Quick background on the environment.
Root vdom contains all the physical connections to the VMWare stack and the internet.
VDOM A - All internet bound traffic (inbound or outbound) runs through an intervdom link. Everything works as expected.
I understand how one would pass traffic through for either all ports or a single port from an external IP, through a VIP on Root, to the intervdom link IP of VDOM-A and then another VIP on VDOM-A to 'inside' VDOM-A.
What happens when you need to have multiple external IPs all routing to something within VDOM-A? With the intervdom link, VDOM-A essentially only has 1 'external' IP.
For example, you've got external IP: 40.40.40.40 that goes to WebserverA in VDOM-A and you've got 40.40.40.41 that goes to WebserverB in VDOM-A.
Do I create separate intervdom links for each external IP?
Do I take the VIP from external to Root and do something like this: take 40.40.40.40 port 80 outside, translate it to 172.17.172.1 (intervdom link IP) port 80, then at the VDOM-A VIP take 172.17.172.1 port 80 and translate it to 10.10.10.10 port 80 (this I've done and it works). Then take 40.40.40.41 port 80 outside, translate it to 172.17.172.1 port 79, then at the VDOM-A VIP take 172.17.172.1 port 79 and translate it to 10.10.10.11 port 80?
So something like this:
External IP | Root VIP | VDOM A VIP
---|---|---
40.40.40.40 port 80 | 172.17.172.1 port 80 | 10.10.10.10 port 80
40.40.40.41 port 80 | 172.17.172.1 port 79 | 10.10.10.11 port 80
I'm not sure how else I would get the traffic from 'outside' to VDOM-A when VDOM-A essentially only has 1 IP. I can't VIP both of the external IPs to port 80, but I'm also not sure how to get around it.
Created on 12-02-2024 10:39 AM Edited on 12-02-2024 10:43 AM
Then you need to keep your original design. As I said, the subnet you would route from root to VDOM-A doesn't have to be on any interface (meaning it can be bogus). You just need to have a static route toward the vdom-link (npu-vlink) at the root vdom. Then you can just map them to a local subnet like 10.10.10.0/24 by VIPs at VDOM-A.
Don't forget the opposite direction. Outgoing traffic for 10.10.10.0/24 toward the outside/internet needs to be NATed as well. You might use the same subnet 172.17.172.0/24 or a different one. If different, you need to have another route at the root vdom.
Toshi
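The design Toshi describes, written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet. It assumes an NP vlink pair named npu0_vlink0 (root side, 172.17.172.2/24) and npu0_vlink1 (VDOM-A side, 172.17.172.1/24), port1 as the internet interface in root, port2 as the server LAN in VDOM-A, and a constructed, unassigned hand-off subnet 172.17.173.0/24 that exists only in the root static route and the two VIPs. It goes slightly beyond the two-address case in the question by mapping a consecutive range of public IPs 1:1, which is how any number of external addresses can cross a single vlink without per-IP links or port tricks.

```fortios
# root VDOM: route the hand-off subnet to the vlink, then DNAT public -> hand-off
config vdom
edit root
    config router static
        edit 0
            set dst 172.17.173.0 255.255.255.0
            set gateway 172.17.172.1
            set device "npu0_vlink0"
        next
    end
    config firewall vip
        edit "vip-public-to-handoff"
            set extip 40.40.40.40-40.40.40.41
            set extintf "port1"
            set mappedip "172.17.173.10-172.17.173.11"
        next
    end
    config firewall policy
        edit 0
            set srcintf "port1"
            set dstintf "npu0_vlink0"
            set srcaddr "all"
            set dstaddr "vip-public-to-handoff"
            set action accept
            set schedule "always"
            set service "HTTP"
        next
    end
next
edit VDOM-A
    config firewall vip
        edit "vip-handoff-to-web"
            set extip 172.17.173.10-172.17.173.11
            set extintf "npu0_vlink1"
            set mappedip "10.10.10.10-10.10.10.11"
        next
    end
    config firewall policy
        edit 0
            set srcintf "npu0_vlink1"
            set dstintf "port2"
            set srcaddr "all"
            set dstaddr "vip-handoff-to-web"
            set action accept
            set schedule "always"
            set service "HTTP"
        next
    end
next
end
```

The outbound leg from 10.10.10.0/24 (Toshi's second point) still needs its own policies with NAT enabled on both sides of the vlink; they are not shown here.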
VIPs are necessary because of NAT, hiding the internal subnets from the outside/internet. Between VDOMs (root and other vdoms), if you don't have NAT you can just route them; then you don't need VIPs at the VDOM borders.
Further, if you route the public IPs (40.40.40.40 and .41) to VDOM-A, you don't need the VIPs at all, even at the root VDOM.
Toshi
Created on 12-02-2024 09:47 AM Edited on 12-02-2024 09:50 AM
Sorry, but that makes 0 sense. Even completely ignoring the VDOMs, I need a VIP to translate 40.40.40.40 to 10.10.10.10.
Perhaps my original statement was unclear. All traffic from VDOM-A runs through the intervdom link to Root and then out the interface contained in Root. All traffic inbound runs through Root, then to the intervdom link to VDOM-A. VDOM-A has no access to anything without the intervdom link.
I meant that if you have assigned something like 40.40.40.40 instead of 10.10.10.10 at the server, you don't need any VIPs. Of course, if the server has a local IP, you at least need to have the VIP at VDOM-A.
Toshi
That is not the case. All servers have RFC 1918 IPs.
In other words, you need to map 40.40.40.40 directly to 10.10.10.10; then you can route either 40.40.40.40 to VDOM-A or 10.10.10.10 to the root vdom. You shouldn't need two VIPs at both vdoms.
Toshi
No, 40.40.40.40 can't map directly to 10.10.10.10 because Root doesn't know what 10.10.10.10 is. Root only communicates with the 10.10.10.0/24 network via the intervdom link. So 40.40.40.40 gets a VIP to 172.17.172.1 (the intervdom link IP) and then another VIP from 172.17.172.1 to 10.10.10.10.
That's what I'm saying: you need to "route" 10.10.10.0/24 from the root vdom to VDOM-A, e.g. by a static route toward the vdom-link (npu-vlink).
Each VDOM, including root, is just an independent router. You just need to have a route to get to the other router if there is no NAT in between.
Toshi
The "route" from Root to VDOM-A is via the intervdom link. So 40.40.40.40 needs to get translated to the intervdom link IP, so that VDOM-A can pick up the 172.17.172.1 traffic and translate it to the actual 10.10.10.10 server that's inside of VDOM-A. I can't just VIP 40.40.40.40 to 10.10.10.10 because the router won't know which 10.10.10.10 to send it to when you've got multiple VDOMs running the same IP schemes.
Unless 10.10.10.0/24 exists at both the root vdom and VDOM-A, you can do the below. If both have the same subnet(s), yes, you have to do VIP/NAT again at the VDOM-A side by assigning a bogus subnet(s) like 172.17.172.0/24.
Toshi