We need to configure Vdom for our project. but we have only one isp provider.ISP given /30 and /29 ip address. we configured /30 ip with fortigate firewall wan interface and created vlan1 in cisco switch and its worked fine. for vdom wan interface, we need to use this /29 ip address so I create one interface with this ISP /29 Ip address and configured as lan and connect this with cisco switch as vlan 2 and created the policy from vlan2 to wan(/30 ip address) and disabled the NAT and its worked fine. and from another vlan2 interface in switch connected to FortiGate firewall I configured as wan ip address with this /29 ip address and create a separate lan interface Vlan3 for the vdom and created a policy for this and its worked.
but in vdom wan ip address /29 ip address, we cant able to access this interface ip address from remote and ssl and ip sec vpn is also not connecting from rem ote network. but sslvpn can connect when the the laptop is in vlan3 segment. i need to know whether this configuration is wrong if yes, then how i can use /29 Ip address with vdom wan interface and need to access ssl vpn with this vdom network.
Solved! Go to Solution.
Created on 06-11-2024 11:35 PM Edited on 06-11-2024 11:35 PM
If you NAT just like in my diagram, only static routes you would need is default route at root vdom and test vdom to the other side of the interfaces.
Again, test with ping&traceroute&sniffer and find where the breaking point is. It doesn't take a rocket scientist to figure it out yourself.
It wouldn't affect to ping out but at the root vdom you need to have another policy for out-to-in direction without NAT. Otherwise, nobody on the internet can reach the test vdom interface IP.
Toshi
As I said before, did you crate a policy at root vdom from physical wan interface to npu_vlink0? Otherwise nobody can reach/ping npu_vlink1 IP from the internet.
You would see it's coming in from wan interface but never hit npu_vlink0 when you sniff like "diag sniffer packet any 'icmp and host npu_vlink1_IP' 4 0 l (last letter is lower case 'L')".
Toshi
Unless those two /30 and /29 subnets are assigned to two different physical (or logical like different VLANs on the same circuit) circuits by the ISP, the traffic to any IP to the /29 IPs are routed through the /30 interface IP. And the ISP expects the traffic from the /29 IPs are coming over the /30 interface IP. This means to route trafffc into/out of a new VDOM, you have to use either vdom-link or npu-vlink. Unless your FGT is old entry class modesl, like 30E, 50E, your FGT should have at least one NPU built-in. So no reason to use vdom-link (npu-vlink is much faster).
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Difference-and-understanding-between-NPU-V...
You can create as many links as you want as VLAN subinterfaces on top of npu0_vdom0/1 interface.
You should draw a diagram like below, which I drew for another post in this forum some time ago.
In my diagram, you can terminate SSL VPN at both 1.1.2.1 and 1.1.2.3 for two client VDOMs.
And obviously you need to split the /29 to multiple /31s for the npu_vlink.
Toshi
Created on 06-11-2024 06:54 AM Edited on 06-11-2024 06:55 AM
Hi Thanks for your variable support. sorry to disturb you again. as per your post. i have created new vdom interface under global - vdom and create a vdom named as Test. and in the global network interface, in the NPUVDOM link. under the npu_vlink0( Test npu0) I created an interface and created vlanid4 and in virtual domain I pointed to root and in the address mode I assign the ip address to 1.2.2.4/31 and enabled the status. same in npu_vlink1(test npu1) I created vlanid4 and in virtual domain I pointed to the created vdom ie Test.and assigned the IP address 1.2.2.5/31. and in vdom network I created a lan interface in port No 5 and assigned the ip address 10.1.0.10/24.
and I created a policy in the vdom test. for incoming port is port No 5 to outgoing port to the created npu_vlink1(test npu1) and I allowed all to source and destination and enabled nat.
and same I created the policy in root, incoming port is npu_vlink0( Test Npu0) to wan ip address( which is /30 ip address) and I allowed all for source and destination and enabled Nat.
now I created static route in vdom test by pointing the gateway to 1.2.2.4 and interface as (Testnpu1).
but when I connect the laptop in vlan 4 segment internet is not working. can you guide me.
ISP provided IP 1.2.2.4/29.and 1.2.3.0/30
I have spitted /29 Ip in to 1.2.2.4/31 and 1.2.2.5/31
What do you mean by "I connect the laptop in vlan 4 segment internet"?
The VLAN id 4 is for npu-vlink between the VDOMs. Not for the internet to a device connected to a physical port.
But first 1.2.2.4 is not the subnet IP of the /29. It's supporsed to be 1.2.2.0/29. Are you sure about that?
You need to use ping/traceroute(tracert for windows) and "diag sniffer packet" at each interface on the path to find out how far it's getting to and where it breaks, then look for why.
Toshi
hi Toshi, sorry its not an vlan 4 segment. i means the device which we connect in vdom Lan segment is not getting connected with internet. and i mention 1.2.2.4/29 its for example.
do i need to add any static route for this npu_link0 in the root? i have configured static route in vdom and configured the interface to Testnpu1 and default gate way to Testnpu0 ip address (1.2.2.4).
Created on 06-11-2024 11:35 PM Edited on 06-11-2024 11:35 PM
If you NAT just like in my diagram, only static routes you would need is default route at root vdom and test vdom to the other side of the interfaces.
Again, test with ping&traceroute&sniffer and find where the breaking point is. It doesn't take a rocket scientist to figure it out yourself.
It wouldn't affect to ping out but at the root vdom you need to have another policy for out-to-in direction without NAT. Otherwise, nobody on the internet can reach the test vdom interface IP.
Toshi
Hi Toshi,
Thanks for your support. the vdom root policy is not updated properly. After recreating it now i can able to access internet. thank you so much
Hi Toshi,
Now i can able to access internet with this configuration. but remote access ipsec vpn is not working. i configured ipsec vpn in testvdom. in the policy i created incoming port from the create vpn and out going interface to npu_vlink1. but its not working. and the npu_vlink1 ip address is also cant able access from remote newtork. ipsec vpn can connect only in the lan network. but in remote network is not getting connected.
As I said before, did you crate a policy at root vdom from physical wan interface to npu_vlink0? Otherwise nobody can reach/ping npu_vlink1 IP from the internet.
You would see it's coming in from wan interface but never hit npu_vlink0 when you sniff like "diag sniffer packet any 'icmp and host npu_vlink1_IP' 4 0 l (last letter is lower case 'L')".
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.