5q46n2te8jPWJY
New Contributor III

Allow my customer to manage his VIP

Hello,

 

We are hosting a client on our infrastructure and have set up VDOMs as follows:

 

[Image: Topology_Inter VDOM Routing Ex_Internet access_Updated-01.png]

 

We use FortiManager and have created an ADOM that contains the client's VDOM. The client can manage their firewall rules autonomously.

 

We have assigned them 10 public IPs and I would like them to be able to manage these autonomously as well. How should we proceed?

 

Thank you for your help!

1 Solution
pminarik
Staff

Assuming root VDOM is under your control and VDOM1/2 under customer control, then in root you can simply route the 10 public IPs to the customer's VDOM, where they can deal with it however they like (VIP, IP pool, etc.)

[ corrections always welcome ]


16 Replies
5q46n2te8jPWJY

Sorry but it doesn't work... 

 

I created a route in my root VDOM to route my public IP (1.2.3.4) to my VDOM1. 

 

config router static
   edit 1
      set dst 1.2.3.4 255.255.255.255
      set gateway 10.0.0.2
      set device "vlnk_VDOM1"
   next
end

 

and create a VIP 

 

config firewall vip
    edit "FTTO_SAMPLE_WEB_SERVICE_443"
        set extip 1.2.3.4
        set mappedip "192.168.1.1"
        set extintf "vlnk_VDOM0"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

 

and create rules

config firewall policy
    edit 69
        set name "WAN to FTTO_SAMPLE_WEB_SERVICE_443"
        set srcintf "vlnk_VDOM0"
        set dstintf "VLAN_574"
        set action accept
        set srcaddr "all"
        set dstaddr "FTTO_SAMPLE_WEB_SERVICE_443" 
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end

Can you help me find what is wrong?

Toshi_Esumi

I would just disable the port forward and allow only ALL_ICMP in the policy, to test whether routing is working fine with a simple ping.
Your gateway IP is different from the diagram, which makes me wonder if routing is working for the "1.2.3.4" IP.

Toshi

5q46n2te8jPWJY
New Contributor III

Thank you, yes, I took the diagram in Fortigate's doc.

 

I disabled port forwarding and enabled ALL_ICMP; I can't ping my resource from the internet. In my network, ping is OK.

 

Here is the full config:

 

 

  • Public IP: 1.2.3.4
  • Internal resource IP: 5.6.7.8

 

Inter vdom link :

 

config global
    config system vdom-link
        edit "link_root_to_vdom1"
        next
    end
end
config vdom
    edit root
        config system interface
            edit "link_root_to_vdom1"
                set ip 192.168.1.1 255.255.255.252
                set vdom "root"
                set type vdom-link
            next
        end
    next
    edit vdom1
        config system interface
            edit "link_root_to_vdom1"
                set ip 192.168.1.2 255.255.255.252
                set vdom "vdom1"
                set type vdom-link
            next
        end
    next
end

 

Configure routing in root vdom

 

config vdom
    edit root
        config router static
            edit 1
                set dst 5.6.7.8 255.255.255.255
                set gateway 192.168.1.2
                set device "link_root_to_vdom1"
            next
        end
    next
end

 

Add static route in vdom1

 

config vdom
    edit vdom1
        config router static
            edit 1
                set dst 0.0.0.0/0
                set gateway 192.168.1.1
                set device "link_root_to_vdom1"
            next
        end
    next
end

 

Create VIP in vdom1

 

config vdom
    edit vdom1
        config firewall vip
            edit "Public_to_Internal"
                set extip 1.2.3.4
                set mappedip 5.6.7.8
                set extintf "link_root_to_vdom1"
            next
        end
    next
end

 

Configure security policy

 

config vdom
    edit vdom1
        config firewall policy
            edit 1
                set srcintf "link_root_to_vdom1"
                set dstintf "port2"
                set srcaddr "all"
                set dstaddr "Public_to_Internal"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end

 

 

pminarik

The static route in root is wrong. Root needs to be told how to route to the extip of the VIP in vdom1. (to be clear: it is wrong when talking about the VIP, it may be correct if you want root to talk to the destination's real IP 5.6.7.8 directly)

 

As always, debug flow and packet sniffer should help clarify what's going on.

[ corrections always welcome ]
5q46n2te8jPWJY

You can find a diagram of what I need below.

 

[Image: VDOM Public IP.drawio.png]

pminarik

The general layout is understood already.

 

- What about the static route comment?

- What about the debug flow & sniffer?

+ If there is an IP pool that covers 1.2.3.4 in the root VDOM, you need to edit it or delete it. The VIP won't work in vdom1 if root is already using 1.2.3.4 in an IP pool. (if it is literally just "an IP in a pool" and not an IP pool (the configuration term), then disregard this point)

[ corrections always welcome ]
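As an added example (not part of pminarik's replies), here are the FortiOS CLI commands a practitioner would run to do the checks asked for in this reply and the earlier one: confirm that root has no IP pool covering the public IP, confirm which route root actually uses for it, then sniff and debug-flow a test ping through both VDOMs. It assumes the names used in this thread (public IP 1.2.3.4, VDOMs root and vdom1, link interface link_root_to_vdom1); adapt them to the real names.

```text
# Added example, not from the thread: checks for the inter-VDOM VIP problem.
# Assumed names (from the thread): public IP 1.2.3.4, VDOMs "root" and "vdom1",
# inter-VDOM link interface "link_root_to_vdom1". All commands are typed at the CLI.

# 1. Is 1.2.3.4 already consumed by an IP pool in root? The output should be empty
#    (or the pool must be edited/removed) before the VIP in vdom1 can answer for it.
config vdom
    edit root
        show firewall ippool
    next
end

# 2. Which route does root pick for 1.2.3.4? It must point at the inter-VDOM link,
#    not at the WAN default route.
config vdom
    edit root
        get router info routing-table details 1.2.3.4
    next
end

# 3. Capture on every interface while pinging 1.2.3.4 from the Internet.
#    Verbosity 4 prints the interface name, so you can see whether the packet
#    arrives on the WAN port, crosses the link, and leaves towards the server.
diagnose sniffer packet any 'host 1.2.3.4 and icmp' 4 20

# 4. Trace the forwarding decision in root, then repeat the same commands in vdom1.
#    In root you expect a route to the link; in vdom1 you expect the VIP's DNAT
#    and a policy match. A "no session matched" or "reverse path check fail"
#    line shows which VDOM is dropping the packet.
config vdom
    edit root
        diagnose debug flow filter addr 1.2.3.4
        diagnose debug flow trace start 20
        diagnose debug enable
        # ... send the pings, read the trace, then clean up:
        diagnose debug disable
        diagnose debug flow trace stop
        diagnose debug flow filter clear
    next
end
```

Run step 3 and step 4 at the same time as the ping from outside; if the sniffer shows the packet entering on the WAN port but never on the link interface, the problem is in root (route or policy), and if it reaches the link but not the server-side interface, the problem is in vdom1 (VIP or policy).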
5q46n2te8jPWJY
New Contributor III

Sorry, I'm not sure I understand correctly. Above, you answered me:

 

Assuming root VDOM is under your control and VDOM1/2 under customer control, then in root you can simply route the 10 public IPs to the customer's VDOM, where they can deal with it however they like (VIP, IP pool, etc.)

 

I want my user to be able to use these IPs to create their VIPs. So this is why I tried to create this static route. Can you guide me to the right way?

 

I don't have an IP Pool on the root VDOM.

pminarik

Basic outline

assuming:

- public IP of VIP: 1.2.3.4
- local IP of the server: 9.8.7.6

root VDOM:

- static route: dst 1.2.3.4/32 via inter-vdom-link
- firewall policy: WAN->inter-vdom-link, allowing 1.2.3.4/32. (no SNAT)

vdom1:

- VIP: extip: 1.2.3.4, mappedip: 9.8.7.6, extintf: inter-vdom-link
- firewall policy: inter-vdom-link-> <interface towards 9.8.7.6>, dstaddr = the VIP. (no SNAT, typically)
- static routes: default route via inter-vdom-link

[ corrections always welcome ]
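The outline above written out as a complete FortiOS CLI configuration, as an added example that is not pminarik's own config. It assumes names that are not in the thread: the WAN interface in root is port1, the server-facing interface in vdom1 is port2, the vdom-link is named lnk (FortiOS creates the interface pair lnk0 in root and lnk1 in vdom1), the link is addressed 192.168.1.1/30 (root) and 192.168.1.2/30 (vdom1), the published service is HTTPS, and root already has its default route out of the WAN. Public IP 1.2.3.4 and server 9.8.7.6 are the values from the outline.

```text
# Added example, not from the thread. Assumptions: WAN = port1 (root),
# server side = port2 (vdom1), vdom-link "lnk" -> lnk0 (root) / lnk1 (vdom1),
# link 192.168.1.1/30 (root) and 192.168.1.2/30 (vdom1), service HTTPS.

config global
    config system vdom-link
        edit "lnk"
        next
    end
    config system interface
        edit "lnk0"
            set vdom "root"
            set ip 192.168.1.1 255.255.255.252
        next
        edit "lnk1"
            set vdom "vdom1"
            set ip 192.168.1.2 255.255.255.252
        next
    end
end

config vdom
    edit root
        # Address object for the single public IP the customer may use.
        config firewall address
            edit "cust_public_1.2.3.4"
                set subnet 1.2.3.4 255.255.255.255
            next
        end
        # Route the public IP (not the server's real IP) into the customer VDOM.
        config router static
            edit 10
                set dst 1.2.3.4 255.255.255.255
                set gateway 192.168.1.2
                set device "lnk0"
            next
        end
        # Let Internet traffic for that IP cross the link; no SNAT, so the
        # customer VDOM still sees the real client source address.
        config firewall policy
            edit 10
                set name "WAN_to_vdom1_public"
                set srcintf "port1"
                set dstintf "lnk0"
                set srcaddr "all"
                set dstaddr "cust_public_1.2.3.4"
                set action accept
                set schedule "always"
                set service "HTTPS"
                set nat disable
            next
        end
    next
    edit vdom1
        # Default route back through the link so replies return via root.
        config router static
            edit 1
                set gateway 192.168.1.1
                set device "lnk1"
            next
        end
        # The customer-managed VIP: external side is the link interface.
        config firewall vip
            edit "Public_to_Server_443"
                set extip 1.2.3.4
                set mappedip "9.8.7.6"
                set extintf "lnk1"
                set portforward enable
                set extport 443
                set mappedport 443
            next
        end
        # Inbound policy from the link to the server, destination = the VIP.
        config firewall policy
            edit 1
                set name "Inbound_VIP_443"
                set srcintf "lnk1"
                set dstintf "port2"
                set srcaddr "all"
                set dstaddr "Public_to_Server_443"
                set action accept
                set schedule "always"
                set service "HTTPS"
                set nat disable
            next
        end
    next
end
```

The split of responsibilities is the security point: the hosting provider keeps only the per-/32 route and a policy in root that admits traffic to that address, while every VIP, port mapping and allow rule for the public IP lives in vdom1 where the customer's ADOM gives them control. Widening the root static route to the whole /28 (or /29 pair) of assigned addresses lets the customer add further VIPs without any change in root.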