Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
IrbkOrrum
Contributor

Created on ‎12-02-2024 08:44 AM

Multiple external IP passthrough for VDOMs

Quick background on the environment.
Root vdom contains all the physical connections to the VMWare stack and the internet. 

VDOM A - All internet bound traffic (inbound or outbound) runs through an intervdom link.  Everything works as expected.

I understand how one would pass traffic through for either all ports or a single port from an external IP, through a VIP on Root, to the intervdom link IP of VDOM-A and then another VIP on VDOM-A to 'inside' VDOM-A.

What happens when you need to have multiple external IPs all routing to something within VDOM-A?  With the intervdom link, VDOM-A essentially only has 1 'external' IP.  
For example, you've got external IP: 40.40.40.40 that goes to WebserverA in VDOM-A and you've got 40.40.40.41 that goes to WebserverB in VDOM-A.  

Do I create separate intervdom links for each external IP?
Do I take the VIP from external to Root and do something like take 40.40.40.40 port 80 outside, translate it to 172.17.172.1 (intervdom link IP) port 80 then at the VDOM-A VIP, take 172.17.172.1 port 80 and translate to 10.10.10.10 port 80 (this I've done and it works).  Then take 40.40.40.41 port 80 outside, translate it it to 172.17.172.1 port 79 then at the VDOM-A VIP translate 172.17.172.1 port 79 and translate it to 10.10.10.11 port 80.

So something like this:

External IPRoot VIPVDOM A VIP
40.40.40.40 port 80172.17.172.1 port 8010.10.10.10 port 80
40.40.40.41 port 80172.17.172.1 port 7910.10.10.11 port 80

 

I'm not sure how else I would get the traffic from 'outside' to VDOM-A when VDOM-A essentially only has 1 IP.  I can't VIP both of the external IPs to port 80 but I'm also not sure how to get around it.

Labels:
1196
0 Kudos
1 Solution
Toshi_Esumi
SuperUser
SuperUser
In response to IrbkOrrum

Created on ‎12-02-2024 10:39 AM Edited on ‎12-02-2024 10:43 AM

Then you need to keep your original design. As I said the subnet you would route from root to VDOM-A doesn't have to be on any interface (means can be bogus). You just need to have a static route toward the vdom-link(npu-vlink) at the root vdom. Then, you can just map them to local subnet like 10.10.10.0/24 by VIPs at VDOM-A.

Don't forget the opposite direction. Outgoing traffic for 10.10.10.0/24 toward the outside/interfnet needs to NATed as well. You might use the same subnet 172.17.172.0/24 or a different one. If different, you need to have another route at root vdom.

Toshi

View solution in original post

954
0 Kudos
19 REPLIES 19
Toshi_Esumi
SuperUser
SuperUser

Created on ‎12-02-2024 09:11 AM

VIPs are necessary because of NAT, hiding the internal subnets from outside/internet. Between VDOMs (root and other vdoms) if you don't have NAT you can just route them, then you don't need VIPs at the VDOM borders. 

Further, if you route the public IPs/40.40.40.40 and .41 to VDOM-A, you don't need the VIPs at all even at the root VDOM.

Toshi

576
0 Kudos
IrbkOrrum
Contributor
In response to Toshi_Esumi

Created on ‎12-02-2024 09:47 AM Edited on ‎12-02-2024 09:50 AM

Sorry, but that makes 0 sense.  Even completely ignoring the VDOMs, I need a VIP to translate 40.40.40.40 to 10.10.10.10.  

Perhaps my original statement was unclear.  All traffic from VDOM-A runs through the intervdom link to Root and then out the interface contained in Root.  All traffic inbound runs through Root, then to the intervdom link to VDOM-A.  VDOM-A has no access to anything without the intervdom link.

553
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to IrbkOrrum

Created on ‎12-02-2024 09:50 AM

I meant if you have assigned like 40.40.40.40 instead of 10.10.10.10 at the sever, you don't need any VIPs. Of course, if the server has local IP, you at least need to have the VIP at the VDOM-A.

Toshi

549
0 Kudos
IrbkOrrum
Contributor
In response to Toshi_Esumi

Created on ‎12-02-2024 09:52 AM

That is not the case.  All servers have RFC 1918 IPs.

544
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to IrbkOrrum

Created on ‎12-02-2024 09:54 AM

In other words, you need to map 40.40.40.40 directly to 10.10.10.10 then you can route either 40.40.40.40 to VDOM-A or 10.10.10.10 to root vdom. You shouldn't need two VIPs at both vdoms.

Toshi

540
0 Kudos
IrbkOrrum
Contributor
In response to Toshi_Esumi

Created on ‎12-02-2024 09:56 AM

No, 40.40.40.40 can't map directly to 10.10.10.10 because Root doesn't know what 10.10.10.10 is.  Root only communicates with the 10.10.10.0/24 network via intervdom link.  So 40.40.40.40 gets a VIP to 172.17.172.1 (the intervdom link IP) and then another VIP from 172.17.172.1 to 10.10.10.10

537
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to IrbkOrrum

Created on ‎12-02-2024 10:00 AM

That's what I'm saying you need to "route" 10.10.10.0/24 from the root vdom to VDOM-A. Like by a static route toward the vdom-link(npu-vlink).
Each VDOM, including root, is just an independent router. You just need to have a route to get to the other router if there is no NAT in-between.

Toshi

535
0 Kudos
IrbkOrrum
Contributor
In response to Toshi_Esumi

Created on ‎12-02-2024 10:06 AM

The "route" from Root to VDOM-A is via the intervdom link. So the 40.40.40.40 needs to get translated to the intervdom link IP, so that VDOM-A can pick up the 172.17.172.1 traffic and translate it to the actual 10.10.10.10 server that's inside of VDOM A.  I can't just VIP 40.40.40.40 to 10.10.10.10 because the router won't know what 10.10.10.10 to send it too when you've got multiple VDOMs running the same IP schemes.  

529
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to IrbkOrrum

Created on ‎12-02-2024 10:31 AM

Unless 10.10.10.0/24 exists at both root vdom and VDOM-A, you can do below. If both have the same subnet(s), yes, you have to do VIP/NAT again at VDOM-A side by assigning a vogus subnet(s) like 172.17.172.0/24.

vipmodel.png

 

Toshi

497
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.