Article Id 280549

This article describes how to configure VRF route leaking on a FortiGate so that traffic in one VRF can reach the Internet through another VRF.

Scope: FortiOS version 7.0 or higher.
  • The network topology is as follows:

  • The following requirements must be met to achieve this:
  1. Enable multiple VDOMs.
  2. Allow overlapping subnets.


  1. Multiple VDOMs can be enabled with the following commands:

config system global
    set vdom-mode multi-vdom
end


  2. To allow overlapping subnets, run the following in the root VDOM:


    FG101E-2 (vdom) # edit root

    current vf=root:0

    FG101E-2 (root) # config system settings

    FG101E-2 (settings) # set allow-subnet-overlap enable

    FG101E-2 (settings) # end


    • The configuration of the interfaces looks as follows:

    • Now it is necessary to create a VDOM link as follows:

    [screenshot: VDOM link configuration]


    • The next step is to create static routes:

     1. Create a static route that sends the traffic from VRF 10 to VRF 0:

    [screenshot: static route from VRF 10 to VRF 0]
     2. Create a static route for the local subnet so that VRF 0 knows where to send traffic destined for it. In this case it must be sent to VRF 10 via the VDOM link, and the gateway is

    [screenshot: static route from VRF 0 to wan]


Creating firewall policies:

  1. The first policy needed allows the traffic from VRF 10 to VRF 0:

In this example port1 is in VRF 10, so its traffic must be sent to VRF 0.

Important: NAT must be disabled on this policy, otherwise the traffic will not flow properly.

    [screenshot: policy 1]

  2. The second policy needed allows the VRF 10 traffic out to the Internet. NAT must be enabled on this one.

    [screenshot: policy 2]
  3. Internet access should work after this.


Second method:

  1. If no IP addresses are defined on the VDOM link, that works too and also simplifies the configuration. However, in some scenarios the IP addresses on the VDOM link are needed, for NAT or BGP peering for instance, and then the scenario with IP addresses on the VDOM link can be used. The biggest advantage of this method is that it is not necessary to allow overlapping subnets.

    1. In this case, leave the VDOM links without an IP address.

      [screenshot: VDOM links without IP addresses]

    2. The static route configuration is simple as well, and it is not necessary to define a gateway address.




Some common mistakes made in this process are:

  1. Enabling NAT on the firewall policy: if NAT is enabled by mistake on the firewall policy that allows the traffic from VRF 10 to VRF 0, the debugs will start showing the error 'denied via policy 0'.

    [screenshot: forward policy check in the debug output]

Disabling NAT on that policy solves this problem.


  2. Missing static route: the second error that can be encountered is a missing static route back to the local subnet in the root VDOM. In the debugs, an error message about 'reverse path check failed' can be observed.

In this example, a static route must be created in VRF 0.


The routing table for VRF=0:

S* [10/0] via, wan1, [1/0]

S [10/0] is directly connected, VRF0-VRF10, [1/0]

If all of the above steps are correct and issues persist, contact TAC for further assistance.