Hello, You need to specify an IP address on your vdom link (an unused IP range like 172.31.1.0/30). Like this, you will able to do SNAT on the firewall policy from VDOMA to VDOMroot (and the VDOM root will never see the subnet 192.168.1.0/24). If you have service reachable from internet, you will need to do a NAT on VDOM root from RootPublicIp to the VdomAIP, and a second NAT on VDOMA from VDOMAIP to your server.. But with this solution, you will have 2 NAT (2 outbount, 2 intbound for you services reachable from internet). As said Emnoc, the best solution is to change one of the subnet, or take a second internet provider to configure an internet for each company.

1. Picture at the top is only screenshot from manual. I wrote that in my case there are two subnets with the same addresses. 2. I cannot change addresses - admin from CompanyA said that he has too many things deployed with 192.168.1.x 3. The same story with owner of CompanyB (they even doesn' t have admin !!!). 4. Owner of Fortigate is CompanyC (they don' t have any subnet, they are owner of building and ISP is dealing with them). If I had 3 FortiGates I would do scenario like on pic below (NAT on every FG, only outgoing rules).

I tried to create topology based on that scenario with VDOMs : Fortigate1 = VDOM-A Fortigate2 = VDOM-B Fortigate3 = root but when I try to set address on second vlink I got message : IP address is in same subnet as the others.

OP Let me shed some light. You problem is trivial, but it will cause you problems sooner or later ( been there done that , lesson from past experiences and lifes ;) ) 1st, never ever never ever never ever use 192.168.1.0/24 in a ANY firewall. That is bad, lazy and the one single network-space you should NEVER use or simple ut AVOID!. It' s the pre-installed-can' d default in almost all consumer grade devices next , you will have two possibilities to make this happen if your stubborn and don' t want to re-address now. Here' s your options. 1: you built a interlink from the one vdom to the other, but the SNAT issues like I described earlier-on is going to be a management nightmare. You will need to place some gh0st networks subnets to nat the like-as custA and custB network-space into unique networks-space ( if you did this in reality, than you would probably be better off now re-addressing & getting over this hurdle now vrs latter imho....) 2: option,you waste a 3rd vdom, but for practical sake you call it the root-vdom. Root-vdom has the public facing interface(s) or if you had a complete subnet, you could use ippools and allocate one per cust-vdom. netx you craft 2x vdom-links. ( custA to Root & custB to Root ) You now will need to still SNAT 192.168.1.0/24s into a new subnet, but you can handle that on the vdom-interlink behind the virtual-interlink addresses. Now you can apply these new SNAT into the root-vdom and nat them behind 1> the public-wan interface or 2> into ippool if you have a range. Here' s a jest to get you started on the cfg in global and then vdom level; vdom-links; config system vdom-link edit " vcust1toroot" next edit " vcust2toroot" next end next we place the vdom into each customer vdom+root ( one side into root one into the customer ) config sys interface edit " vcust1toRoot0" set vdom " root" set ip 10.10.10.1 255.255.255.252 set allowaccess ping ssh set type vdom-link set snmp-index 25 next edit " vcust1toRoot1" set vdom " custA" set ip 10.10.10.2 255.255.255.252 set allowaccess ping ssh set type vdom-link set snmp-index 26 next edit " vcust2toRoot0" set vdom " root" set ip 10.10.10.5 255.255.255.252 set allowaccess ping ssh set type vdom-link set snmp-index 27 next edit " vcust2toRoot1" set vdom " custB" set ip 10.10.10.6 255.255.255.252 set allowaccess ping ssh set type vdom-link set snmp-index 28 next Now a generic firewall for SNAT repeat for the other vdom in the vdom cfg leve; config firewall policy edit 0 set srcintf " <install vdom link name" set dstintf " wan1" set srcaddr " customerA-LAN" set dstaddr " all" set action accept set nat enable set schedule " always" next end ( you get the picture ? ) And so on. Once again very bad, more complexity, and it become more complex timing consuming and bothersome to t-shoot. Also keep these thoughts in mind; 1: if you change the address now, than you will not need to do SNAT leading into root-vdom b4 you hit the public-internet 2: custA and B could never ever talk to each other with out pulling out the SNAT/DNAT mirrors and doing some massage work 3: what happens if custAorB needs to speak to a external networks that happens to use 192.168.1.0/24? ( did you ever thought about that scenario? ) 4: vip management if required later has to be carefully thought out and can be limiting. YMMV

1. These (192.168.1.0/24) are not my networks. I didn' t design it. Usually I avoid 192.168.1.0/24 and 192.168.0.0/24 (and also I avoid VDOMs too ! ;-)) 2. CustomerA and B will never talk to each other. 3.

what happens if custAorB needs to speak to a external networks that happens to use 192.168.1.0/24? ( did you ever thought about that scenario? )

This is common problem with VPN tunnels but - usually I don' t build these networks. Most customers have their own IT which made decision many years before I arrived ;-) 4. There will be no traffic from WAN to LAN - no VIP.

Hi ! Problem is solved. Thank you guys for your posts. @emnoc - your 1st option is not " political" - companyB has access to companyA and B is dependent on A. So admin from A with his VDOM-A can block B - unacceptable. 2nd option was my goal like with 3 Fortigates. I' ve build test environment in VMs and tested. The KEY POINT is - there is no such thing as switch (virtual switch) between VDOMs. I thought that I can somehow build LAN (i.e. 10.0.0.0/24) between more than 2 VDOMs but I can' t. VLinks works as point-to-point (like crossover patchcord + 2 interfaces of two routers) and that' s it. That was my problem. Now everything works fine :

If you want to create a LAN between VDOM, you need to do that physically (with a external switch, or in your case with a vswitch). Vdom link isn' t the only way to create link between two vdom. a physical cable works too ;)

VLinks works as point-to-point (like crossover patchcord + 2 interfaces of two routers) and that' s it. That was my problem.

I like you analogy and yes that how I see it also. I believe fortigate has the means to declare the vlink-type and by the default it' s PPP and ethernet is an option. I' m sure Ede will come along and correct me if I' m wrong

Vdom link isn' t the only way to create link between two vdom. a physical cable works too ;

True you just waste ports if you have 2+ or more vdom connectivity links. Another option that' s more economical 1: 802.1q router on a stick ( cisco L3 routers like a 3560 or 2550 are cheap now ) 2: you use 2 physical ports and build a 802.1q tagged interface between the 2 and one interface per vdom These are alternative to Psuedo vlink. As with anything, you have a host of PROs and CONs to look at in every scenario. Good luck.