Carl_Wallmark
Valued Contributor

Advanced VDom

Hi, my goal is to set up an environment as described in the picture I painted =) Each customer will have their own VDOM, but I still want to control bandwidth, ports, etc. Is there anyone who is experienced in this type of setup? I would like to know if there are any pitfalls I should think of. Each VDOM will have its own public IP, and I will use "IP Pool" for outbound and "Virtual IP" for inbound. Link to picture: http://195.67.73.228/vdom.jpg

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

UkWizard
New Contributor

Picture uploading broke a while ago, so it won't work later either until it gets fixed. Suggest you put it on a public drive somewhere.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Carl_Wallmark
Valued Contributor

Thanks, I have posted the link now.

Not applicable

Looks good to me. I'm doing a lot of the same things in both NAT and TP mode.
Carl_Wallmark
Valued Contributor

One of my big concerns is the mapping of a public IP address. I want to set the public IP directly on the customer's VDOM instead of 10.10.1.0/28. One solution would be to use TP on the root domain, but then the vlink doesn't work. So, if I could get the ISP (Tripnet) to give me the whole subnet including the default gateway, I could then route it to the right VDOM. Are there any problems using "IP Pool" and NAT'ing a whole public address, for example IPsec tunnels etc.?

red_adair
New Contributor III

You do not need a transfer network for the IntraVDOM links. Go for this solution: do NOT put an IP on the "upper" IntraVDOM links (10.10.1.1/10.10.1.17/10.10.1.33), and put the public IP on the northbound VDOM interface (the one that is currently 10.10.1.2 etc.). You can set simple static routes in the root domain to send a network of whatever size (/30, /29, etc.) to a certain IntraVDOM interface. -R.
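
The layout described in the reply above, sketched as a FortiOS CLI fragment. This is an added example, not configuration posted in the thread; the link name `c1link`, the VDOM name `CUST1` and the documentation prefix 203.0.113.8/29 are assumptions, and exact syntax varies between FortiOS releases.

```fortios
# Assumption: the ISP routes 203.0.113.8/29 to the FortiGate's WAN1 address,
# so the prefix is not part of WAN1's own connected subnet.

config global
    config system vdom-link
        # Creating the link auto-creates interfaces c1link0 and c1link1
        edit "c1link"
        next
    end
    config system interface
        # "Upper" end in root: deliberately left without an IP address
        edit "c1link0"
            set vdom "root"
        next
        # Northbound interface of the customer VDOM carries the public IP
        edit "c1link1"
            set vdom "CUST1"
            set ip 203.0.113.9 255.255.255.248
            set allowaccess ping
        next
    end
end

config vdom
    edit root
        config router static
            # Send the customer's public prefix down the inter-VDOM link
            edit 10
                set dst 203.0.113.8 255.255.255.248
                set device "c1link0"
            next
        end
end

config vdom
    edit CUST1
        config router static
            # Default route back towards root over the point-to-point link
            edit 1
                set device "c1link1"
            next
        end
end
```

Traffic still needs firewall policies in root between `wan1` and `c1link0`; that is where the provider-side port and bandwidth controls from the original question sit, independent of whatever policies the customer VDOM defines.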
Carl_Wallmark
Valued Contributor

You mean I should type 0.0.0.0/0 instead of 10.10.1.1? But how can I route traffic from WAN1 to the "WAN" link for each VDOM if WAN1 has an IP from the same subnet as the one of the VDOM? Let's say you have:

x.x.x.1
x.x.x.2
x.x.x.3

x.x.x.1 is the default gateway on Tripnet's router.
x.x.x.2 is on WAN1 on the FortiGate.
x.x.x.3 is the WAN link on VDOM1.

Should I do a static route: x.x.x.3 -> "WAN Link" on VDOM1 in the root domain?

Carl_Wallmark
Valued Contributor

For those who are interested, this is a working scenario with VDOMs: http://195.67.73.228/vdom2.jpg

MBR
New Contributor III

Could you please provide a new link with the working picture?

- MBR -

NSE1, NSE2, NSE3

FGT60D/E, FWF60D/E, FGT200D
