Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
leif
New Contributor II

Created on ‎12-08-2014 07:02 AM

VDOM connecctivity issue

I've got the following setup that I want to accomplish:

 

I've managed to successfully setup this if I use physical (port1, port2 etc) and assign them to the different vdoms, but I'm trying to set this up so that the Wan for the VDOM NAT and the WAN for the ROOT VDOM are software solved and doesn't use the physical ports. I've tried to setup Inter VDom-connections between the transparent vdom and ex the Root vdom, but feel that I lack the virtual wan interface of the root vdom to connecto to the virtual inter-vdom connection between the vdoms.

 

What am I missing / how do one connect example root vdom to the transparent vdom (that has the internet wan-connection) without physical connections except the wan1 for the transparent vdom to the cisco router, and the lan side of the root vdom?

 

To make it simple my "internet connection" is a 10.10.10.90/24 with 10.10.90.1 as gateway (cisco router).

 

Root vdom: 192.168.1.0/24 192.168.1.99 as gateway with NAT

 

VDOM NAT:

vlan 7 192.168.7.0/24 - 192.168.7.1 GW

vlan 20 192.168.20.0/24 - 192.168.20.1 GW

 

 Firewall: Fortigate 100D with 5.2.1 (if I remember Correct - the newest software-edition)

 

 

Preview file
39 KB
7777
0 Kudos
5 REPLIES 5
MVIOX
New Contributor

Created on ‎12-08-2014 07:50 AM

For the most part, I believe you have it. What you are not fully realising (and if I am correct) is that different VDOMs are completely different environments. That being said, one VDOM cannot speak to another without physically being connected.

IE:

VDOM (default) has WAN1 > Port 1, 2

VDOM2 has WAN2 > Port 3, 4

VDOM3 has DMZ (WAN3) > Port 5, 6...

To gain connectivity, a separate physical connection must be given to each of the 3 WAN interfaces. This is not the same as creating VLANs and trunks. You are most likely going to have to add a switch between your router and FW.

 

You may correct me if I am wrong 

2406
0 Kudos
leif
New Contributor II

Created on ‎12-08-2014 07:56 AM

The way I've understood it is that a VDOM is a isolated firewall. Given that I've got three VDOMs, I've got tree firewalls that each need its own interfaces. In the easy example that is one wan interface and one lan interface.

 

To connect one VDOM(firewall) to another one setup the Inter-vdom. What I don't understand is how do I define a interface or a switch to the end of the inter-vdom so I have a wan-interface that get the DHCP from the Cisco router.

 

Edit: Forgot to thank for the replay! Thats great :D

2406
0 Kudos
MVIOX
New Contributor
In response to leif

Created on ‎12-08-2014 08:04 AM

Sorry about the misunderstanding, Have you tried this reference?

http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/inter-VDOM.180....

It is part of a inter-vdom example.

 

leif wrote:

The way I've understood it is that a VDOM is a isolated firewall. Given that I've got three VDOMs, I've got tree firewalls that each need its own interfaces. In the easy example that is one wan interface and one lan interface.

 

To connect one VDOM(firewall) to another one setup the Inter-vdom. What I don't understand is how do I define a interface or a switch to the end of the inter-vdom so I have a wan-interface that get the DHCP from the Cisco router.

 

Edit: Forgot to thank for the replay! Thats great :D

2406
0 Kudos
leif
New Contributor II
In response to leif

Created on ‎12-08-2014 08:07 AM

Yes, have read it. Thats why I was posting here... :)

2406
0 Kudos
emnoc
Esteemed Contributor III

Created on ‎12-08-2014 11:45 AM

That being said, one VDOM cannot speak to another without physically being connected. IE: VDOM (default) has WAN1 > Port 1, 2 VDOM2 has WAN2 > Port 3, 4 VDOM3 has DMZ (WAN3) > Port 5, 6... To gain connectivity, a separate physical connection must be given to each of the 3 WAN interfaces. This is not the same as creating VLANs and trunks. You are most likely going to have to add a switch between your router and FW.

 

Not 100% correct. You can use vdom-links beween routed and transparent vdoms which are vritual interfaces.

 

Op check out my  blog post;

 

http://socpuppet.blogspot.com/2014/09/a-meshed-vdom-transparent-using-inter.html

 

Now I'm scratching my heads as you have a transparent vdom  ( 1 ) and want links to 2  route-vdoms? I never seen or done this in the past, but have you tried to set 2 vdom-links to the 2 routed-nat vdoms?

 

Typically in a transparent vdom is one outside + inside interfaces ( 2 interfaces total ). I never seen a transparent firewall with 2 internals nor how would you write fwpolicies to achieve filtering? Could you re-design the topology and place the routed-nat vdom at the top of the stack/mesh?

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
2406
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.