Contributor
August 5, 2009
Question

VDOM internet access

  • August 5, 2009
  • 9 replies
  • 5417 views
Hello guys, hope you can help me. I use a FortiGate 110C with FortiOS 4.03. I try to get internet access on my "Internal" VDOM. When I log in to the CLI I can ping, for example, www.google.com from the root VDOM. When I try to ping from the Internal VDOM it resolves the hostname but I can't ping the host. This is my conf:

    edit "InternalLin0"
        set vdom "Intern"
        set ip 10.0.1.1 255.255.255.0
        set allowaccess ping https ssh telnet
        set type vdom-link
    next
    edit "InternalLin1"
        set vdom "root"
        set ip 10.0.1.1 255.255.255.0
        set allowaccess ping https ssh telnet
        set type vdom-link
    edit "port5"
        set vdom "Intern"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping https ssh snmp telnet
        set type physical
        set alias "internal"
    next
    edit "port6"
        set vdom "Intern"
        set type physical
        set alias "internal"
    next
    edit "port7"
        set vdom "Intern"
        set type physical
        set alias "internal"
    next
    edit "port8"
        set vdom "Intern"
        set type physical
        set alias "internal"
    next

    config firewall address
        edit "all"
        next
        edit "Internal_local"
            set associated-interface "INTERNAL"
            set subnet 192.168.10.0 255.255.255.0
        next
        edit "InternalManagement"
            set associated-interface "InternalLin0"
            set subnet 10.0.1.0 255.255.255.255
        next
    end

    config firewall address
        edit "all"
        next
        edit "Internal_local"
            set associated-interface "INTERNAL"
            set subnet 192.168.10.0 255.255.255.0
        next
        edit "InternalManagement"
            set associated-interface "InternalLin0"
            set subnet 10.0.1.0 255.255.255.255
        next
    end

    config system interface
        edit "InternalLin0"
            set vdom "Intern"
            set ip 10.0.1.1 255.255.255.0
            set allowaccess ping https ssh telnet
            set type vdom-link
        next
    end

    -----------------------------

    show system interface InternalLin1
    config system interface
        edit "InternalLin1"
            set vdom "root"
            set ip 10.0.1.1 255.255.255.0
            set allowaccess ping https ssh telnet
            set type vdom-link
        next

    FG100C3G09602495 (root) # show system interface InternalLin0
    config system interface
        edit "InternalLin0"
            set vdom "Intern"
            set ip 10.0.1.1 255.255.255.0
            set allowaccess ping https ssh telnet
            set type vdom-link
        next
    end

    FG100C3G09602495 (root) # show system interface InternalLin1
    config system interface
        edit "InternalLin1"
            set vdom "root"
            set ip 10.0.1.1 255.255.255.0
            set allowaccess ping https ssh telnet
            set type vdom-link
        next

    config firewall address
        edit "all"
        next
        edit "InternalManagement"
            set associated-interface "InternalLin1"
            set subnet 10.0.1.0 255.255.255.255
        next

    config firewall policy
        edit 2
            set srcintf "InternalLin1"
            set dstintf "wan1"
            set srcaddr "InternalManagement"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ANY"
        next

Hope you can help me out. Kind regards

    9 replies

    ede_pfau
    SuperUser
    August 6, 2009
    Hi, welcome to the forums. I think InternalLin0 and InternalLin1 shouldn't have the same IP (oops). Otherwise, return traffic will not be delivered to the originating interface.
    Contributor
    August 6, 2009
    Hi Ede, thanks for the reply. I thought of that, but I did exactly what was written in the VDOM howto PDF (http://docs.forticare.com/fgt/techdocs/fortigate-vlans-vdoms.pdf). I changed the IP of InternalLin1 to 10.0.1.2 but it didn't help. Hope you can help me out.
    ede_pfau
    SuperUser
    August 6, 2009
    Sorry, my fault. Two things: only if you want to route traffic BETWEEN the VDOMs do you need different IPs. Actually you didn't mention that you wanted to do that, so no point here. Second: there is no policy for InternalLin0 to wan1, so there is no traffic going out:

        config firewall policy
            edit 2
                set srcintf "InternalLin0"
                set dstintf "wan1"
                set srcaddr "all"   (* or whatever *)
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ANY"
            next

    What about the default route for VDOM "Intern"? Set?
    Contributor
    August 6, 2009
    I made a policy for that, see the last policy in my conf:

        config firewall policy
            edit 2
                set srcintf "InternalLin1"
                set dstintf "wan1"
                set srcaddr "InternalManagement"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ANY"
            next

    I had configured the default route for VDOM Intern but I deleted it because I didn't find it in the manual. What IP must I configure as default route?
    ede_pfau
    SuperUser
    August 6, 2009
    Nope, I mean a policy for InternalLin0 (ZERO) to wan1! Use any index other than 2 (edit 3)... Re. default gw: I've got no idea what your next hop router is. What is the root default route then? Make one similar to it.
    Contributor
    August 6, 2009
    Ede, thanks for your reply. When I want to add the policy I get this:

        FG100C3G09602495 (vdom) # edit root
        current vf=root:0
        FG100C3G09602495 (root) # config firewall policy
        FG100C3G09602495 (policy) # edit 3
        new entry '3' added
        FG100C3G09602495 (3) # set srcintf InternalLin0
        node_check_object fail! for srcintf InternalLin0
        value parse error before 'InternalLin0'
        Command fail. Return code -651

    I added 10.0.1.1, 10.0.1.2 and the route I use in the root VDOM, but no luck.
    ede_pfau
    SuperUser
    August 6, 2009
    Keep steady. InternalLin0 belongs to and exists only in VDOM Internal. Not root.
    Contributor
    August 7, 2009
    Hi Ede, this is the policy I've got now in the Internal VDOM:

        config firewall policy
            edit 1
                set srcintf "INTERNAL"
                set dstintf "InternalLin0"
                set srcaddr "Internal_local"
                set dstaddr "InternalManagement"
                set action accept
                set schedule "always"
                set service "ANY"
            next
        end
    ede_pfau
    SuperUser
    August 7, 2009
    Fine. And what? You started this thread because you couldn't ping the internet from VDOM Internal. How does this policy affect your goal?? Frankly, you're wasting time.
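Putting the pieces from this thread together, as an added example that is not from any of the posts above: the FortiOS objects that hosts behind VDOM Intern need to reach wan1 in VDOM root through the InternalLin0/InternalLin1 link. It assumes InternalLin1 was moved to 10.0.1.2 as the poster said, that root already has a working default route (root can ping google), that "INTERNAL" is the LAN interface name used in the poster's own policy, and that the address object "Intern_LAN" and the route/policy indexes 2 and 3 are free to use; the root-side policy matches the real LAN subnet because traffic crossing the link without NAT keeps its 192.168.10.x source, so an object for 10.0.1.0 will never match it.

```text
config vdom
    edit Intern                               # LAN side: default route over the link
        config router static
            edit 1
                set gateway 10.0.1.2          # InternalLin1, the root end of the link
                set device "InternalLin0"
            next
        end
        config firewall policy
            edit 1
                set srcintf "INTERNAL"
                set dstintf "InternalLin0"
                set srcaddr "Internal_local"  # 192.168.10.0/24 from the poster's config, not "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ANY"
            next
        end
    next
end
config vdom
    edit root                                 # WAN side: return route, outbound policy, NAT
        config firewall address
            edit "Intern_LAN"                 # assumed name; the source subnet as seen in root
                set subnet 192.168.10.0 255.255.255.0
            next
        end
        config router static
            edit 2                            # assumed free index; replies back to the LAN
                set dst 192.168.10.0 255.255.255.0
                set gateway 10.0.1.1          # InternalLin0, the Intern end of the link
                set device "InternalLin1"
            next
        end
        config firewall policy
            edit 3                            # InternalLin1 exists in root, InternalLin0 does not
                set srcintf "InternalLin1"
                set dstintf "wan1"
                set srcaddr "Intern_LAN"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ANY"
                set nat enable                # hide 192.168.10.x behind the wan1 address
            next
        end
    next
end
```

A policy whose srcintf is an interface owned by another VDOM fails with the same -651 error the poster hit, which is why the outbound policy lives in root and references InternalLin1.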