New Member

Solved

"Transparent" Port or Inter-VDOM setup

Forum|Forum|11 years ago
February 27, 2015
4 replies
6515 views

I am trying to segment the network into 2 part:

1) 2 ports (ie: Port 1, Port 2) each on a different private LAN

private IP: 192.168.1.0/24, 192.168.2.0/24

wan: 123.123.123.0-123.123.123.127

2) 1 port (ie: Port 3) on "transparent mode"

private IP: 123.123.123.128-123.123.123.255

wan: 123.123.123.128-123.123.123.255

I am wondering if it I should (or if possible to) setup my Fortigate as follow:

1) Set it up to run in NAT/Routing mode

Setup Virtual IP for Port 1 and Port 2 to take care of the IP translation.

Setup Routing Policy to direct data going to 123.123.123.128-123.123.123.255 to Port 3

(Is this even possible?)

OR

2) Setup 3 V-DOM (ie:Root, Private_VDOM, Public_VDOM)

Connect WAN to Root and set it up as NAT/Routing mode

Setup Private_VDOM in transparent mode

Setup Routing Policy to direct data going to 123.123.123.128-123.123.123.255 to Private_VDOM

Setup Private_VDOM in NAT/Routing mode

Setup Routing Policy to direct data going to 123.123.123.0-123.123.123.127 to Private_VDOM

Setup Virtual IP on Public_VDOM

I am very new in setting up these things. Thank you very much for your help in advance

5.2

Best answer by emnoc

I don't think you can do #1 but #2 could be done if you set vips for the hosts, but do you really need transparent link ? I think you could do this with less complexity if you could you just place VIPs 123.123.123.128-123.123.123.255 /25 and set the machine behind the VIPs

or

Just create a 3rd lan-interface that houses the 23.123.123.128/25

This could be a sub-interface that's tagged like a 802.1q interface if your limited on physical ports.

Please check out my stack vdom blog for other ideals & suggestions;

http://socpuppet.blogspot...pt-with-fortigate.html

emnocAnswer

New Member

I don't think you can do #1 but #2 could be done if you set vips for the hosts, but do you really need transparent link ? I think you could do this with less complexity if you could you just place VIPs 123.123.123.128-123.123.123.255 /25 and set the machine behind the VIPs

or

Just create a 3rd lan-interface that houses the 23.123.123.128/25

This could be a sub-interface that's tagged like a 802.1q interface if your limited on physical ports.

Please check out my stack vdom blog for other ideals & suggestions;

http://socpuppet.blogspot...pt-with-fortigate.html

RodneyAuthor

New Member

Thank you very much for your information.

I am hoping to setup "transparent link" is because this part of the network has already been in place. Such setup will reduce the amount of changes to the existing network.

I have read through your Stacked VDOM blog. However, I am still no sure about your 2nd suggestion:

"Just create a 3rd lan-interface that houses the 23.123.123.128/25"

Is it possible for you to further elaborate on it?

Also, in your Stacked VDOM blog post, is it possible to push to NAT down to the custA and custB VDOM instead of doing it in the root VDOM?

Thank you very much for your help in advance !

emnoc wrote:
I don't think you can do #1 but #2 could be done if you set vips for the hosts, but do you really need transparent link ? I think you could do this with less complexity if you could you just place VIPs 123.123.123.128-123.123.123.255 /25 and set the machine behind the VIPs

or

Just create a 3rd lan-interface that houses the 23.123.123.128/25

This could be a sub-interface that's tagged like a 802.1q interface if your limited on physical ports.
Please check out my stack vdom blog for other ideals & suggestions;

http://socpuppet.blogspot...pt-with-fortigate.html

emnoc

New Member

I hear you, but the upper end of the /25 ( .128-255 ) has what as a gatwate today? Can't you just lift that network and install it on a another interface on the fortigate & still meet your needs? Or bind two interfaces as a inbound & outbound interface for he lan segment that needs the transparent mode of operation?

e.g

port3 and port4 ( transparent vdom )

About the NAT in transparent vdoms, it can be done. I never have done this tho. You can configure ip-pools and set fwpolices to allow NAT, but be careful in your topology & design and remember that a interface can only be in one vdom regardless of the vdom mode of operation ( nat/routed or transparent ).

I would suggest you drafted out the details before diving in and ensure that the design encompass the goals and functionality that your looking for.

RodneyAuthor

New Member

Thank you very much emnoc.

I guess my original plan is not a recommended approach. I guess I will follow the topology that is similar to the one in your post:

http://socpuppet.blogspot.com.es/2014/09/a-stacked-vdom-concept-with-fortigate.html

However, I am wondering how I can set the Virtual IP to allow computer from WAN and custB to access a computer in custA (ie:10.100.10.123)?

Is this Virtual IP setting has to be done in VDOM:root? It can't be set in custA?

I tried to set the Virtual IP in VDOM:root with the following settings:

Interface: WAN

External IP: 123.123.123.123-123.123.123.123

Internal IP: 10.100.10.123-10.100.10.123

I have also set static route such that

Destination IP: 10.100.10.0/255.255.255.0

Device: root2custA0

Gateway: 192.168.0.2

For testing, I have allowed all tracffic to route from any interface to any interface in both VDOM. However, I still not able to ping the machine with ip 10.100.10.123 from the outside.

Is there anything I have missed?

Thanks.

RodneyAuthor

New Member

Packets are able to pass through after setting a policy to allow traffic to reach the specific Virtual IP as destination with NAT turned on.

Thank you very much for all your help!

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded