• The Topology of the network is as follows:

PC1---VRF10----FGT-----wan1--VRF0

• There are a few requirements in order to achieve that:

1. Enabling multi-vdom mode is required to create VDOM links, but this depends on the Firmware version.

config system global

    set vdom-mode multi-vdom

end

Software VDOM link:

v7.0.x and later - not required:

config system vdom-link
    edit ToDeviceOne
    next
end

NPU vdom link:

v7.4.x and below - required.

v7.6.1 and later - not required.

config system global

    set single-vdom-npuvlink enable

end

2. Overlapping subnets are also required:

    

FG101E-2 (vdom) # edit root

current vf=root:0

FG101E-2 (root) # config system settings

FG101E-2 (settings) # set allow-subnet-overlap enable <----- Only allows to configuration of the same subnet on different interfaces. Cannot use the same subnet on different VRFs.

FG101E-2 (settings) # end   

The configuration of the interfaces looks as follows:

• It is necessary to create a VDOM link as follows:

• The next step is to create static routes:
  
  

1. Create a static route to send the traffic from VRF 10 to VRF 0:
   
   

2. The next step is to create a static route for the Local subnet 10.200.1.0 so that VRF 0 will know where to send this traffic if received for this subnet. In this case, it would need to be sent to VRF 10 via the VDOM link and the gateway is 1.1.1.2.

Creating Firewall policies:

1. The first policy that is needed is to allow the traffic from VRF 10 to VRF 0:

In this example as port 1 is VRF 10, it is necessary to send it to VRF 0.

Important: NAT needs to be disabled, otherwise, the traffic is not going to flow properly.

1. The second policy that we needed is to allow the VRF 10 traffic to be out to the internet. NAT needs to be enabled in this one.
   
   
2.  
3. It should put internet after this:
   
   
   

Seconds method:

1. If it is not desired to define any IP addresses on the VDOM link that will work too and simplify the configuration as well. But in some scenarios, if it is necessary to use the IP addresses for VDOMs link, for Nating, or BGP peering for instance then it is possible to use the second scenario. The biggest advantage of this method is that it is not necessary to allow overlapping subnets as well.

    

   1. In this case, leave the VDOM links without an IP address.
      
      

       

   2. The static route configuration is simple as well and it is not necessary to define the gateway address.
      
      

      

       

Some of the common mistakes that can be made in this process are:

1. Enabling NAT on the Firewall policy: if enabling by mistake the NAT on the firewall policy that allows the traffic from VRF 10 to VRF0, one can find that in the debugs it will start showing the error denied via policy 0.

Disabling the NAT will help solve this problem.

2. Missing static route: the second error that can be encountered is that it might be missing a static route back to the Local subnet in root VDOM. In the debugs an error message about 'reverse path check failed' can be observed.

It is necessary to create a static route VRF 0 in this example.

The routing table for VRF=0:

S*      0.0.0.0/0 [10/0] via 10.9.15.254, wan1, [1/0]

S       10.200.1.0/24 [10/0] is directly connected, VRF0-VRF10, [1/0]

If all of the above steps are correct and still facing issues, contact the TAC team for further assistance.