FortMatt
New Contributor

NAT & Routing Troubles over multiple VDOMs

Hello.

I'm working on putting together a test topology for a private Datacentre and I've run into some troubles with NAT & Routing when passing traffic over an NPU inter-VDOM link.

My design is to have an internal VDOM to handle all local policies and inter-VLAN routing, and an External VDOM to take in the WAN links and handle broad-scope security such as DDoS protection, IDPS, etc.

I have multiple public IP addresses to use and would like to be NATing from the internal VDOM using IP pools and sending this traffic over the NPU link and out to the internet; however, I have not been able to get this working with this design. The only way I've gotten this working so far is by performing the outbound SNAT from the externally facing VDOM, passing private IP traffic over the inter-VDOM link instead of public IP traffic. I'd like to avoid this, as it would involve double-handling IP address objects between VDOMs.

My first hunch was to play around with the static routes / policy routes to get this working, so I've tried adding static routes on the External VDOM to direct return traffic destined for my public IP to the NPU link, which didn't help, but I may be overthinking this.

 

Routing table for internal VDOM:

[screenshot: vivaldi_AObzravc3w.png]

Routing table for External VDOM:

[screenshot: vivaldi_babo52XKtB.png]

Would appreciate any help with how this needs to be configured as I've been looking at it much too closely and may be missing something obvious. I would also appreciate any constructive criticism regarding the design theory with any improvements I could make to efficiency / security.


Cheers,
Matt

3 REPLIES
amrit
Staff
FortMatt
New Contributor

Hi Amritpal,

Thanks for sharing that article. I think that solution would expose the internal VLANs to the external VDOM, which I was hoping to avoid. This would work similarly to the test I mentioned in my post, where private IP traffic was routed over the NPU link and out to the WAN.

amrit
Staff

Could you please clarify how an EMAC VLAN will expose your internal VLANs to the external VDOM?

By creating EMAC VLANs we do not add a VLAN ID; instead we share the same physical port between VDOMs. Each VDOM with an EMAC VLAN has its own MAC address, hence the same public IP subnet can be shared between the VDOMs.

Amritpal Singh
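As an added illustration of the EMAC VLAN layout described in the reply above (this is example configuration written for this page, not Amritpal's, Matt's or Fortinet's own config), the fragment below places an untagged EMAC VLAN sub-interface of the shared WAN port into the Internal VDOM so that both VDOMs hold an address in the same public /24, then draws the Internal VDOM's SNAT IP pool from that subnet. The VDOM names (External, Internal), port1 as the WAN port, the internal VLAN interface name, the 203.0.113.0/24 documentation range and all object names are assumptions; substitute your own.

```fortios
# Assumed for this example: multi-VDOM mode, port1 is the WAN port and belongs
# to the External VDOM, the ISP router is 203.0.113.1, and "vlan10" is an
# existing internal VLAN interface in the Internal VDOM. All names and
# addresses are placeholders, not values taken from the thread.

config global
    config system interface
        # The External VDOM keeps the physical port and its own public address.
        edit "port1"
            set vdom "External"
            set ip 203.0.113.2 255.255.255.0
            set allowaccess ping
        next
        # EMAC VLAN sub-interface of port1 assigned to the Internal VDOM.
        # No 802.1Q tag is added; the sub-interface gets its own MAC address,
        # so the Internal VDOM can answer ARP for addresses in the same /24.
        edit "wan-emac-int"
            set vdom "Internal"
            set type emac-vlan
            set interface "port1"
            set ip 203.0.113.3 255.255.255.0
        next
    end
end

config vdom
    edit "Internal"
        # Public addresses the Internal VDOM will SNAT to. arp-reply (enabled
        # by default) makes this VDOM answer ARP for the pool range on
        # wan-emac-int, so return traffic for the pool lands in this VDOM.
        config firewall ippool
            edit "public-pool"
                set type overload
                set startip 203.0.113.10
                set endip 203.0.113.20
                set arp-reply enable
            next
        end
        # Default route out of the EMAC VLAN sub-interface towards the ISP.
        config router static
            edit 1
                set gateway 203.0.113.1
                set device "wan-emac-int"
            next
        end
        # Outbound policy from the internal VLAN, SNATing to the public pool.
        config firewall policy
            edit 1
                set name "lan-to-wan-snat"
                set srcintf "vlan10"
                set dstintf "wan-emac-int"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
                set ippool enable
                set poolname "public-pool"
            next
        end
    next
end
```

To check the result from the Internal VDOM, `get router info routing-table all` should show the default route via wan-emac-int, and `diagnose sniffer packet port1 'arp' 4` run from the External VDOM's side of the port should show the ISP router's ARP requests for pool addresses being answered with the EMAC VLAN's MAC rather than port1's. Note that with this layout the Internal VDOM's traffic leaves through wan-emac-int directly to the ISP router, so it does not traverse the External VDOM's policies or security profiles; whether that fits the intended design is the point left open in the thread.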