jr14
New Contributor III

VDOM ROUTING

Hi
I am working with 2 VDOMs (vdom internet and vdom interno). I created inter-VDOM routing through the inter-VDOM link, and I have a device connected to the internal VDOM.
When I do a packet capture on the device, I see that the source IP of the packet is the IP address of the IVL interface.
Does anyone know why FortiGate changes the source IP (I AM NOT DOING NAT ON THE POLICY), or where can I find information about this behavior?

AEK
SuperUser

Hello

  • Where are you doing packet capture? on the external VDOM? on the internal VDOM? or on the device itself?
  • Which IVL's IP do you see as source? the IP of internal VDOM's IVL interface? or the IP of external VDOM's IVL interface?
AEK
jr14
New Contributor III

1- The packet capture is on my PC connected to the internal VDOM.

2- Between the VDOMs there is a /30. I see the IP of the VDOM link interface of the internal VDOM.

AEK
SuperUser

FortiGate doesn't change the source IP unless you use NAT.

AEK
jr14
New Contributor III

The behavior of using the IP of the Inter-VDOM Link (IVL) interface as the source IP during inter-VDOM routing is typically a fundamental design choice in Fortinet FortiGate devices. This behavior is often intentional and aligned with the concept of maintaining separation and control between Virtual Domains (VDOMs) within the same FortiGate device.

If you have a specific use case or requirement where you need to change this behavior, you should be aware that altering the internal workings of inter-VDOM routing may not be directly supported or recommended by Fortinet.

I found this info.

Toshi_Esumi
SuperUser

I don't think so. Please share the below from the CLI:
- vdom-link interface config on both the internet and internal VDOM sides.

- Set up two admin sessions (hopefully SSH, but you can get in via the GUI and then open a command prompt) and get into each VDOM. Then run "diag sniffer packet <vdom-link-internet-vdom-interface>" and "diag sniffer packet <vdom-link-internal-vdom-interface>" in each session.
Then send some packets from either the LAN side or from the internet side (? This wouldn't be possible unless the LAN side has a public subnet).
Then compare those outputs.


Toshi
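The comparison Toshi describes, done for you once both sniffer outputs are saved to text, as an added example that is not part of the original thread. It parses verbosity-4 style "diag sniffer packet" lines and reports destinations whose source IP differs between the two ends of the IVL; the interface names (ivl0/ivl1), the 10.255.255.0/30 link address and all packet lines are constructed sample data.

```python
import re
from collections import defaultdict

# One verbosity-4 style line: "<ts> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: <proto...>"
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

# Constructed sample captures (not real output). ivl1 = internal VDOM's link end,
# ivl0 = internet VDOM's link end; 10.255.255.2 stands in for an IVL /30 address.
INTERNAL_VDOM_IVL = """\
0.101 ivl1 out 192.168.10.20.51000 -> 203.0.113.5.443: syn 1000
0.102 ivl1 out 192.168.10.20.51001 -> 198.51.100.7.80: syn 2000
"""
INTERNET_VDOM_IVL = """\
0.101 ivl0 in 192.168.10.20.51000 -> 203.0.113.5.443: syn 1000
0.102 ivl0 in 10.255.255.2.51001 -> 198.51.100.7.80: syn 2000
"""


def parse_sniffer(text):
    """Return (src, sport, dst, dport) tuples; header and non-packet lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows


def sources_by_destination(flows):
    """Map (dst, dport) -> set of source IPs seen going to that destination."""
    seen = defaultdict(set)
    for src, _sport, dst, dport in flows:
        seen[(dst, dport)].add(src)
    return seen


def find_rewritten_sources(internal_text, internet_text):
    """Destinations whose source IP differs between the two IVL ends.
    An empty result means the source address crossed the link unchanged (no NAT)."""
    a = sources_by_destination(parse_sniffer(internal_text))
    b = sources_by_destination(parse_sniffer(internet_text))
    return {key: (sorted(a[key]), sorted(b[key]))
            for key in a.keys() & b.keys() if a[key] != b[key]}


if __name__ == "__main__":
    for (dst, dport), (before, after) in find_rewritten_sources(
            INTERNAL_VDOM_IVL, INTERNET_VDOM_IVL).items():
        print(f"{dst}:{dport}: source {before} on ivl1 became {after} on ivl0")
```

In the sample only the flow to 198.51.100.7:80 is reported, which is what a NAT-enabled policy on the link looks like; the 203.0.113.5 flow crosses unchanged.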
