Description
This article describes that vdom-link type ppp can be used without IP address.
Scope
FortiOS v6 and later.
Solution
Vdom-link is an interface type used for internal communication, so the traffic does not need to leave FortiGate in order to pass between VDOMs.
There are two types of vdom-link:
- Vdom-link type ppp (default).
- Vdom-link type Ethernet <----- Not covered in this article.
Diagram:
Interface vdom-link settings:
config global
config system vdom-link
edit "vdom-link"
set type { ppp | ethernet } <----- The default is ppp.
next
end
config system interface
edit "vdom_link0"
set vdom "root"
set type vdom-link
set snmp-index 16
next
edit "vdom_link1"
set vdom "client_vdom"
set type vdom-link
set snmp-index 17
next
end
end
Static route at root VDOM:
FGT1 (root) # show router static
config router static
edit 4
set gateway 10.191.31.254 <----- Route to the internet.
set device "port2"
next
edit 5
set dst 192.168.19.0 255.255.255.0 <----- Route to Windows user.
set device "vdom_link0"
next
end
Firewall policy at root VDOM:
FGT1 (root) # show firewall policy
config firewall policy
edit 4
set name "internet"
set srcintf "vdom_link0" <----- Interface to client_vdom.
set dstintf "port2" <----- Interface to internet.
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set logtraffic-start enable
set nat enable
next
Static route at client_vdom:
FGT1 (client_vdom) # show router static
config router static
edit 1
set device "vdom_link1" <----- Default route via vdom_link1.
next
end
Firewall policy at client_vdom:
FGT1 (client_vdom) # show firewall policy
config firewall policy
edit 1
set name "internet_client_vdom"
set srcintf "port7" <----- Interface where windows user is located.
set dstintf "vdom_link1" <----- Interface to root VDOM.
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set logtraffic-start enable
next
end
Ping test from user:
C:\Users\fortinet> ping yahoo.com
Pinging yahoo.com [98.137.11.164] with 32 bytes of data:
Reply from 98.137.11.164: bytes=32 time=8ms TTL=50
Reply from 98.137.11.164: bytes=32 time=7ms TTL=50
Reply from 98.137.11.164: bytes=32 time=7ms TTL=50
Reply from 98.137.11.164: bytes=32 time=7ms TTL=50
Ping statistics for 98.137.11.164:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 7ms, Maximum = 8ms, Average = 7ms
Conclusion:
- vdom-link type ppp does not require IP addresses to pass traffic in static routing configurations.
- Some dynamic routing configurations require the inter-vdom links to have IP addresses assigned.
Related documents:
