Support Forum
Not applicable

VDOM internet access

Hello guys, hope you can help me. I use a Fortigate 110C with FortiOS 4.03. I try to get internet access on my "Internal" VDOM. When I log in to the CLI I can ping, for example, www.google.com from the root VDOM. When I try to ping from the Internal VDOM it resolves the hostname but I can't ping the host. This is my conf:

config system interface
    edit "InternalLin0"
        set vdom "Intern"
        set ip 10.0.1.1 255.255.255.0
        set allowaccess ping https ssh telnet
        set type vdom-link
    next
    edit "InternalLin1"
        set vdom "root"
        set ip 10.0.1.1 255.255.255.0
        set allowaccess ping https ssh telnet
        set type vdom-link
    next
    edit "port5"
        set vdom "Intern"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping https ssh snmp telnet
        set type physical
        set alias "internal"
    next
    edit "port6"
        set vdom "Intern"
        set type physical
        set alias "internal"
    next
    edit "port7"
        set vdom "Intern"
        set type physical
        set alias "internal"
    next
    edit "port8"
        set vdom "Intern"
        set type physical
        set alias "internal"
    next
end

config firewall address
    edit "all"
    next
    edit "Internal_local"
        set associated-interface "INTERNAL"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "InternalManagement"
        set associated-interface "InternalLin0"
        set subnet 10.0.1.0 255.255.255.255
    next
end

-----------------------------

FG100C3G09602495 (root) # show system interface InternalLin0
config system interface
    edit "InternalLin0"
        set vdom "Intern"
        set ip 10.0.1.1 255.255.255.0
        set allowaccess ping https ssh telnet
        set type vdom-link
    next
end

FG100C3G09602495 (root) # show system interface InternalLin1
config system interface
    edit "InternalLin1"
        set vdom "root"
        set ip 10.0.1.1 255.255.255.0
        set allowaccess ping https ssh telnet
        set type vdom-link
    next
end

config firewall address
    edit "all"
    next
    edit "InternalManagement"
        set associated-interface "InternalLin1"
        set subnet 10.0.1.0 255.255.255.255
    next
end

config firewall policy
    edit 2
        set srcintf "InternalLin1"
        set dstintf "wan1"
        set srcaddr "InternalManagement"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

Hope you can help me out. Kind Regards
9 REPLIES
ede_pfau
SuperUser

Hi, welcome to the forums. I think InternalLin0 and InternalLin1 shouldn't have the same IP (oops). Otherwise, return traffic will not be delivered to the originating interface.
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

Hi Ede, thanks for the reply. I thought of that but I did exactly what was written in the vdom howto.pdf (http://docs.forticare.com/fgt/techdocs/fortigate-vlans-vdoms.pdf). I changed the IP of InternalLin1 to 10.0.1.2 but it didn't help. Hope you can help me out.
ede_pfau
SuperUser

Sorry, my fault. Two things: only if you want to route traffic BETWEEN the VDOMs do you need different IPs. Actually you didn't mention that you wanted to do that, so no point here. Second: there is no policy for InternalLin0 to wan1, so there is no traffic going out:

config firewall policy
    edit 2
        set srcintf "InternalLin0"
        set dstintf "wan1"
        set srcaddr "all"    (* or whatever *)
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next

What about the default route for VDOM "Intern"? Set?
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

I made a policy for that, see the last policy in my conf:

config firewall policy
    edit 2
        set srcintf "InternalLin1"
        set dstintf "wan1"
        set srcaddr "InternalManagement"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next

I had configured the default route for VDOM Intern but I deleted it because I didn't find it in the manual. What IP must I configure as default route?
ede_pfau
SuperUser

Nope, I mean a policy for InternalLin0 (ZERO) to wan1! Use any index other than 2 (edit 3)... Re. default gw: I've got no idea what your next hop router is. What is the root default route then? Make one similar to it.
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

Ede, thanks for your reply. When I want to add the policy I get this:

FG100C3G09602495 (vdom) # edit root
current vf=root:0
FG100C3G09602495 (root) # config firewall policy
FG100C3G09602495 (policy) # edit 3
new entry '3' added
FG100C3G09602495 (3) # set srcintf InternalLin0
node_check_object fail! for srcintf InternalLin0
value parse error before 'InternalLin0'
Command fail. Return code -651

I add 10.0.1.1, 10.0.1.2 and the route I use in the root VDOM but no luck.
ede_pfau
SuperUser

Keep steady. InternalLin0 belongs to and exists only in VDOM Internal. Not root.
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

Hi Ede, this is the policy I've got now in the Internal VDOM:

config firewall policy
    edit 1
        set srcintf "INTERNAL"
        set dstintf "InternalLin0"
        set srcaddr "Internal_local"
        set dstaddr "InternalManagement"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
ede_pfau
SuperUser

Fine. And what? You started this thread because you couldn't ping to the internet from VDOM Internal. How does this policy affect your goal?? Frankly, you're wasting time.
Ede Kernel panic: Aiee, killing interrupt handler!
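Pulling the thread together, here is an added example (not from the poster, Ede or Fortinet's documentation) of one consistent layout: VDOM Intern gets a default route across the link, and the root-side policy names InternalLin1, because InternalLin0 exists only in Intern, which is what the "Return code -651" error is saying. It assumes the link ends are addressed 10.0.1.1 (Intern) and 10.0.1.2 (root) as the poster tried, that the LAN interface in Intern is "INTERNAL" as in the poster's policy, and that root keeps its already working default route via wan1; the poster's InternalManagement object uses a 255.255.255.255 mask, which matches only the single host 10.0.1.0, so "all" is used instead, as Ede suggested.

```text
config vdom
    edit Intern
        config router static
            # default route for Intern: everything not local goes to the root end of the link
            edit 1
                set gateway 10.0.1.2
                set device "InternalLin0"
            next
        end
        config firewall policy
            # LAN hosts out across the link; dstaddr must cover internet hosts, so "all"
            edit 1
                set srcintf "INTERNAL"
                set dstintf "InternalLin0"
                set srcaddr "Internal_local"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ANY"
            next
        end
    next
end
config vdom
    edit root
        config firewall policy
            # root only knows InternalLin1; naming InternalLin0 here is the -651 error above
            edit 3
                set srcintf "InternalLin1"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ANY"
                # source NAT to wan1 so replies for 192.168.10.0/24 come back through root
                set nat enable
            next
        end
    next
end
```

With this in place, a ping from a 192.168.10.0/24 host should traverse Intern policy 1, cross the link, match root policy 3 and leave wan1 NATed; "diagnose sniffer packet" on InternalLin1 in root is the quickest place to confirm the packets actually arrive there.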