infrasigrp
New Member
September 20, 2022
Question

Preserve source IP inter-VDOM routing

Hi everyone,

TL/DR: How do you preserve the source IP when passing through inter-VDOM, for a packet coming from the internet/public IP?

We got a FortiGate 100F which is configured in multi-VDOM. The first VDOM is managed by our ISP; it has an interface connected directly to its backbone and a default route pointing to it. They have set it up like that for management purposes. The other VDOM (let's name it "our vdom") is kind of our LAN side, serves as a hub for an SD-WAN architecture, and has a default route to another third-party firewall which has its own internet interface and handles the IDS/IPS.

I need to "progressively" migrate the internet I/Os from the third-party firewall to our VDOM on the 100F. For the internet access from our local network, I've created a policy route for specific addresses to go out by the ISP-VDOM internet access.

The problem is when I need to access, from the internet on the ISP-VDOM public IP, my LAN which is behind our VDOM. I've created a static route for our LAN subnets to the inter-VDOM and appropriate firewall rules; now I get the traffic from the internet coming to our VDOM. The problem is:

  • if I don't enable SNAT on the inter-VDOM firewall rule, the packet is refused with "reverse path check fail, drop". Because the source IP is public, I cannot create any static or policy routing to return the packet to the inter-VDOM.
  • if I enable SNAT, the packet is accepted, but the traffic coming from the inter-VDOM has the source IP of the inter-VDOM interface, so I cannot make any firewall rules. The idea is to concentrate our configuration on our VDOM only, and leave the ISP-VDOM with the fewest config possible.

Thanks in advance

Arnaud

1 reply

gfleming
Staff
September 20, 2022

Reverse path forwarding is enabled by default on FortiGate and can only be disabled by enabling asymmetric routing, which is not a best practice.

Typically all you need to avoid RPF drops is a route for the source IP out the interface it is coming in on.

Do you have a default route pointing to your inter-VDOM link? I assume you would... but maybe not....

EDIT: just re-read your post; I see your default route points to your third-party firewall. You can try adding another default route with a higher AD but a lower higher priority, and this will still send traffic to your third-party firewall but keep a default route for both interfaces in your table.

Alternatively, you should perhaps consider configuring an SD-WAN zone/interface, because it sounds like you might be heading down that road already. With that in place you won't have any issue with RPF regardless of where your traffic is coming from on the Internet.

Legacy dual WAN config (what you are doing now): https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/360563/dual-internet-connections

SD-WAN config (what you should probably look at doing): https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/889544/sd-wan-quick-start

akristof
Staff
September 21, 2022

Hello,

Agree with all your statements, but I want to correct one thing. If he creates another default route with a higher AD, it will achieve nothing, because it will not be installed in the routing table (probably you meant same AD, higher priority). If you have a default route with the same AD but higher priority, this route will be in the routing table but not used, unless the route towards the 3rd-party firewall disappears. And at the same time, this will achieve that the traffic will not be dropped by RPF.
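To make the AD-versus-priority point above concrete, here is an added Python model of static-route installation, forwarding preference and the loose reverse-path check; it is not code from the thread or from Fortinet, it simplifies real FortiOS behaviour, and the interface names, addresses, distances and priority values are assumptions chosen for illustration.

```python
# Added example, not from the thread: a simplified model of how a FortiGate installs
# static routes, picks an egress, and runs its default (loose) reverse-path check.
# It shows why a second default route with a higher AD changes nothing, while one
# with the same AD and a higher priority value satisfies RPF without being used.
# Interface names, addresses, distances and priorities are constructed for illustration.
import ipaddress

def install(routes):
    """Per prefix, only routes with the lowest administrative distance enter the table."""
    by_dst = {}
    for r in routes:
        by_dst.setdefault(r["dst"], []).append(r)
    table = []
    for rs in by_dst.values():
        low = min(r["distance"] for r in rs)
        table.extend(r for r in rs if r["distance"] == low)
    return table

def lookup(table, ip):
    """Longest-prefix match over the installed table; returns every entry for that prefix."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in table if addr in ipaddress.ip_network(r["dst"])]
    if not hits:
        return []
    longest = max(ipaddress.ip_network(r["dst"]).prefixlen for r in hits)
    return [r for r in hits if ipaddress.ip_network(r["dst"]).prefixlen == longest]

def egress(table, dst_ip):
    """Forwarding: among equal-prefix entries the lowest priority value is preferred."""
    hits = lookup(table, dst_ip)
    return min(hits, key=lambda r: r["priority"])["device"] if hits else None

def rpf_ok(table, src_ip, ingress):
    """Loose RPF: accept if ANY installed route to the source leaves via the ingress interface."""
    return any(r["device"] == ingress for r in lookup(table, src_ip))

# Constructed scenario for "our vdom": default route to the third-party firewall,
# inbound packet from a public source arriving over the inter-VDOM link.
DEFAULT_TO_3RD_PARTY = {"dst": "0.0.0.0/0", "device": "to-3rdparty", "distance": 10, "priority": 1}
HIGHER_AD = {"dst": "0.0.0.0/0", "device": "inter-vdom", "distance": 20, "priority": 1}
SAME_AD_HIGHER_PRIO = {"dst": "0.0.0.0/0", "device": "inter-vdom", "distance": 10, "priority": 10}

def scenario(extra_default_route):
    """Return whether the inbound packet passes RPF and where LAN-originated traffic exits."""
    table = install([DEFAULT_TO_3RD_PARTY, extra_default_route])
    return {"rpf_passes": rpf_ok(table, "203.0.113.50", "inter-vdom"),
            "outbound_egress": egress(table, "198.51.100.7")}

if __name__ == "__main__":
    print("higher AD       :", scenario(HIGHER_AD))            # RPF fails, route not installed
    print("same AD, prio 10:", scenario(SAME_AD_HIGHER_PRIO))  # RPF passes, egress unchanged
```

The first call models gfleming's original suggestion (higher AD: the route never enters the table, so RPF still fails); the second models akristof's correction (same AD, higher priority value: installed, passes RPF, but the third-party firewall stays the active egress).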