Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Inter-VDOM traffic / routing / addressing
Hi !
Can anyone tell me how to set topology like in picture from manual BUT " Sales" and " Accounting" are two diffrent company and they BOTH HAVE THE SAME Subnet addresing !
ComapnyA (192.168.1.0/24) --> (192.168.1.1) VDOM-A (vlink addresses ???)
ComapnyB (192.168.1.0/24) --> (192.168.1.1) VDOM-B (vlink addresses ???)
There are no traffic between A and B.
There is only 1 ISP with 1 public IP.
Manual doesn' t cover it.
I' m a little bit confused becouse in manual vlinks have no IP.
How LAN A (Sales) are translated when packets are sent to voom root ???
What is default route in VDOM Sales ?
Please explain me.
Dominik Weglarz, IT System Engineer
Dominik Weglarz, IT System Engineer
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you mean same subnet addressing ? I see 10.11.0.0 and 10.12.0.0 in this diagram and the interlink being a common address.
And to state the obvious, you are planning to build these together in the future you should rethink your design and change these to be very unique subnet if you have intentions of ever having an simple design and with little effort. It makes no sense at all & with rfc1918 address to
1: share a common subnet that' s under your control
2: restrict the size of the network space that you used in a rfc1918
If you should have to share a common subnet, than your only choices are a bunch of complex SNAT/DNAT combinations;
e.g ( using 10.11.0.0/24 )
VDOM
10.11.0.0/24 -SNAT ====172.16.11.0/24 <---------> 172.16.10.0/24 ====10.11.0.0/24
very bad practices and with proper design and planning you should do everything in your power to avoid the above.
So basically what I' m saying, re-address now and re-design.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
You need to specify an IP address on your vdom link (an unused IP range like 172.31.1.0/30). Like this, you will able to do SNAT on the firewall policy from VDOMA to VDOMroot (and the VDOM root will never see the subnet 192.168.1.0/24). If you have service reachable from internet, you will need to do a NAT on VDOM root from RootPublicIp to the VdomAIP, and a second NAT on VDOMA from VDOMAIP to your server..
But with this solution, you will have 2 NAT (2 outbount, 2 intbound for you services reachable from internet).
As said Emnoc, the best solution is to change one of the subnet, or take a second internet provider to configure an internet for each company.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. Picture at the top is only screenshot from manual. I wrote that in my case there are two subnets with the same addresses.
2. I cannot change addresses - admin from CompanyA said that he has too many things deployed with 192.168.1.x
3. The same story with owner of CompanyB (they even doesn' t have admin !!!).
4. Owner of Fortigate is CompanyC (they don' t have any subnet, they are owner of building and ISP is dealing with them).
If I had 3 FortiGates I would do scenario like on pic below (NAT on every FG, only outgoing rules).
Dominik Weglarz, IT System Engineer
Dominik Weglarz, IT System Engineer
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried to create topology based on that scenario with VDOMs :
Fortigate1 = VDOM-A
Fortigate2 = VDOM-B
Fortigate3 = root
but when I try to set address on second vlink I got message :
IP address is in same subnet as the others.
Dominik Weglarz, IT System Engineer
Dominik Weglarz, IT System Engineer
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OP Let me shed some light.
You problem is trivial, but it will cause you problems sooner or later ( been there done that , lesson from past experiences and lifes ;) )
1st, never ever never ever never ever use 192.168.1.0/24 in a ANY firewall. That is bad, lazy and the one single network-space you should NEVER use or simple ut AVOID!.
It' s the pre-installed-can' d default in almost all consumer grade devices
next , you will have two possibilities to make this happen if your stubborn and don' t want to re-address now. Here' s your options.
1: you built a interlink from the one vdom to the other, but the SNAT issues like I described earlier-on is going to be a management nightmare.
You will need to place some gh0st networks subnets to nat the like-as custA and custB network-space into unique networks-space ( if you did this in reality, than you would probably be better off now re-addressing & getting over this hurdle now vrs latter imho....)
2: option,you waste a 3rd vdom, but for practical sake you call it the root-vdom. Root-vdom has the public facing interface(s) or if you had a complete subnet, you could use ippools and allocate one per cust-vdom.
netx you craft 2x vdom-links.
( custA to Root & custB to Root )
You now will need to still SNAT 192.168.1.0/24s into a new subnet, but you can handle that on the vdom-interlink behind the virtual-interlink addresses.
