Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nadav
New Contributor

Main Vdom is NAT, second Vdom is transparent - no internet on transparent vdom

Hi everyone, I am a newbie in FortiGate. I have an 800C device and I'm trying to create a transparent VDOM as a second VDOM next to the primary NAT VDOM. I can browse the management IP of the transparent VDOM from the client, but I can't get to the internet; from the logs I see that the destination interface is unknown. My internet comes from an ADSL router with the GW 10.0.0.138. Clients behind vdom0 with NAT to 172.16.0.0/24 can browse fine, but clients behind vdom1 can only see 10.0.0.140 (vdom1 mgmt IP). I'm guessing it's a result of my WAN being connected to vdom0 only, but what can I do? Thanks in advance.
emnoc
Esteemed Contributor III

It's hard to see your topology, but I think you're doing what's called a stacked VDOM. Is vdom2 dependent on the 1st VDOM? Take a look at this post and tell me if this is what you want or are trying to do, or draw a topology map with the interfaces you are using: http://socpuppet.blogspot.com/2014/09/a-meshed-vdom-transparent-using-inter.html

PCNSE NSE StrongSwan
nadav
New Contributor

Hi Emnoc, and thanks so much for replying. I am building a vCloud lab with the FortiGate machines, which will be used in production. I have the management network working fine with vdom0, and the tenants' network, which should be transparent, with vdom1 (vShield will do the NAT and firewall). My policy on both VDOMs is to allow any from the VM on the transparent dvSwitch. I can browse to 10.0.0.140 (vdom1's management IP), but that's it. If I create a half-IP VDOM interlink I can set up a VM with the half IP as gateway, but I have to work with the 10.0.0.0/24 subnet, which represents the public IPs for the cloud (to be clear: a tenant gets the IP 10.0.0.200 and 10.0.0.138 as GW).
nadav
New Contributor

I am currently reviewing the link you've sent me; I think the solution is in there. I will let you know! Thanks a lot.
nadav
New Contributor

I have reviewed the article; however, it still forces me to use a different subnet than 10.0.0.0/24 for the VMs, so this is not exactly transparent but a VDOM-NAT thingy :) I hope there is a way to do the thing I'm trying :)
emnoc
Esteemed Contributor III

Ah, I see, so the cloud is represented by 10.0.0.0/24. I have never seen a setup like that, and here's why: if you apply vdom0 (NAT) and, let's say, wan1 to the WAN uplink modem, it can only be tied to one VDOM at a time. The vdom-interlink links VDOMs and interfaces per se. So if you want to "transparent" bridge that WAN into vdom1 (transparent mode), it would not be possible. If you tie a vdom-interlink from vdom0<>1 and a policy from vdom1 to vdom0 over the interlink, what happens?

PCNSE NSE StrongSwan
nadav
New Contributor

I could only get it to work with the half-IP configuration (giving the interlink on vdom0 an IP and leaving the interlink on vdom1 without an IP); as you can understand, it forces me to use a different subnet... Up to now I was working with pfSense; since it is open source I always had a physical one for NAT and virtual machines as transparent with separated feeds. However, for our new architecture plan we need to use more advanced technologies.
nadav
New Contributor

So the current status is: I changed the WAN to vdom1 (transparent). Now obviously the cloud tenants can connect, but I can't access the first VDOM (NAT). What I am missing is the BGP setup or the routing from vdom0 to the gateway through vdom1. Can anyone point to the relevant article? THANKS!
nadav
New Contributor

Update: I have moved the WAN interface from the NAT VDOM to the transparent VDOM, then added an interconnect with no IP on both sides and a route from the NAT VDOM to interconnect interface1, and I can ping the gateway 10.0.0.138 from behind the NAT and even browse it. However, I can't ping 8.8.8.8. Does anyone have any idea what the next step is?
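As an added worked example (not configuration posted in this thread, and not Fortinet documentation), this is how the layout from the last update looks in the FortiOS CLI when it is combined with the half-IP interlink from the earlier posts: wan1 lives in the transparent VDOM, the NAT VDOM reaches the ADSL router over the vdom-link, and only the NAT side of the link carries an address. Since the transparent VDOM bridges wan1, the tenant port and its end of the link at layer 2, the NAT VDOM's link interface sits on the same 10.0.0.0/24 segment as the ADSL router, and the tenants keep their 10.0.0.x addresses with 10.0.0.138 as gateway. The VDOM names, the interface names (port1 as the inside port of the NAT VDOM, port2 as the tenant port, wan1 as the ADSL uplink), the link name "vlink", the policy IDs, 172.16.0.0/24 as the inside network, and 10.0.0.1 as the address on the NAT side of the link are all assumptions.

```fortios
# Added example (not from the thread): two VDOMs, wan1 lives in the transparent VDOM.
# Assumed names: vdom0 (NAT), vdom1 (transparent), port1, port2, wan1, vlink.
config system vdom
    edit "vdom0"
    next
    edit "vdom1"
    next
end

# vdom1 is transparent; 10.0.0.140 is the management address from the thread.
config vdom
    edit vdom1
        config system settings
            set opmode transparent
            set manageip 10.0.0.140/24
        end
    next
end

# A vdom-link named "vlink" creates the interface pair vlink0 and vlink1.
config system vdom-link
    edit "vlink"
    next
end

# vlink0 (NAT side) gets an address on the public segment (assumption: 10.0.0.1 is free).
# vlink1 (transparent side) carries no address: the half-IP interlink from the thread.
config system interface
    edit "port1"
        set vdom "vdom0"
        set ip 172.16.0.1 255.255.255.0
        set allowaccess ping
    next
    edit "vlink0"
        set vdom "vdom0"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping
    next
    edit "wan1"
        set vdom "vdom1"
    next
    edit "port2"
        set vdom "vdom1"
    next
    edit "vlink1"
        set vdom "vdom1"
    next
end

# NAT VDOM: default route to the ADSL router through vlink0 and a NAT policy out.
config vdom
    edit vdom0
        config router static
            edit 1
                set gateway 10.0.0.138
                set device "vlink0"
            next
        end
        config firewall policy
            edit 1
                set srcintf "port1"
                set dstintf "vlink0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end

# Transparent VDOM: no addresses or routes, but policies are still required for
# the bridge to forward. Repeat the pair below for port2 <-> wan1 as well.
config vdom
    edit vdom1
        config firewall policy
            edit 1
                set srcintf "vlink1"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
            edit 2
                set srcintf "wan1"
                set dstintf "vlink1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
```

Two checks are worth running after this. In vdom0, `get router info routing-table all` should list a default route via 10.0.0.138 on vlink0; without an address on vlink0 the NAT policy has nothing to translate the inside hosts to, which is why this example keeps the half-IP form rather than a link with no address on either side. In vdom1, `diagnose sniffer packet wan1 'host 8.8.8.8' 4` shows whether packets sourced from 10.0.0.1 actually leave towards the ADSL router; a transparent VDOM only forwards where a policy matches, so traffic that shows up on vlink1 but never on wan1 points at a missing vlink1 to wan1 policy. The ADSL router also has to accept 10.0.0.1 as an ordinary host on its LAN segment, since that is what it now sees behind the bridge.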