Three interfaces in different VDOMs but same subnet?

Forum|Forum|12 years ago
November 11, 2013
12 replies
29504 views

Hi guys, I' m setting up a 100D with three VDOMs; a root and two customer VDOMs. On the WAN side the 100D is connected to the ISP switch. The ISP typically issues you a subnet to be used for your firewall WAN interface(s) then you can register additional subnets of public IPs and have them routed to the WAN interface IP of a particular firewall. As we wanted the two customer VDOMs to be separate and have their own ranges of public IPs we took three physical interfaces on the FG to act as WAN interfaces, so one physical WAN interface per VDOM. I then asked the VSP for a range of public IPs to use for these interfaces. I added the first IP (1.2.3.4/30) to the root VDOM WAN interface no problem, but when I then try to add the second IP (1.2.3.5/30) to one of the customer VDOM WAN interfaces the FG gives an error saying the IP subnet is in-use on another interface. Is there any way around this or do I need to request separate interface IP subnet ranges from the ISP? They have to setup HSRP IPs and all sorts of stuff on each interface subnet they have to setup, so I' d prefer not to have to do this! Thanks for any thoughts!

Show previous replies

ZenithAuthor

New Member

Hi ede_pfau, It' s actually just a single /29 range we have to use as interface addresses. Of the /29 only 3 IPs are useable as one is network, one broadcast, one default gateway, one HSRP gateway address and not sure about the fifth. So we cannot divide down this subnet (firstly because it is too small, but secondly because the gateway address would only be available to one of the divided subnets :) ). As I say I could request two more ranges of addresses from the ISP for the other two WAN interfaces, but this seems like a waste of IPs and they might tell me to get lost :). Any other thoughts? A few people have suggested routing everything through the root-vdom but I' m still unclear how this would work in-terms of VPNs and NATing all the ranges of IP addresses required in each customer vdom? Thanks again!

Phill_Proud

New Member

You can route /32' s into VDOMs from an ' Outside' VDOM (or use root). I do this in some situations. It' s a bit more complicated/annoying to deal with but it has it' s advantages. I will say, using anything but root for your ' outside' VDOM is going to cause you a huge pain in the ass when it comes to FortiGuard registration/etc. See the very quick/dirty/simple diagram I' ve attached. You can still run VPNs to these IP' s, and NAT internal networks out, do port forwards, etc.

Fd93225.gif

sguru

New Member

Hi,

Have an common queries on inter VDOM communication, how many interVDOM link can create ? Is it limited or depends on hardware model?

For example if am creating more than 10 VDOM for different company, 5 VDOM need to communicate with other VDOM to access certain common applications. In that case how many interVDOM links need to create?

Is it necessary to configure separate inter-link for each VDOM communication?

Hope it's clear and let us know if need clarification on queries

Toshi_Esumi

SuperUser

I would recommend you open a new case since your situation doesn't sound directly relates to this very old thread.

https://help.fortinet.com/fgt/60/6-0-3/max-values.html

As you can see above, vdom-link is limited by the number of interfaces per model. Should be well beyond you need. You can consider each vdom as a router. Then you can understand how to connect them via vdom-links instead of ethernet cables to share a resources attached to one vdom.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded