Hello.
I'm working on putting together a test topology for a private Datacentre and I've run into some troubles with NAT & Routing when passing traffic over an NPU Inter-VDOM link.
My design is to have an internal VDOM to handle all local policies and inter-VLAN routing, and an External VDOM to take in the WAN links and handle broad-scope security such as DDoS protection, IDPS, etc.
I have multiple Public IP addresses to use and would like to be NATing from the internal VDOM using IP Pools and sending this traffic over the NPU and out to the internet; however, I have not been able to get this working with this design. The only way I've gotten this working so far is by performing the outbound SNAT from the externally facing VDOM by passing private IP traffic over the inter-VDOM link instead of Public IP traffic. I'd like to avoid this, as it would include double-handling IP address objects between VDOMs.
My first hunch was to play around with the static routes / policy routes to get this working, so I've tried adding static routes on the External VDOM to direct return traffic destined for my Public IP to the NPU link, which didn't help, but I may be overthinking this.
Routing table for internal VDOM:
Routing table for External VDOM:
Would appreciate any help with how this needs to be configured as I've been looking at it much too closely and may be missing something obvious. I would also appreciate any constructive criticism regarding the design theory with any improvements I could make to efficiency / security.
Cheers,
Matt
Check if your FortiGate supports EMAC VLANs; then you can implement this by using the following article: https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/212317/enhanced-mac-vlans
Hi Amritpal,
Thanks for sharing that article. I think that solution would expose the internal VLANs to the external VDOM which I was hoping to avoid. This would work similarly to the test I mentioned in my post where private IP traffic was routed over the NPU link and out to the WAN.
Could you please clarify how an EMAC VLAN will expose your internal VLANs to the external VDOM?
By creating EMAC VLANs we do not add a VLAN ID; instead we share the same physical port between VDOMs. So each VDOM with an EMAC VLAN has its own MAC address, hence the same public IP subnet can be shared between the VDOMs.
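To make the EMAC VLAN suggestion concrete, here is an added FortiOS CLI example (not configuration from either poster or from the linked article). It assumes a multi-VDOM unit with VDOMs named "External" and "Internal", a WAN-facing physical port "port1", an upstream gateway at 203.0.113.1, and public addresses in the 203.0.113.0/24 documentation range; all of these names and addresses are placeholders. Each VDOM gets its own EMAC VLAN sub-interface on the same port, so the Internal VDOM can SNAT from its own IP pool directly onto the public subnet without any inter-VDOM link or return route in the External VDOM.

```fortios
# Added example, not from the thread. Interface, VDOM, address and
# policy names are assumptions; 203.0.113.0/24 is a placeholder range.
config global
    config system interface
        edit "wan-ext"
            set vdom "External"
            set type emac-vlan
            set interface "port1"
            set ip 203.0.113.2 255.255.255.0
        next
        edit "wan-int"
            set vdom "Internal"
            set type emac-vlan
            set interface "port1"
            set ip 203.0.113.3 255.255.255.0
        next
    end
end

# Internal VDOM: default route out of its own EMAC VLAN, a pool of the
# public address(es) it owns, and an outbound policy that SNATs to the pool.
# "lan" is the assumed internal-facing interface in this VDOM.
config vdom
    edit "Internal"
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set gateway 203.0.113.1
                set device "wan-int"
            next
        end
        config firewall ippool
            edit "public-pool"
                set type overload
                set startip 203.0.113.3
                set endip 203.0.113.3
            next
        end
        config firewall policy
            edit 1
                set name "lan-to-internet"
                set srcintf "lan"
                set dstintf "wan-int"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
                set ippool enable
                set poolname "public-pool"
            next
        end
    next
end
```

One design caveat follows directly from how the reply describes EMAC VLANs: because the Internal VDOM now has its own L2 presence on the WAN port, its traffic egresses through "wan-int" and never passes the External VDOM's policies, so any DDoS or IPS inspection intended to live in the External VDOM has to be applied in the Internal VDOM's own outbound policy instead. Internal VLAN interfaces themselves remain bound to the Internal VDOM; only the public-subnet sub-interface is shared across the port.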