Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Gordan_Grgurina
New Contributor

VDOM adding i routing

Hi, need help about VDOM configuration (NAT). I have configured FG 100D with several networks and now i need to add new network in the same range as network already configured on FG. As I see it, new VDOOM is only solution. Createing new VDOM in not a problem but configuring second VDOM to access the internet on WAN1 port which is already in root VDOM. If I want to access internet from VDOM2 that would mean that destination, or interface #1 in VDOM link, are all the networks on root VDOM (0.0.0.0/0.0.0.0). I don't want "network 4" access any of that networks, just the internet, but i want to access "network 4" from "network 2" (they don't have the same IP range).

 

 

I want set all the changes without interrupting networks 1, 2 and 3 in their work if possible. If the best practice is createing Management root VDOM and move networks 1, 2, 3 in VDOM1 or VDOM3, so be it, but rather not.

http://help.fortinet.com/fos50hlp/52data/index.htm#FortiOS/fortigate-virtual-domains-52/inter-VDOM.h...

 

2 REPLIES 2
Jack_Gerbs
New Contributor

There are several ways this could be accomplished.  The easiest would be to install a new switch and attach it directly to the Internet.  Each VDOM has a LAN and WAN port.  The LAN ports can be on the same IP range.  Each VDOM will use NAT on the WAN interface to surf.  Each WAN interface will be connected to the new switch and will have separate external addresses.  Think of each VDOM as a separate Fortigate.  Is network 4 and network 2 on the same IP address range.  If they are then you will have to use the WAN ports to route traffic between them.  If they are not, add a 3rd port to each VDOM with one port in network 4 and the other in network 2 and simply route between the two networks.  If you want to save ports you could use inter-vdom links which are virtual connections (interfaces). 

    Jack

CISSP, FCNSP 4.0
CISSP, FCNSP 4.0
echo

I want to achieve the same thing and with as little NAT as possible. Unfortunately, so far I can get access from one vdom to internet through the root vdom only when using double NAT. (I had to number the vdom link interfaces with some random intermediate /30 network; without this, I didn't get internet access from inside out.) Port forward from internet (connected to root vdom) to a separate vdom -- also double NAT. Now I will test ipsec tunnel that has been configured to root vdom, how can that separate vdom access that tunnel, with or without NAT. If that needs also NAT, it is almost useless in our case. The workaround with more physical ports does not sound reasonable. I am not sure if I should use that separate vdom in transparent mode, I think then it won't work at all for internet access in different directions. I wonder if I would want to use IPv6 in that separate vdom, do I really have to use NAT also there? But this is not my priority at the moment. (I have a test 60D router wiht FortiOS v5.4.0 on my table which I use for testing.)

 

Edit: After finding this post https://forum.fortinet.com/tm.aspx?m=125276 and link http://socpuppet.blogspot.com/2014/09/a-stacked-vdom-concept-with-fortigate.html in it, that helped me to get "stacked" vdoms working without above-mentioned double NAT! Also ipsec tunnel from root vdom was accessible without NAT which is good.

 

Edit: It turned out that after I removed IP-addresses from intervdom-link interfaces and also in routing tables I used only devices, I mean for IP-addresses of gateways I used 0.0.0.0, it still kept working, even after restarting of the router and the test-computer behind it in the separate new vdom. So portforward from internet & root-vdom to client-vdom worked, connectivity from client-vdom to internet (through root-vdom) and to the other side of ipsec tunnel (which was made in root-vdom) all worked.

Top Kudoed Authors