Now you can apply these new SNAT into the root-vdom and nat them behind 1> the public-wan interface or 2> into ippool if you have a range.
Here' s a jest to get you started on the cfg in global and then vdom level;
vdom-links;
config system vdom-link
edit " vcust1toroot"
next
edit " vcust2toroot"
next
end
next we place the vdom into each customer vdom+root ( one side into root one into the customer )
config sys interface
edit " vcust1toRoot0"
set vdom " root"
set ip 10.10.10.1 255.255.255.252
set allowaccess ping ssh
set type vdom-link
set snmp-index 25
next
edit " vcust1toRoot1"
set vdom " custA"
set ip 10.10.10.2 255.255.255.252
set allowaccess ping ssh
set type vdom-link
set snmp-index 26
next
edit " vcust2toRoot0"
set vdom " root"
set ip 10.10.10.5 255.255.255.252
set allowaccess ping ssh
set type vdom-link
set snmp-index 27
next
edit " vcust2toRoot1"
set vdom " custB"
set ip 10.10.10.6 255.255.255.252
set allowaccess ping ssh
set type vdom-link
set snmp-index 28
next
Now a generic firewall for SNAT repeat for the other vdom in the vdom cfg leve;
config firewall policy
edit 0
set srcintf " <install vdom link name"
set dstintf " wan1"
set srcaddr " customerA-LAN"
set dstaddr " all"
set action accept
set nat enable
set schedule " always"
next
end
( you get the picture ? )
And so on.
Once again very bad, more complexity, and it become more complex timing consuming and bothersome to t-shoot.
Also keep these thoughts in mind;
1: if you change the address now, than you will not need to do SNAT leading into root-vdom b4 you hit the public-internet
2: custA and B could never ever talk to each other with out pulling out the SNAT/DNAT mirrors and doing some massage work
3: what happens if custAorB needs to speak to a external networks that happens to use 192.168.1.0/24? ( did you ever thought about that scenario? )
4: vip management if required later has to be carefully thought out and can be limiting.
YMMV
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. These (192.168.1.0/24) are not my networks. I didn' t design it.
Usually I avoid 192.168.1.0/24 and 192.168.0.0/24 (and also I avoid VDOMs too ! ;-))
2. CustomerA and B will never talk to each other.
3.
what happens if custAorB needs to speak to a external networks that happens to use 192.168.1.0/24? ( did you ever thought about that scenario? )This is common problem with VPN tunnels but - usually I don' t build these networks. Most customers have their own IT which made decision many years before I arrived ;-) 4. There will be no traffic from WAN to LAN - no VIP.
Dominik Weglarz, IT System Engineer
Dominik Weglarz, IT System Engineer
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi !
Problem is solved.
Thank you guys for your posts.
@emnoc - your 1st option is not " political" - companyB has access to companyA and B is dependent on A.
So admin from A with his VDOM-A can block B - unacceptable.
2nd option was my goal like with 3 Fortigates.
I' ve build test environment in VMs and tested.
The KEY POINT is - there is no such thing as switch (virtual switch) between VDOMs.
I thought that I can somehow build LAN (i.e. 10.0.0.0/24) between more than 2 VDOMs but I can' t.
VLinks works as point-to-point (like crossover patchcord + 2 interfaces of two routers) and that' s it.
That was my problem.
Now everything works fine :
Dominik Weglarz, IT System Engineer
Dominik Weglarz, IT System Engineer
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to create a LAN between VDOM, you need to do that physically (with a external switch, or in your case with a vswitch).
Vdom link isn' t the only way to create link between two vdom. a physical cable works too ;)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VLinks works as point-to-point (like crossover patchcord + 2 interfaces of two routers) and that' s it. That was my problem.I like you analogy and yes that how I see it also. I believe fortigate has the means to declare the vlink-type and by the default it' s PPP and ethernet is an option. I' m sure Ede will come along and correct me if I' m wrong
Vdom link isn' t the only way to create link between two vdom. a physical cable works too ;True you just waste ports if you have 2+ or more vdom connectivity links. Another option that' s more economical 1: 802.1q router on a stick ( cisco L3 routers like a 3560 or 2550 are cheap now ) 2: you use 2 physical ports and build a 802.1q tagged interface between the 2 and one interface per vdom These are alternative to Psuedo vlink. As with anything, you have a host of PROs and CONs to look at in every scenario. Good luck.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan