FortiGate
PPriyesha
Staff
Article Id 228429
Description

This article describes how to route traffic between several VLANs that are configured in different VDOMs.

Scope: FortiGate, all firmware versions.
Solution

Topology: (diagram image not reproduced)

 

VDOMs can communicate with each other through VDOM links instead of dedicated physical interfaces that would otherwise have to be cabled together.

Traffic passing between VDOMs is known as inter-VDOM routing. A VDOM link is a pair of virtual interfaces, each assigned to one of the two VDOMs, that form the two ends of the connection; each VDOM routes to the other through its own end of the link and applies its own firewall policies to that traffic.

 

Create the VDOMs:

To enable VDOMs (FortiOS 6.2 and later; on FortiOS 6.0 and earlier the equivalent is set vdom-admin enable; in either case the session is logged out and the VDOM commands become available after logging in again):

 

# config system global
    set vdom-mode multi-vdom
end

 

To create the BO and LAB VDOMs (config vdom is entered from the top level of the CLI, not from within config global):

# config vdom
    edit LAB
    next
    edit BO
    next
end

 

Configure the physical interfaces:

 

Next, configure the interfaces. This example uses two physical interfaces on the FortiGate unit: port2 (internal) and port1 (external). Port2 carries the two VLAN sub-interfaces, VLAN_BO and VLAN_LAB, each connecting one department's network and each assigned to its own VDOM. Port1 carries all traffic to and from the Internet and typically obtains its IP address by DHCP from the ISP; it is not part of the inter-VDOM configuration shown here.

 

To configure the VLAN interfaces (the VLAN IDs 10 and 20 and the .1 interface addresses are example values; the interface IP must be a host address in the subnet, not the network address, and the VLAN IDs must match the tags on the switch trunk connected to port2):

# config global
    config system interface
        edit VLAN_BO
            set vdom BO
            set alias BOLocal
            set type vlan
            set interface port2
            set vlanid 10
            set mode static
            set ip 192.168.1.1 255.255.255.0
            set allowaccess ping ssh
        next
        edit VLAN_LAB
            set vdom LAB
            set alias LABLocal
            set type vlan
            set interface port2
            set vlanid 20
            set mode static
            set ip 192.168.2.1 255.255.255.0
            set allowaccess ping ssh
        next
    end
end

 

To configure the VDOM link between BO and LAB (creating the vdom-link object Bo-Labvlnk automatically creates two interfaces, Bo-Labvlnk0 and Bo-Labvlnk1, which are then assigned one to each VDOM and addressed in a shared /24; https and ssh in allowaccess are not required for routing and can be left out to limit administrative exposure, keeping ping for testing):

 

# config global
    config system vdom-link
        edit Bo-Labvlnk
        next
    end
    config system interface
        edit Bo-Labvlnk0
            set vdom BO
            set ip 11.11.11.2 255.255.255.0
            set allowaccess https ping ssh
        next
        edit Bo-Labvlnk1
            set vdom LAB
            set ip 11.11.11.1 255.255.255.0
            set allowaccess https ping ssh
        next
    end
end

 

To configure the static route in the BO VDOM towards the LAB VLAN (192.168.2.0/24 is the LAB internal subnet, 11.11.11.1 is the LAB end of the VDOM link, and the outgoing device is the BO end of the link, Bo-Labvlnk0):

# config vdom
    edit BO
        config router static
            edit 1
                set dst 192.168.2.0 255.255.255.0
                set gateway 11.11.11.1
                set device Bo-Labvlnk0
                set distance 10
            next
        end
    next
end

 

To configure the static route in the LAB VDOM towards the BO VLAN (192.168.1.0/24 is the BO internal subnet, 11.11.11.2 is the BO end of the VDOM link, and the outgoing device is the LAB end of the link, Bo-Labvlnk1):

# config vdom
    edit LAB
        config router static
            edit 1
                set dst 192.168.1.0 255.255.255.0
                set gateway 11.11.11.2
                set device Bo-Labvlnk1
                set distance 10
            next
        end
    next
end

 

To configure the firewall policies in the BO VDOM between the BO internal VLAN and the BO end of the VDOM link, in both directions (both policies belong in the BO VDOM, since that is where VLAN_BO and Bo-Labvlnk0 live):

# config vdom
    edit BO
        config firewall policy
            edit 1
                set name "Internal-BOVDOMlink"
                set srcintf "VLAN_BO"
                set dstintf "Bo-Labvlnk0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
            edit 2
                set name "BOVDOMlink-Internal"
                set srcintf "Bo-Labvlnk0"
                set dstintf "VLAN_BO"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
        end
    next
end

 

To configure the firewall policies in the LAB VDOM between the LAB internal VLAN and the LAB end of the VDOM link, in both directions (both policies belong in the LAB VDOM, where VLAN_LAB and Bo-Labvlnk1 live):

# config vdom
    edit LAB
        config firewall policy
            edit 1
                set name "Internal-LABVDOMlink"
                set srcintf "VLAN_LAB"
                set dstintf "Bo-Labvlnk1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
            edit 2
                set name "LABVDOMlink-Internal"
                set srcintf "Bo-Labvlnk1"
                set dstintf "VLAN_LAB"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
        end
    next
end

 

Hosts in the BO VLAN can now reach hosts in the LAB VLAN and vice versa: the BO VDOM routes 192.168.2.0/24 to 11.11.11.1 across the link, the LAB VDOM routes 192.168.1.0/24 back to 11.11.11.2, and each VDOM has accept policies in both directions, so the return traffic of every session is also permitted. Because these policies use srcaddr all, dstaddr all and service ALL, the two VDOMs are fully open to each other; in production, narrow the source, destination and service on each policy to the hosts and ports that actually need to cross and enable traffic logging on them, since the VDOM boundary usually exists precisely to keep the two networks separated.

 

Note:

If hosts in the two subnets cannot ping each other after this configuration, check the Windows Firewall on the test PCs: it commonly blocks inbound ICMP echo requests from other subnets, so either allow ICMPv4 echo requests or disable it temporarily for the test.
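Before testing from end hosts, it is worth confirming on the FortiGate itself that each VDOM has the route through the link and that traffic actually matches the expected route and policy. The following FortiOS CLI sequence is an added verification example, not part of the original article; it uses the VDOM, interface and address names configured above, and 192.168.1.10 is an assumed BO host used only as a flow-trace filter.

```fortios
# Verification of the inter-VDOM routing configured above (added example).
# get / execute / diagnose commands run inside the VDOM context entered with
# "config vdom" + "edit <name>".

config vdom
    edit BO
        # 1. The static route must be in the BO routing table and point at the link.
        #    Expected line:  S  192.168.2.0/24 [10/0] via 11.11.11.1, Bo-Labvlnk0
        get router info routing-table all

        # 2. Ping the LAB VLAN interface, sourced from the BO VLAN interface, so the
        #    request crosses the link and the reply must match LAB's return route.
        execute ping-options source 192.168.1.1
        execute ping 192.168.2.1

        # 3. If hosts still cannot talk, trace a client's flow (192.168.1.10 is an
        #    assumed BO host) to see which route and which policy id it matches.
        diagnose debug flow filter addr 192.168.1.10
        diagnose debug flow show function-name enable
        diagnose debug flow show iprope enable
        diagnose debug flow trace start 10
        diagnose debug enable
        #    ... generate traffic from the host, read the trace, then stop it:
        diagnose debug disable
        diagnose debug reset

        # 4. Confirm that the packets really leave this VDOM on its end of the link.
        diagnose sniffer packet Bo-Labvlnk0 'host 192.168.1.10' 4 10
    next

    edit LAB
        # Same checks from the other side; the route must point back across the link.
        #    Expected line:  S  192.168.1.0/24 [10/0] via 11.11.11.2, Bo-Labvlnk1
        get router info routing-table all
        execute ping-options source 192.168.2.1
        execute ping 192.168.1.1
    next
end
```

In the flow trace, a line reporting "Denied by forward policy check" on the BO side means the packet reached the VDOM but no policy from VLAN_BO to Bo-Labvlnk0 matched, while "no session matched" together with a missing route line points at the static route; checking the two VDOMs in turn separates a routing problem from a policy problem.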

 

Related articles:

https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/335646/inter-vdom-routing

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-route-traffic-from-one-VDOM-to-anot...