Support Forum
Zenith
New Contributor

Three interfaces in different VDOMs but same subnet?

Hi guys, I'm setting up a 100D with three VDOMs; a root and two customer VDOMs. On the WAN side the 100D is connected to the ISP switch. The ISP typically issues you a subnet to be used for your firewall WAN interface(s), then you can register additional subnets of public IPs and have them routed to the WAN interface IP of a particular firewall. As we wanted the two customer VDOMs to be separate and have their own ranges of public IPs we took three physical interfaces on the FG to act as WAN interfaces, so one physical WAN interface per VDOM. I then asked the ISP for a range of public IPs to use for these interfaces. I added the first IP (1.2.3.4/30) to the root VDOM WAN interface no problem, but when I then try to add the second IP (1.2.3.5/30) to one of the customer VDOM WAN interfaces the FG gives an error saying the IP subnet is in use on another interface. Is there any way around this or do I need to request separate interface IP subnet ranges from the ISP? They have to set up HSRP IPs and all sorts of stuff on each interface subnet they have to set up, so I'd prefer not to have to do this! Thanks for any thoughts!
emnoc
Esteemed Contributor III

A topology drawing would be nice. As for the interfaces, can you post the cfgs, and have you ensured that the WAN uplinks are in 3 unique VDOMs?

PCNSE NSE StrongSwan
Zenith
New Contributor

Thanks for replying! I've just anonymised a network diagram I had done and attached it, if you need more details just shout! Just to explain the IP situation a bit better:
- The ISP have given us a range like 1.2.3.4/30 with a default gateway of say 1.2.3.5.
- If we had three independent firewalls connected to the ISP switch we could set the WAN IP of one to say 1.2.3.6/30, the next 1.2.3.7/30 and finally the next 1.2.3.8/30. (In fact this is the way we do have a couple of physically separate firewalls in there.)
- Assuming we want to use more ranges of IPs for servers behind these firewalls we would request a range and ask the ISP to forward it to one of the three WAN IPs above depending on which customer is going to use the IPs.
I'll post a screenshot of the Interfaces page in a moment, but yes, definitely separate VDOMs set up. You'll see in my screenshot I'm trying to set an IP on the port15/port16 interfaces; the error you get is "IP address is in same subnet as the others".
Zenith
New Contributor

Interfaces screenshot.
Zenith
New Contributor

Actually if you take a look at this thread - https://forum.fortinet.com/FindPost/99727 - there's a drawing I did half way down which shows the IP addresses and WAN interfaces much better!

Zenith
New Contributor

I see this in the FortiOS 5 manual, which is presumably the root of my problem: "FortiGate unit interfaces cannot have overlapping IP addresses, the IP addresses of all interfaces must be on different subnets. This rule applies to both physical interfaces and to virtual interfaces such as VLAN subinterfaces. Each VLAN subinterface must be configured with its own IP address and netmask. This rule helps prevent a broadcast storm or other similar network problems." But under it this: "If you are unable to change your existing configurations to prevent IP overlap, enter the CLI command config system global and set ip-overlap enable to allow IP address overlap. If you enter this command, multiple VLAN interfaces can have an IP address that is part of a subnet used by another interface. This command is recommended for advanced users only." I guess I just want to understand what the implications are if I do enable ip-overlap; what sorts of topology issues should I be watching out for to avoid broadcast storms etc.? I assume it is disabled by default for a fairly good reason but don't want to discover that reason at 5pm some Friday when it is live :). Thanks again for the replies!
rwpatterson
Valued Contributor III

Personally, I would back up and see why I would really need to have the same subnet on 3 interfaces... Sounds like a weak network design to me.
ORIGINAL: Zenith Hi guys, I'm setting up a 100D with three VDOMs; a root and two customer VDOMs. On the WAN side the 100D is connected to the ISP switch. The ISP typically issues you a subnet to be used for your firewall WAN interface(s), then you can register additional subnets of public IPs and have them routed to the WAN interface IP of a particular firewall. As we wanted the two customer VDOMs to be separate and have their own ranges of public IPs we took three physical interfaces on the FG to act as WAN interfaces, so one physical WAN interface per VDOM. I then asked the ISP for a range of public IPs to use for these interfaces. I added the first IP (1.2.3.4/30) to the root VDOM WAN interface no problem, but when I then try to add the second IP (1.2.3.5/30) to one of the customer VDOM WAN interfaces the FG gives an error saying the IP subnet is in use on another interface. Thanks for any thoughts!
If you use one VDOM as the gateway and use inter-VDOM links, then you do not need a WAN interface in each VDOM.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Zenith
New Contributor

It wouldn't be a big deal to change it as it is not live yet, but from reading the documentation (admittedly a few months back) it seemed like routing the traffic through the root VDOM wouldn't really be suitable in this case; correct me if I'm wrong though! The two clients are entirely separate businesses with their own public IP address ranges, various different VPNs, different administration teams etc. So it wouldn't be a runner for an admin in one company being able to log into the root VDOM and potentially make changes that could cause issues with the other company and vice versa, which is my understanding of how this would work. Essentially we want them to have two separate firewalls altogether, but the benefit of putting them in the same firewall in separate VDOMs is they can share the HA infrastructure of the two FGs and the cost of this.
rwpatterson
Valued Contributor III

They wouldn't need to touch the root VDOM. They would have an Internet handoff from that VDOM in their own that they would use. They would only have access to their side of the inter-VDOM link.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Zenith
New Contributor

OK, I must have misunderstood that; can you give me a bit more info about how this would work? Will they be able to set up VPNs to their own VDOM, have ranges of public IPs NAT'd in their VDOM etc.? Thanks!
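The design rwpatterson describes (one WAN uplink in the root VDOM, an inter-VDOM link per customer, and no overlapping subnets, so ip-overlap stays disabled) can be sketched in FortiOS CLI. This is an added example written for this thread, not configuration from any poster or from Fortinet; the VDOM name cust1, the link name cust1-link, the transit subnet 10.255.1.0/30, the customer public prefix 203.0.113.0/29 (an RFC 5737 documentation range) and the interface names wan1 and lan-cust1 are all assumed placeholders.

```fortios
# Added example, not from the thread. Assumed names: VDOM "cust1", inter-VDOM
# link "cust1-link", root WAN interface "wan1", customer LAN "lan-cust1".
# Transit subnet 10.255.1.0/30 and public prefix 203.0.113.0/29 are placeholders.

# 1. Create the customer VDOM (global scope).
config vdom
    edit cust1
    next
end

config global
    # 2. Create the inter-VDOM link. FortiOS creates two interfaces from the
    #    name: cust1-link0 and cust1-link1.
    config system vdom-link
        edit "cust1-link"
            set type ethernet
        next
    end
    # 3. Put one end in root and the other in the customer VDOM, on a private
    #    transit /30 that does not overlap the WAN subnet from the ISP.
    config system interface
        edit "cust1-link0"
            set vdom "root"
            set ip 10.255.1.1 255.255.255.252
            set allowaccess ping
        next
        edit "cust1-link1"
            set vdom "cust1"
            set ip 10.255.1.2 255.255.255.252
            set allowaccess ping
        next
    end
end

# 4. Root VDOM: route the customer's public prefix down its link and pass
#    traffic between the link and the single WAN uplink without NAT, so the
#    customer VDOM sees and owns its real public addresses.
config vdom
    edit root
        config router static
            edit 10
                set dst 203.0.113.0 255.255.255.248
                set gateway 10.255.1.2
                set device "cust1-link0"
            next
        end
        config firewall policy
            edit 10
                set srcintf "cust1-link0"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
            edit 11
                set srcintf "wan1"
                set dstintf "cust1-link0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
        end
    next
end

# 5. Customer VDOM: default route over its side of the link. The customer's
#    admins are scoped to this VDOM only; VIPs, NAT and VPNs for
#    203.0.113.0/29 are configured here against cust1-link1.
config vdom
    edit cust1
        config router static
            edit 1
                set gateway 10.255.1.1
                set device "cust1-link1"
            next
        end
    next
end
```

With this layout only the root VDOM holds an address from the ISP's /30, so the "IP address is in same subnet as the others" check never fires and ip-overlap can stay at its default. The customer's administrators are created as per-VDOM admins on cust1 and never see wan1 or the root policies; their inbound public addresses arrive via the root static route and are terminated on VIPs or VPN settings inside cust1 with cust1-link1 as the external interface.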