WillemB
New Member
June 29, 2015
Solved

VDOM-link Enhancement Request

  • June 29, 2015
  • 4 replies
  • 7178 views

Enable multiple IP addresses on VDOM-links

 

VDOMs and VDOM-links are a great feature on the FortiGate firewalls; however, they have limited functionality compared to physical links. The one feature they miss, which forces me to use loop-back Ethernet cables on the FortiGate, is the inability to add multiple IP addresses. I also tried to work around this by adding extra VDOM-links, but they are not allowed to be in the same IP range. I hope you will add the very useful multiple-IP feature to VDOM-links in the near future.


    4 replies

    WillemB (Author)
    New Member
    July 3, 2015
    emnoc
    New Member
    July 3, 2015

    Qs:

     

    Why would you need a secondary on a vdom-interlink? That is my 1st question.

     

    Also, are you defining these as p2p or ethernet type vdom-interlinks?

     

    As far as I know, you can run almost unlimited vdom-interlinks, or whatever the limit is; I have never seemed to hit it ;)

     

    Can you present a topology of what your requirements are and how secondaries are involved?

     

    WillemB (Author)
    New Member
    July 4, 2015

    The reason for this request is as follows:

     

    Two tier firewall setup. First firewall is a transparent firewall that is used to filter traffic to the servers with their own public IP's.

    Second firewall is a NAT/Routing firewall that is used for VPN, filtering traffic to/from the servers that do not have public IP's.

     

    Between those two ports there is a VDOM-link, as one of the VDOM's is a transparent VDOM the type of the link must be ethernet.

     

    The second firewall needs to have multiple IPs on its "WAN" port, which is one end of the VDOM-link. These IPs are used to provide multiple services on the same ports and to route all traffic from certain hosts to specific IPs. I can add multiple VDOM-links between both VDOMs, but adding IP addresses in the same subnet is not allowed, as you get an error. (In the beginning of FortiOS 5.0 this was not possible because adding multiple VDOM-links to a transparent VDOM did not work: all VDOM-links used the same internal MAC address, a bug I found and reported, and Fortinet fixed it in a later 5.0 release.)

    emnoc (Answer)
    New Member
    July 4, 2015

    > Two tier firewall setup. First firewall is a transparent firewall that is used to filter traffic to the servers with their own public IP's.

     

    With an external switch you can do this just fine and still pass the other traffic to the 2nd VDOM. A transparent VDOM can ONLY have in/out interfaces, so that's a limiting factor in a tiered or stacked VDOM.

     

    > Between those two ports there is a VDOM-link, as one of the VDOM's is a transparent VDOM the type of the link must be ethernet.

     

    Basically, see the above limiting factor; mixing layer-2 and layer-3 firewall VDOMs makes the issues even more complex.

     

    > I can add multiple VDOM-links between both VDOMs, but adding IP addresses in the same subnet is not allowed, as you get an error. (In the beginning of FortiOS 5.0 this was not possible because adding multiple VDOM-links to a transparent VDOM did not work: all VDOM-links used the same internal MAC address, a bug I found and reported, and Fortinet fixed it in a later 5.0 release.)

     

    FWIW

     

    With any vdom-links enabled as type=ethernet you can change the mac_address per vdom-link. This has never been an issue as far as I know for the last few releases. Also, with point2point there's never a need for an ethernet MAC address, for obvious reasons.

     

    e.g.

    config system vdom-link
        edit "transparent"
            set type ethernet
        next
    end

    config system interface
        edit transparent0
            set macaddr aa:bb:cc:dd:ee:ff
        next
        edit transparent1
            set macaddr aa:bb:cc:dd:ee:fe
        next
    end

     

    http://socpuppet.blogspot.com/2014/09/a-stacked-vdom-concept-with-fortigate.html
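
As an added example, not taken from the thread above or from Fortinet documentation, here is a minimal FortiOS 5.x CLI fragment for the stacked layout the two posters discuss: a transparent (layer-2) VDOM in front of a NAT/route VDOM, joined by an ethernet-type vdom-link whose two ends carry distinct locally administered MAC addresses, as emnoc describes. The VDOM names (tp-fw, nat-fw), the link name (tiers), the port names (wan1, port1), the upstream gateway and the 192.0.2.0/24 and 198.51.100.0/24 addresses are assumptions chosen for illustration (RFC 5737 documentation ranges); substitute your own.

```text
# Assumed names: VDOMs "tp-fw" (transparent) and "nat-fw" (NAT/route),
# vdom-link "tiers", physical ports wan1 and port1.
config system global
    set vdom-admin enable
end

config vdom
    edit tp-fw
    next
    edit nat-fw
    next
end

config global
    # The link must be type ethernet: a ppp-type vdom-link carries no
    # MAC addresses and cannot attach to a transparent (layer-2) VDOM.
    config system vdom-link
        edit tiers
            set type ethernet
        next
    end
    # Creating the link yields interfaces tiers0 and tiers1, one per VDOM.
    # Give each end its own locally administered MAC (02: prefix). With
    # several ethernet vdom-links into one transparent VDOM, every end
    # needs a distinct MAC, which was the point of the bug in the thread.
    config system interface
        edit wan1
            set vdom tp-fw
        next
        edit tiers0
            set vdom tp-fw
            set macaddr 02:00:00:00:00:01
        next
        edit tiers1
            set vdom nat-fw
            set macaddr 02:00:00:00:00:02
            set ip 192.0.2.2 255.255.255.0
            set allowaccess ping
        next
        edit port1
            set vdom nat-fw
            set ip 198.51.100.1 255.255.255.0
        next
    end
end

# Layer-2 tier: interfaces carry no IPs, only a management address.
config vdom
    edit tp-fw
        config system settings
            set opmode transparent
            set manageip 192.0.2.10/255.255.255.0
        end
    next
end

# Layer-3 tier: default route leaves via the link, through the transparent
# VDOM, to the assumed upstream gateway 192.0.2.1.
config vdom
    edit nat-fw
        config router static
            edit 1
                set gateway 192.0.2.1
                set device tiers1
            next
        end
    next
end
```

Firewall policies are omitted: tp-fw still needs policies between wan1 and tiers0 in each direction, and nat-fw needs policies between tiers1 and port1 with NAT where required. The fragment shows one link with one IP on the nat-fw end; it does not work around the limitation the thread is about, since secondary addresses on the link end, or a second link in the same subnet, are exactly what the original poster reports being rejected.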