Main VDOM is NAT, second VDOM is transparent - no internet on transparent VDOM
I am a newbie in FortiGate.
I have an 800C device and I'm trying to create a transparent VDOM as a second VDOM next to the primary NAT VDOM.
I can browse the management IP of the transparent VDOM from the client,
but I can't get to the Internet - from the logs I see that the destination interface is unknown.
My Internet comes from an ADSL router with the GW 10.0.0.138.
Clients behind vdom0 with NAT to 172.16.0.0/24 can browse fine,
but clients behind vdom1 can only see 10.0.0.140 (vdom1 mgmt IP).
I'm guessing it's a result of my WAN being connected to vdom0 only,
but what can I do?
Thanks in advance.
It's hard to see what your topology is, but I think you're doing what's called stacked VDOMs. Is vdom2 dependent on the 1st VDOM?
Take a look at this post and tell me if this is what you want or are trying to do. Or draw a topology map with the interfaces you are using?
Hi Emnoc - and thanks so much for replying.
I am building a vCloud lab with the FortiGate machines which will be used in production.
I have the management network working fine with vdom0,
and a tenants network that should be transparent with vdom1 (vShield will do the NAT and firewall).
My policy on both VDOMs is to allow any.
From the VM on the transparent dswitch I can browse to 10.0.0.140 (vdom1's management IP) but that's it.
If I create a half-IP VDOM interlink I can set up a VM with the half IP as gateway - but I have to work with the 10.0.0.0/24 subnet, which represents the public IPs for the cloud
(to be clear - a tenant gets the IP 10.0.0.200 and 10.0.0.138 as GW).
I have reviewed the article; however, it still forces me to use a different subnet than 10.0.0.0/24 for the VMs,
so this is not exactly transparent but a VDOM-NAT thingy :)
I hope there is a way for the thing I'm trying :)
Ah I see, so the cloud is represented by 10.0.0.0/24. I never saw a setup like that and here's why: if you apply vdom0 (NAT) and let's say wan1 to the wan-uplink-modem, it can only be tied to one VDOM at a time. The vdom-interlink links VDOMs and interfaces per se.
So if you want to "transparent" bridge that WAN into vdom1 (transparent mode) it would not be possible.
If you tie a vdom-interlink from vdom0<>1 and a policy from vdom1 to vdom0 over the interlink, what happens?
I could only get it to work with a half-IP configuration (giving the interlink on vdom0 an IP and leaving the interlink on vdom1 without an IP).
As you can understand, it forces me to use a different subnet...
Up to now I was working with pfSense - since it is open source I always had a physical one for NAT and virtual machines as transparent with separated feeds.
However, for our new architecture plan we need to use more advanced technologies.
So the current status is:
I changed the WAN to vdom1 - transparent.
Now obviously the cloud tenants can connect, but I can't access the first VDOM (NAT).
What I am missing is the BGP setup or the routing from vdom0 to the gateway through vdom1 - can anyone point to the relevant article?
I have moved the WAN interface from the NAT VDOM to the transparent VDOM,
then added an interconnect - no IP on both sides,
added a route from the NAT VDOM to interconnect interface1,
and I can ping the gateway 10.0.0.138 - from behind the NAT, and even browse it.
However - I can't ping 220.127.116.11.
Anyone has any idea what the next step is?
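The layout the last update describes (WAN interface owned by the transparent VDOM, an inter-VDOM link between the two VDOMs, and a default route in the NAT VDOM that leaves through that link), written out as FortiOS CLI as an added illustration. This is not configuration from the thread or from Fortinet; the VDOM names `root` and `vdom1`, the link name `vlink`, the interface `wan1` and the address 10.0.0.139 are assumptions. It also differs from the update in one deliberate way: the NAT-side end of the link gets an address on 10.0.0.0/24, because a NAT-mode VDOM needs a source address on the segment where its gateway lives in order to accept a static route to 10.0.0.138 and to SNAT outbound traffic onto it. In FortiOS a vdom-link named `vlink` creates two interfaces, `vlink0` and `vlink1`; each is assigned to one VDOM.

```text
# --- global: create the inter-VDOM link and assign its two ends ---
config global
    config system vdom-link
        edit "vlink"
            set type ethernet        # layer-2 style link; needed because vdom1 bridges it
        next
    end
    config system interface
        edit "vlink0"
            set vdom "root"          # NAT VDOM end
            set ip 10.0.0.139 255.255.255.0   # constructed address on the "cloud" segment
            set allowaccess ping
        next
        edit "vlink1"
            set vdom "vdom1"         # transparent VDOM end, no IP (it is a bridge port)
        next
        edit "wan1"
            set vdom "vdom1"         # the ADSL uplink now belongs to the transparent VDOM
        next
    end
end

# --- vdom1: transparent mode, management address, allow-any bridging policies ---
config vdom
    edit vdom1
        config system settings
            set opmode transparent
            set manageip 10.0.0.140 255.255.255.0   # the mgmt IP the thread refers to
        end
        # policy for traffic from the NAT VDOM towards the ADSL router
        config firewall policy
            edit 1
                set srcintf "vlink1"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
            # policy for the tenants' bridge port; "port5" is a placeholder for the tenant-facing port
            edit 2
                set srcintf "port5"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end

# --- root (NAT VDOM): default route through the link, NAT outbound policy ---
config vdom
    edit root
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.0.0.138      # the ADSL router, reached across vdom1's bridge
                set device "vlink0"
            next
        end
        # "internal" is a placeholder for the interface holding the 172.16.0.0/24 clients
        config firewall policy
            edit 1
                set srcintf "internal"
                set dstintf "vlink0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable              # SNAT to 10.0.0.139 on the way out
            next
        end
    next
end
```

Two checks separate "gateway reachable" from "Internet reachable", which is exactly where the update stalls. In the `root` VDOM, `get router info routing-table all` should show the 0.0.0.0/0 route via 10.0.0.138 on `vlink0`; if it is absent, the route was rejected, usually because `vlink0` has no address on the gateway's subnet. Then, while pinging a public address from a 172.16.0.0/24 client, run `diagnose sniffer packet wan1 'host 10.0.0.138' 4` inside `vdom1`: seeing the SNATed packets (source 10.0.0.139) leave `wan1` but no replies return points at the ADSL router, whereas not seeing them at all points at a missing `vlink1` to `wan1` policy or at the `vlink` ends not being in the same forwarding domain as `wan1`.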