Created on 12-27-2021 06:07 AM Edited on 06-06-2022 11:34 AM By Anonymous
Description
This article describes how to connect two transparent VDOMs through a NAT-mode VDOM between them on the same FortiGate.
Scope
FortiGate
Solution
Traditional IPv4 firewalls and NAT-mode FortiGates handle traffic the same way that routers do. Each interface must be in a different subnet, and each subnet forms a separate broadcast domain. The FortiGate routes IP packets based on the IP header and rewrites the source MAC address: if a client sends a packet to a server connected to a different FortiGate interface, the packet arrives at the server with the FortiGate's MAC address as the source, instead of the client's MAC address.
In transparent mode, by contrast, when a client receives a packet from a server connected to a different FortiGate interface, the frame still carries the server's real MAC address. The FortiGate does not change the MAC header; it behaves as a Layer 2 bridge or switch.
Consequently, the interfaces do not have IP addresses and, by default, all belong to the same broadcast domain.
In the example topology, the default gateway of PC1 is the IP address configured on the vdomlink_a pair (on the root side), and the default gateway of PC2 is the IP address of the vdomlink_b pair. If another Layer 3 device acts as the gateway for the clients, configure a route on it for the remote network behind the other transparent VDOM, with the corresponding VDOM link address as the next hop.
Example topology:
Here is the step by step guide:
custa – Transparent VDOM
custb – Transparent VDOM
root – NAT VDOM
Port 2 is assigned to custa VDOM, Port3 is assigned to custb VDOM.
Because IP addresses cannot be assigned to interfaces in a transparent VDOM (except for management purposes), the NAT VDOM is used to connect the two transparent VDOMs by means of VDOM links. IP addresses can be assigned to VDOM links, but only to the link ends that belong to the NAT VDOM.
VDOM links configuration (the four VDOM link interfaces as they appear under config system interface; the a0/b0 ends belong to the transparent VDOMs and carry no IP address, the a1/b1 ends belong to root and carry the gateway addresses):
config system interface
    edit "vdomlink_a0"
        set vdom "custa"
        set allowaccess ping https http
        set type vdom-link
        set snmp-index 8
        set macaddr 2e:60:e7:56:00:1d
    next
    edit "vdomlink_a1"
        set vdom "root"
        set ip 10.10.0.4 255.255.255.0
        set allowaccess ping https ssh http
        set type vdom-link
        set snmp-index 12
        set macaddr 22:f3:3c:6b:00:1e
    next
    edit "vdomlink_b0"
        set vdom "custb"
        set allowaccess ping https ssh http fgfm
        set type vdom-link
        set snmp-index 13
        set macaddr 1e:1c:ca:38:00:1f
    next
    edit "vdomlink_b1"
        set vdom "root"
        set ip 10.10.3.99 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type vdom-link
        set snmp-index 14
        set macaddr 2a:77:78:82:00:20
    next
end
On the root VDOM no special settings are required, only firewall policies that allow communication to and from both VDOM links. Security profiles can be applied to these policies if needed.
On the transparent VDOMs, UTM features can be configured as required.
Firewall policies on the VDOMs:
custa VDOM:
custb VDOM:
root VDOM:
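The policy screenshots referenced above are not reproduced on this page, so the following is an added CLI example, not taken from the original article, of the minimal policy set that makes the topology work. The policy names are hypothetical; "all"/"ALL" mirror the permissive lab setup and should be narrowed to the real subnets and services in production, and custb is configured exactly like custa with port3 and vdomlink_b0.

```fortios
# custa (transparent VDOM): bridge PC1 traffic from port2 to the VDOM link.
# Transparent-mode policies have no NAT option; the frames keep their MAC addresses.
config vdom
    edit custa
        config firewall policy
            edit 1
                set name "pc1-to-root"              # hypothetical name
                set srcintf "port2"
                set dstintf "vdomlink_a0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
            # policy 2: identical, with srcintf "vdomlink_a0" and dstintf "port2"
        end
    next
end
# root (NAT-mode VDOM): route between the two VDOM links. No source NAT is needed,
# because 10.10.0.0/24 and 10.10.3.0/24 are directly connected on vdomlink_a1/b1.
config vdom
    edit root
        config firewall policy
            edit 1
                set name "custa-to-custb"           # hypothetical name
                set srcintf "vdomlink_a1"
                set dstintf "vdomlink_b1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
            edit 2
                set name "custb-to-custa"           # hypothetical name
                set srcintf "vdomlink_b1"
                set dstintf "vdomlink_a1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
        end
    next
end
```

Once the policies are in place, a ping from PC1 (gateway 10.10.0.4) to PC2 should show the PC1 MAC address in the custa bridge table and the PC2 MAC address in the custb bridge table, as in the diagnose output below.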
To check the MAC address table of a transparent-mode VDOM, use the following command in global mode:
# diagnose netlink brctl name host custa.b (For custa VDOM)
FGVM2 (global) # diagnose netlink brctl name host custa.b
show bridge control interface custa.b host.
fdb: hash size=32768, used=4, num=4, depth=1, gc_time=4, ageing_time=3
Bridge custa.b host table
port no device devname      mac addr           ttl attributes
      2     21 vdomlink_a0  22:f3:3c:6b:00:1e    0 Hit(0)
      2     21 vdomlink_a0  2e:60:e7:56:00:1d    0 Local Static
      1      4 port2        00:0c:29:9f:88:0b    0 Hit(0)
      1      4 port2        00:0c:29:4f:be:4f    0 Local Static

FGVM2 (global) # diagnose netlink brctl name host custb.b
show bridge control interface custb.b host.
fdb: hash size=32768, used=4, num=4, depth=1, gc_time=4, ageing_time=3
Bridge custb.b host table
port no device devname      mac addr           ttl attributes
      2     23 vdomlink_b0  1e:1c:ca:38:00:1f    0 Local Static
      1      5 port3        00:0c:29:39:bb:20    0 Hit(0)
      1      5 port3        00:0c:29:4f:be:59    0 Local Static
      2     23 vdomlink_b0  2a:77:78:82:00:20    0 Hit(0)
Related articles.
How to configure VDOM link:
How to create transparent VDOM:
If ESXi or a FortiGate-VM is used, enable the following options on the virtual switches, otherwise the bridged frames with foreign source MAC addresses are dropped by the hypervisor: Allow promiscuous mode; Allow forged transmits; Allow MAC changes.
Copyright 2024 Fortinet, Inc. All Rights Reserved.