Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
infrasigrp
New Contributor II

Preserve source ip inter-vdom routing

Hi everyone,

 

TL/DR : How do you preserve the source IP when passing by inter-vdom, for a packet coming from the internet/public IP ?

 

We got a Fortigate 100F which is configured in multi-vdom. The first vdom is managed by our ISP, it has an interface connected directly to it's backbone and a default route pointing to it. They have setup it like that for management purposes. The other vdom (lets name it "our vdom") is kind of our LAN side, serves as an hub for an SDWAN architecture, and has a default route to another third-party firewall which has its own internet interface and handle the IDS/IPS.

 

I need to "progressively" migrate the internet I/Os from the third-party firewall to our vdom on the 100F. For the internet access from our local network, i've created a policy route for specific addresses to go out by the ISP-vdom internet access. 

 

The problem is when i need to access from the internet, on the ISP-vdom public IP, to my LAN which is behind the our vdom. I've created a static route for our LAN subnets to the inter-vdom and appropriate firewall rules, now i got the trafic from internet coming to our vdom. The problem is :

  • if i don't enable sNAT on the inter-vdom firewall rule, the packet is refused with the "reverse path check fail, drop". Because the source IP is public, i cannot create any static or policy routing to return the packet to the inter-vdom.
  • if i enable sNAT, the packet is accepted, but the trafic coming from inter-vdom has the source IP of the inter-vdom interface : so i cannot make any firewall rules. The idea is to concentrate our configuration on our vdom only, and let the ISP-vdom with the fewest config possible

Thanks in advance

Arnaud

 

 

10 REPLIES 10
infrasigrp
New Contributor II

@gfleming Yes, i was thinking about the fact that creating a 2nd default route could have an impact... We manage the Fortigates but they belong to the ISP, i definitely need to involve them to make this change ;). Thanks anyway ! I'll do a little feedback in a couple of days.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors