VDOM ROUTING
Hi,
I am working with 2 VDOMs (vdom internet and vdom interno). I created inter-VDOM routing through the inter-VDOM link, and I have a device connected to the internal VDOM.
When I do a packet capture on the device, I see that the source IP of the packet is the IP address of the IVL interface.
Does anyone know why the FortiGate changes the source IP (I AM NOT DOING NAT ON THE POLICY), or where I can find information about this behavior?
Labels: FortiGate
Hello,
- Where are you doing the packet capture? On the external VDOM, on the internal VDOM, or on the device itself?
- Which IVL IP do you see as the source? The IP of the internal VDOM's IVL interface, or the IP of the external VDOM's IVL interface?
1- The packet capture is on my PC, which is connected to the internal VDOM.
2- Between the VDOMs there is a /30. I see the IP of the VDOM link interface of the internal VDOM.
FortiGate doesn't change the source IP unless you use NAT.
The behavior of using the IP of the Inter-VDOM Link (IVL) interface as the source IP during inter-VDOM routing is typically a fundamental design choice in Fortinet FortiGate devices. This behavior is often intentional and aligned with the concept of maintaining separation and control between Virtual Domains (VDOMs) within the same FortiGate device.
If you have a specific use case or requirement where you need to change this behavior, you should be aware that altering the internal workings of inter-VDOM routing may not be directly supported or recommended by Fortinet.
I found this info.
I don't think so. Please share the following from the CLI:
- The vdom-link interface config on both the internet and internal VDOM sides.
- Set up two admin sessions (hopefully SSH, but you can get in via the GUI and then open the command prompt) and get into each VDOM. Then run "diag sniffer packet <vdom-link-internet-vdom-interface>" and "diag sniffer packet <vdom-link-internal-vdom-interface>", one in each session.
Then send some packets from either the LAN side or from the internet side (this wouldn't be possible unless the LAN side has a public subnet).
Then compare those outputs.
Toshi
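The comparison step above is easy to do by eye for a handful of packets but tedious for a real capture. The script below is an added example, not code from this thread or from Fortinet: it parses two `diag sniffer packet` outputs (one taken on each VDOM's side of the inter-VDOM link), pairs each packet leaving the internal side with the packet arriving on the internet side by destination address and port, and reports per flow whether the source IP survived the hop or was rewritten. It assumes the verbosity-4 line layout `<timestamp> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <details>`; the interface names `vlink0`/`vlink1`, the addresses, and the two captures are constructed sample data, with the second flow deliberately showing a rewritten source so the "NAT happened here" path is exercised.

```python
import re
from dataclasses import dataclass

# One verbosity-4 sniffer line: "<ts> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <rest>"
# (format assumed from FortiGate sniffer output; header lines are skipped).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

# Constructed sample captures (not real device output). Interface names and
# addresses are placeholders; 10.255.255.0/30 stands in for the /30 on the link.
INTERNAL_SIDE = """interfaces=[vlink0]
filters=[host 192.0.2.10]
1.000100 vlink0 out 192.0.2.10.51000 -> 203.0.113.5.443: syn 1000
1.000200 vlink0 out 192.0.2.10.51001 -> 203.0.113.6.80: syn 1001
"""
INTERNET_SIDE = """interfaces=[vlink1]
filters=[host 203.0.113.5 or host 203.0.113.6]
1.000150 vlink1 in 192.0.2.10.51000 -> 203.0.113.5.443: syn 1000
1.000250 vlink1 in 10.255.255.1.51001 -> 203.0.113.6.80: syn 1001
"""


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_sniffer(text):
    """Turn raw sniffer output into Packet records, ignoring non-packet lines."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "interfaces=[...]", "filters=[...]", blank lines, etc.
        pkts.append(Packet(m["iface"], m["dir"], m["src"], int(m["sport"]),
                           m["dst"], int(m["dport"])))
    return pkts


def compare_sides(internal_pkts, internet_pkts):
    """Pair each packet leaving the internal VDOM's link interface with the
    packet arriving on the internet VDOM's link interface for the same
    (dst, dport), in capture order, and say whether the source was kept."""
    arriving = {}
    for p in internet_pkts:
        if p.direction == "in":
            arriving.setdefault((p.dst, p.dport), []).append(p)

    findings = []  # (packet_before_hop, packet_after_hop_or_None, verdict)
    for p in internal_pkts:
        if p.direction != "out":
            continue
        peers = arriving.get((p.dst, p.dport), [])
        if not peers:
            findings.append((p, None, "no matching packet seen on the other side"))
            continue
        q = peers.pop(0)
        if q.src == p.src:
            findings.append((p, q, "source preserved across the link (no NAT)"))
        else:
            findings.append((p, q, f"source rewritten {p.src} -> {q.src} "
                                   "(NAT on the egress policy or a hidden rule)"))
    return findings


def analyze(internal_text=INTERNAL_SIDE, internet_text=INTERNET_SIDE):
    """Run the comparison and print one verdict per flow; returns the findings."""
    findings = compare_sides(parse_sniffer(internal_text), parse_sniffer(internet_text))
    for before, _after, verdict in findings:
        print(f"{before.src}:{before.sport} -> {before.dst}:{before.dport}: {verdict}")
    return findings


if __name__ == "__main__":
    analyze()
```

Feed it the two real captures (one file per VDOM session) in place of the constructed strings. A flow that shows "source rewritten" with the new source equal to the link's /30 address localises the rewrite to the policy between the two VDOMs, which is the place to look for NAT being enabled after all; a flow reported as "source preserved" rules the inter-VDOM link out and points at the path beyond it.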