-meshed-vdom-transparent-using-inter.html

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Connect-2-Transparent-VDOMs-with-NAT-VDOM-between/ta-p/201940

https://www.fortinetguru.com/2017/01/configuring-vdom-links/

None of them helped me.

I also tested this tip, and it works, but it is not what I wish to do:

https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/335646/inter-vdom-routing-configuration-example-internet-access

Could anyone help me to make it work please?

Thank you very much!

 

Best answer by DPadula

The default route on HomeLan is wrong: the gateway should not be 0.0.0.0 but the ISP router IP address (192.168.0.254).

[attachment: Aj69_C.png]

The right command is 'diagnose sniffer packet any "host 192.168.0.254 and icmp" 4 0', my bad.

Can you ping Google after you change the gateway IP address on the static route?

8 replies

DPadula
Staff & Editor
November 24, 2024

Hi Ajt69,

There is this forum topic where someone asked about inter-VDOM links. Have a look at it:

https://community.fortinet.com/t5/Support-Forum/VDOM-setup-or-FortiManager-setup/m-p/354911/highlight/true#M255387

I hope it helps.

 

dingjerry_FTNT
Staff
November 24, 2024

Hi @Ajt69 ,

Without sharing your configurations, we can't assist you.

Ajt69 (Author)
Explorer
November 24, 2024

Well seen :)

Thank you for your quick reply.

I hope it will help me.

Sorry for not having seen this topic.

It's past midnight here; I will read and try this ASAP, and reply.

Ajt69 (Author)
Explorer
November 24, 2024

@dingjerry_FTNT

Can you tell me what I need to supply for the configuration?

A detailed schema? Details from the CLI?

Let me know.

Thank you

 

dingjerry_FTNT
Staff
November 24, 2024

Hi @Ajt69 ,

We need all the configurations you used for your case, such as (but not limited to):

What interfaces?

What firewall policies?

What routing configuration?

Network diagram

Interesting traffic flow

And so on, anything you configured for your case.

It's better to attach your FGT config.

Ajt69 (Author)
Explorer
November 24, 2024

Thank you, I will do my best to supply information in order to get help.

I will also take a look at the topic given by @DPadula.

Ajt69 (Author)
Explorer
November 25, 2024

Hi,

I read the recommended topic, and all the VDOMs there are in NAT operation mode. Should I understand that it only works that way? No possible inter-VDOM routing between TP and NAT?

I created my first root VDOM in transparent mode for lack of knowledge about IPv6 for the TV box, and also to avoid double NAT. Maybe I'm wrong.

Here is my network:

[attachment: reseau.JPG]

Screenshots from the web GUI:

[attachments: Global_vdom.JPG, global_interface.JPG, regle_Root.JPG, regle_homelan.JPG, regle_vd-test.JPG]

And from the CLI:

 

FG-51E (global) #
set gui-ipv6 enable
set hostname "FG-51E"
set management-vdom "HomeLAN"
set switch-controller enable
set vdom-mode multi-vdom
end
config system vdom-link
edit "vdomlink"
next
edit "root2lan"
set type ethernet
next
end
config system interface
edit "wan1"
set vdom "root"
set allowaccess ping
set type physical
set alias "Freebox"
set role wan
set snmp-index 1
next
edit "wan2"
set vdom "root"
set allowaccess ping fgfm
set type physical
set snmp-index 2
next
edit "modem"
set vdom "root"
set type physical
set snmp-index 3
next
edit "lan2"
set vdom "HomeLAN"
set type physical
set snmp-index 4
next
edit "lan3"
set vdom "HomeLAN"
set type physical
set snmp-index 9
next
edit "lan4"
set vdom "VD-Test"
set ip 10.10.0.1 255.255.255.0
set allowaccess ping https ssh
set type physical
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 8
next
edit "lan5"
set vdom "TPvdom"
set allowaccess ping https ssh
set type physical
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 7
next
edit "lan"
set vdom "root"
set allowaccess ping https ssh
set type hard-switch
set alias "Pop"
set stp enable
set device-identification enable
set lldp-reception enable
set lldp-transmission enable
set role lan
set snmp-index 5
next
edit "LACP"
set vdom "HomeLAN"
set ip 10.0.0.1 255.255.255.0
set allowaccess ping https ssh
set type aggregate
set member "lan2" "lan3"
set alias "Home"
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 6
next
edit "ssl.HomeLAN"
set vdom "HomeLAN"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 10
next
edit "ssl.VD-Test"
set vdom "VD-Test"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 11
next
edit "vdomlink0"
set vdom "HomeLAN"
set ip 0.0.0.0 255.255.255.255
set allowaccess ping
set type vdom-link
set description "homelanlink"
set snmp-index 12
next
edit "vdomlink1"
set vdom "VD-Test"
set ip 0.0.0.0 255.255.255.255
set allowaccess ping
set type vdom-link
set description "vdtestlink"
set snmp-index 13
next
edit "root2lan0"
set vdom "root"
set allowaccess ping https http
set type vdom-link
set snmp-index 14
set macaddr 1a:b5:6a:a3:00:33
next
edit "root2lan1"
set vdom "HomeLAN"
set allowaccess ping https http
set type vdom-link
set snmp-index 15
set macaddr 42:d7:5c:5a:00:34
next
end

 


FG-51E (root) #
config system settings
set opmode transparent
set manageip 192.168.0.200/255.255.255.0
end

config firewall policy
edit 1
set uuid 4d93bd88-a6b0-51ee-3735-98ffa0ae402f
set srcintf "lan"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set uuid b3205dac-a6b8-51ee-e9a5-513d62a1a0a1
set srcintf "wan1"
set dstintf "lan"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic disable
next
edit 3
set uuid 7c4621f4-a9dc-51ef-c0ca-edac476ec261
set srcintf "wan1"
set dstintf "root2lan0"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 4
set uuid 8c708eac-a9dc-51ef-7436-53afa1525e9d
set srcintf "root2lan0"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
config firewall policy6
edit 1
set uuid 61c2b6ec-a6b5-51ee-1a5b-270d916165f2
set srcintf "lan"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

config router static
edit 1
set gateway 192.168.0.254
next
end

 

 

FG-51E (HomeLAN) #
config firewall policy
edit 1
set uuid ec31c09a-a9e1-51ef-8d46-d006a8e9eaf7
set srcintf "vdomlink0"
set dstintf "LACP"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set uuid 41073616-a9e4-51ef-5276-2bccbd489cc0
set srcintf "LACP"
set dstintf "root2lan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 3
set uuid 5260fd16-a9e4-51ef-646c-25ba2fc68ab8
set srcintf "root2lan1"
set dstintf "LACP"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

config router static
edit 1
set device "vdomlink0"
set comment "linkvdom"
next
edit 2
set device "root2lan1"
next
end



FG-51E (VD-Test) #
config firewall policy
edit 1
set name "vdtest2homelan"
set uuid 703de03c-a91d-51ef-141e-28c108dfe72d
set srcintf "vdomlink1"
set dstintf "lan4"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "out"
set uuid f5dc6582-a91e-51ef-db89-c4452393a6df
set srcintf "lan4"
set dstintf "vdomlink1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

config router static
edit 1
set device "vdomlink1"
next
end

 

 

Hope it's enough to help me achieve inter-VDOM routing from the NAT VDOM to the TP VDOM.

Thanks a lot

DPadula
Staff & Editor
November 25, 2024

Hi Ajt69,

The difference between a transparent VDOM and a NAT VDOM is the layer they operate at. In a very simple way, a transparent VDOM 'works' like an L2 switch. A NAT VDOM operates like a router. So if you want to keep the network diagram like your drawing, you need to add an IP address on 'vdomlink0'; the IP address must be on the same subnet as the GW (192.168.0.0/24), and the default route should point to the GW IP address.

[attachment: Aj69.png]

Another way to see your diagram would be like that:

[attachment: Aj69_B.png]

Give it a try and let us know about the results.
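Added example, not code from the thread or from Fortinet: the change DPadula describes above (and that the accepted answer repeats) written out in the FortiOS CLI syntax the posted 6.2 config already uses, with the posted HomeLAN settings beside a corrected set. The address 192.168.0.201 is the vdom-link address DPadula refers to in a later post; the 10.255.0.0/30 addressing on the HomeLAN to VD-Test link, the route back from VD-Test, and `set nat enable` on the LAN-to-root policy are my assumptions and go beyond what the thread states.

```text
# Before (taken from the posted config). HomeLAN is a NAT VDOM, i.e. a router,
# but its link interface has no usable address and its default route names a
# device with no gateway, so there is no next hop to forward to.
config global
    config system interface
        edit "vdomlink0"
            set vdom "HomeLAN"
            set ip 0.0.0.0 255.255.255.255
        next
    end
end
config vdom
    edit HomeLAN
        config router static
            edit 1
                set device "vdomlink0"
            next
        end
    next
end

# After. root stays a transparent VDOM (a bridge), so the vdom-link into it is
# just another port on the Freebox segment 192.168.0.0/24. Give the HomeLAN
# end of that link an address in the segment and route via the Freebox.
config global
    config system vdom-link
        edit "root2lan"
            set type ethernet
        next
    end
    config system interface
        edit "root2lan1"
            set vdom "HomeLAN"
            set ip 192.168.0.201 255.255.255.0
            set allowaccess ping
        next
        # Assumed /30 for the HomeLAN <-> VD-Test link (not in the thread)
        edit "vdomlink0"
            set vdom "HomeLAN"
            set ip 10.255.0.1 255.255.255.252
            set allowaccess ping
        next
        edit "vdomlink1"
            set vdom "VD-Test"
            set ip 10.255.0.2 255.255.255.252
            set allowaccess ping
        next
    end
end
config vdom
    edit HomeLAN
        config router static
            edit 1
                set gateway 192.168.0.254
                set device "root2lan1"
            next
            edit 2
                set dst 10.10.0.0 255.255.255.0
                set gateway 10.255.0.2
                set device "vdomlink0"
            next
        end
        # Assumed: source NAT on the existing LACP -> root2lan1 policy (policy 2
        # in the posted config), so the Freebox sees 192.168.0.201 and not
        # 10.0.0.0/24, for which it has no route.
        config firewall policy
            edit 2
                set nat enable
            next
        end
    next
    edit VD-Test
        config router static
            edit 1
                set gateway 10.255.0.1
                set device "vdomlink1"
            next
        end
    next
end
```

Two things worth checking against the posted config. First, `set type ethernet` on the vdom-link is what allows a transparent VDOM to hold one end of it; the posted config has it on root2lan but not on vdomlink, which is why root2lan is the link used here. Second, root does no routing at all: its part of the job is policies 3 and 4 in the posted root config (root2lan0 to wan1 and back), which let frames from the HomeLAN link reach the Freebox. Without NAT on HomeLAN policy 2 (or a static route for 10.0.0.0/24 via 192.168.0.201 on the Freebox), replies to LAN hosts have no return path, even though pings sourced from the FortiGate itself would succeed.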

Ajt69 (Author)
Explorer
November 25, 2024

Hi @DPadula

Thank you for your explanation, and the time you take.

I thought I understood and it was clear, but I don't know how to get around it; it doesn't work :'(

It's a shame for me.

Here is what I did in VDOM B:

[attachments: vdom_homelan.JPG, static_route_homelan.JPG]

Could my firewall policy be bad too?

DPadula
Staff & Editor
November 26, 2024

Let's start with simple tests.

Can you ping the gateway 192.168.0.254 from the HomeLan VDOM?
If you can, great, routing is working fine between HomeLan and root. If you cannot, run the command 'diag sniffer packet any "host 192.168.0.254 and icmp" 4 0' on the HomeLan VDOM and also on the root VDOM while you are trying to ping the gateway.

We need to understand what is happening to the traffic if you cannot ping the gateway from the HomeLan vlink interface IP address 192.168.0.201.

Also, try to ping the mgmt IP on the root VDOM (192.168.0.200) from HomeLan. What is the outcome?
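Added example, not from the thread: the checks DPadula asks for above, as a sequence of FortiOS 6.2 CLI commands. `diagnose sniffer packet` is the full form of the command the accepted answer corrects to; the source address 192.168.0.201, the gateway 192.168.0.254 and the 8.8.8.8 target follow the thread, while the ordering and the debug-flow step are my suggestion.

```text
# Enter the NAT VDOM; the same commands run in root after 'edit root'.
config vdom
edit HomeLan

# 1. Does the routing table have a real next hop? A default route that
#    shows only a device (no gateway) is the fault the accepted answer names.
get router info routing-table all

# 2. Ping the Freebox with the vdom-link address as the source, so the
#    result does not depend on NAT or on a return route for 10.0.0.0/24.
execute ping-options source 192.168.0.201
execute ping 192.168.0.254

# 3. In a second CLI session, capture ICMP to/from the gateway while the
#    ping runs. Verbosity 4 prints the interface name on every packet;
#    count 0 means run until Ctrl-C. Repeat inside root: requests that
#    appear on root2lan1 here but never on wan1 there point at the root
#    policies or the vdom-link type; replies seen on wan1 but not on
#    root2lan0 mean root is not bridging them back.
diagnose sniffer packet any "host 192.168.0.254 and icmp" 4 0

# 4. Once the gateway answers, repeat for an Internet host and, if it
#    fails, trace the policy and route lookup for those packets.
diagnose debug flow filter addr 8.8.8.8
diagnose debug flow trace start 10
diagnose debug enable
execute ping 8.8.8.8
diagnose debug disable
diagnose debug flow filter clear
diagnose debug reset
```

The debug-flow output names the policy ID and the outgoing interface chosen for each packet, which separates a missing route (the trace stops at the route lookup) from a policy deny (the trace reaches policy matching and reports the denial).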

Ajt69 (Author)
Explorer
November 26, 2024

I made some changes on the HomeLan VDOM: I switched to link "root2lan1" instead of "vdomlink0" and set an IP in subnet 192.168.0.x/24.

[attachment: vdomlink.JPG]

and added this static route to reach the other test VDOM:

[attachment: static_route_homelan.JPG]

With this, I can ping my other devices on this subnet, and the test VDOM.

Good point I think, but I cannot ping the gateway 192.168.0.254.

[attachment: ping.JPG]

I tried to add wan1 in the firewall policy (I feel like it's a bit twisted):

[attachment: policys.JPG]

and this way, I can ping the gateway.

But I cannot ping outside networks like 8.8.8.8.... It's starting to drive me crazy!!

I don't have this command 'diag debug packet any "host 192.168.0.254 and icmp" 4 0'; maybe it is not implemented in FW 6.2.15.

[attachment: diag.JPG]

 

 

 

Ajt69 (Author)
Explorer
November 26, 2024

Hi,

I think I am close to the goal.

I'll be back with some additional information by this evening.

 

DPadula
Staff & Editor
November 26, 2024

Exactly, divide and conquer. ;)