FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
syordanov
Staff
Staff
Description

This article describes how to connect 2 Transperant VDOMs with NAT VDOM between them on the same FortiGate.

Scope FortiGate
Solution

Traditional IPv4 firewalls and NAT mode FortiGates handle traffic the same way that routers do.

Each interface must be in different subnets and each subnet forms a different broadcast domain.

FortiGate routes IP packets based on the IP header information, overwriting the source MAC address, in other words if client sends a packet to a server connected to different FortiGate interface, the packet will arrive at the server with a FortiGate MAC address, instead of the client’s MAC address.


In transparent operation mode, FortiGate forwards frames without changing the MAC addresses.

When client receives a packet from a server connected to a different FortiGate interface, the frame contains the server’s real MAC address – FortiGate does not change the MAC header, FortiGate is a Layer 2 bridge or switch.

 

So, the interface do not have IP addresses and by default , all belong to the same broadcast domain.


To connect 2 transparent VDOM’s , Inter-VDOM routing is not supported when both VDOMs use transparent mode and the only way to do that is using the NAT VDOM between them with VDOM links on which it is possoble to assign IP addresses.

 

In the topology for default gateway of PC1 is configured an IP address of vdomlinka, for PC2 default gateway is vdomlinkb.

If there is another L3 device which is acting as a gateway for the clients, it is possible to configure route for the remote network behind the other transparent VDOM, next hop should be the vdomlink.

 

Example topology:

 

syordanov_0-1640612354250.png

 

Here is the step by step guide:


Assume that VDOMs are already created, in this article, the following names are used:

 

custa – Transparent VDOM

custb – Transparent VDOM

root – NAT VDOM

 

Port 2 is assigned to custa VDOM, Port3 is assigned to custb VDOM.

 

Because on the transparent VDOM , it is not possible to assign IP addresses (expect for management purpose ) in order to connect both transparent VDOMs, NAT VDOM will be used with VDOM links with, on the VDOM links, it is possible to assign an IP addresses but only on the VDOM links assigned to NAT VDOM.

 

VDOM links configuration:

 

    edit "vdomlink_a0"

        set vdom "custa"

        set allowaccess ping https http

        set type vdom-link

        set snmp-index 8

        set macaddr 2e:60:e7:56:00:1d

    next

    edit "vdomlink_a1"

        set vdom "root"

        set ip 10.10.0.4 255.255.255.0

        set allowaccess ping https ssh http

        set type vdom-link

        set snmp-index 12

        set macaddr 22:f3:3c:6b:00:1e

    next

    edit "vdomlink_b0"

        set vdom "custb"

        set allowaccess ping https ssh http fgfm

        set type vdom-link

        set snmp-index 13

        set macaddr 1e:1c:ca:38:00:1f

    next

    edit "vdomlink_b1"

        set vdom "root"

        set ip 10.10.3.99 255.255.255.0

        set allowaccess ping https ssh http fgfm

        set type vdom-link

        set snmp-index 14

        set macaddr 2a:77:78:82:00:20

    next

 

On the root VDOM no special settings are configured only rules which allow communication to / from both vdom links, it is possible to setup a security profiles .

 

On the transparent VDOMS as per requirements you can configure UTM  features .

 

FW policies on VDOMs :

 

custa VDOM:

 

syordanov_0-1640612426969.png

 

custb VDOM:

 

syordanov_1-1640612426971.png

 

root VDOM:

 

syordanov_2-1640612426973.png

 

To check the MAC-address table in transparent mode VDOM use the following command under global mode:

 

# diagnose netlink brctl name host custa.b (For custa VDOM)

 

FGVM2 (global) # diagnose netlink brctl name host custa.b

show bridge control interface custa.b host.

fdb: hash size=32768, used=4, num=4, depth=1, gc_time=4, ageing_time=3

Bridge custa.b host table

port no device  devname mac addr                ttl     attributes

  2     21      vdomlink_a0     22:f3:3c:6b:00:1e       0        Hit(0)

  2     21      vdomlink_a0     2e:60:e7:56:00:1d       0       Local Static

  1     4       port2   00:0c:29:9f:88:0b       0        Hit(0)

  1     4       port2   00:0c:29:4f:be:4f       0       Local Static

 

FGVM2 (global) # diagnose netlink brctl name host custb.b

show bridge control interface custb.b host.

fdb: hash size=32768, used=4, num=4, depth=1, gc_time=4, ageing_time=3

Bridge custb.b host table

port no device  devname mac addr                ttl     attributes

  2     23      vdomlink_b0     1e:1c:ca:38:00:1f       0       Local Static

  1     5       port3   00:0c:29:39:bb:20       0        Hit(0)

  1     5       port3   00:0c:29:4f:be:59       0       Local Static

  2     23      vdomlink_b0     2a:77:78:82:00:20       0        Hit(0)

 

Related articles.

 

How to configure VDOM link:

https://community.fortinet.com/t5/No-tags-TKBs/Technical-Tip-How-to-route-traffic-from-one-VDOM-to-a...

 

How to create transparent VDOM:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-VDOM-with-Transparent-mode/t...

 

If ESXi is used / FortiVM , allow the following options on the virtual switches:

Allow promiscuous mode;

Allow Forget transmits;

Allow MAC changes;

Contributors