Quick background on the environment.
Root vdom contains all the physical connections to the VMWare stack and the internet.
VDOM A - All internet bound traffic (inbound or outbound) runs through an intervdom link. Everything works as expected.
I understand how one would pass traffic through for either all ports or a single port from an external IP, through a VIP on Root, to the intervdom link IP of VDOM-A and then another VIP on VDOM-A to 'inside' VDOM-A.
What happens when you need to have multiple external IPs all routing to something within VDOM-A? With the intervdom link, VDOM-A essentially only has 1 'external' IP.
For example, you've got external IP: 40.40.40.40 that goes to WebserverA in VDOM-A and you've got 40.40.40.41 that goes to WebserverB in VDOM-A.
Do I create separate intervdom links for each external IP?
Do I take the VIP from external to Root and do something like take 40.40.40.40 port 80 outside, translate it to 172.17.172.1 (intervdom link IP) port 80 then at the VDOM-A VIP, take 172.17.172.1 port 80 and translate to 10.10.10.10 port 80 (this I've done and it works). Then take 40.40.40.41 port 80 outside, translate it it to 172.17.172.1 port 79 then at the VDOM-A VIP translate 172.17.172.1 port 79 and translate it to 10.10.10.11 port 80.
So something like this:
External IP | Root VIP | VDOM A VIP |
40.40.40.40 port 80 | 172.17.172.1 port 80 | 10.10.10.10 port 80 |
40.40.40.41 port 80 | 172.17.172.1 port 79 | 10.10.10.11 port 80 |
I'm not sure how else I would get the traffic from 'outside' to VDOM-A when VDOM-A essentially only has 1 IP. I can't VIP both of the external IPs to port 80 but I'm also not sure how to get around it.
Solved! Go to Solution.
Created on ‎12-02-2024 10:39 AM Edited on ‎12-02-2024 10:43 AM
Then you need to keep your original design. As I said the subnet you would route from root to VDOM-A doesn't have to be on any interface (means can be bogus). You just need to have a static route toward the vdom-link(npu-vlink) at the root vdom. Then, you can just map them to local subnet like 10.10.10.0/24 by VIPs at VDOM-A.
Don't forget the opposite direction. Outgoing traffic for 10.10.10.0/24 toward the outside/interfnet needs to NATed as well. You might use the same subnet 172.17.172.0/24 or a different one. If different, you need to have another route at root vdom.
Toshi
10.10.10.0/24 exists in multiple VDOMs.
Created on ‎12-02-2024 10:39 AM Edited on ‎12-02-2024 10:43 AM
Then you need to keep your original design. As I said the subnet you would route from root to VDOM-A doesn't have to be on any interface (means can be bogus). You just need to have a static route toward the vdom-link(npu-vlink) at the root vdom. Then, you can just map them to local subnet like 10.10.10.0/24 by VIPs at VDOM-A.
Don't forget the opposite direction. Outgoing traffic for 10.10.10.0/24 toward the outside/interfnet needs to NATed as well. You might use the same subnet 172.17.172.0/24 or a different one. If different, you need to have another route at root vdom.
Toshi
Ok, now we are getting somewhere. However, I'm a bit lost.
Let's say I want to make 172.18.18.0/24 the "external" IPs for VDOM-A. I would make a route in Root that's going to point 172.18.18.0/24 to the 172.17.17.1 (intervdom link IP)? Then in Root I'd create a VIP for 40.40.40.40 to translate to 172.18.18.1 (which Root is going to route to 172.17.17.1).
Then in VDOM-A I'd do a VIP from 172.18.18.1 to 10.10.10.10?
If the vdom link is like 172.17.17.0/30 (172.17.17.1 on root vdom side/172.17.17.2 on VDOM-A side), you need to set the gateway of the static route to 172.17.17.2. A gateway is always on the opposite side of the link.
Then, yes, that's what I'd configure for VDOM-A VIP.
Toshi
Ok, so that's another option. I wasn't thinking about the VIP in VDOM-A actually listening on another IP or routing a bogus subnet to VDOM-A.
40.40.40.40 port 80 VIP to 172.18.18.1 port 80 (assuming Root has a route to 172.18.18.1), VIP to 10.10.10.10 port 80.
Might be cleaner to do it that way than trying to keep track of a bunch of random VIP ports. I mean at most we are talking like 20-30 ports, so not overwhelming but still.
It might not work if you stack a series of VIPs (VIP-to-VIP) at one vdom depending on how VIP operation is designed on FGTs. At least I never tried that.
Toshi
Created on ‎12-02-2024 11:28 AM Edited on ‎12-02-2024 11:29 AM
Or, most unlikely it would work. If the intermediate subnet's route doesn't exist, the first VIP would fail becuase of no route. And if you route the subnet to somewhere else like VDOM-A, the packet would go out to the vdom and won't go through the second VIP.
But you can find it out easily when you configure it then test. You need to run "flow debug" to see the operation inside of the FortiOS.
Toshi
What about rather than making the intervdom link a /30, you make it a /28?
You wouldn't need the additional route entry, because root would know where to send all traffic within the /28. You've got 14 full IPs to play with. You may need to play a little port ping pong depending on what kind of traffic you need to route, but like if you needed to do ports 500 and 4500 for IPSec VPN, port 25 for mail, and ports 80/443 for web traffic, you could do those all on the same IP, without having to dink around with changing any ports. I've done a small test of using a /28 in the intervdom link rather than /30 and it seems to work in my lab.
It wouldn't be a matter either way you choose. As you said, the root vdom doesn't know where to route for 10.10.10.0/24. So the second VIPs need to happen at VDOM-A anyway.
Toshi
In my lab, I've tested doing the VIP to VIP carrying port 80 all the way through, then did VIP from 80 to 79, then VIP from 79 to 80. It worked fine. Now, I'm not sure if I had a bunch of them, like say ports 80-60 and then 60-80, if it would work so well. I don't see why it wouldn't work but the bogus network would work just as well.
User | Count |
---|---|
2677 | |
1412 | |
810 | |
703 | |
455 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.