Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mnz160889
New Contributor

Created on ‎06-24-2022 07:10 AM

VRF access to Internet

Hi

 

If you have different LAN sub-interfaces in different VRF's but the same VDOM, what is the best way to provide internet access to them?

 

So port 1 is a trunk with multiple VLANs assigned to VRF's

Port 2 is connected to the ISP router which is in the main VRF 0

 

On some other vendors you can configure a default route within the VRF pointing to the main one, but I don't see that as an option here

 

Can anyone advise please?

 

Thanks

 

Labels:
2512
0 Kudos
2 REPLIES 2
Anonymous
Not applicable

Created on ‎06-26-2022 07:46 PM

Hello @Mnz160889  , 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

   Fortinet Community Team 

2497
0 Kudos
GDiFi
Staff
Staff

Created on ‎06-28-2022 07:46 AM

You would need to setup a vdom-link (even if you are not using vdoms).  For the vdom link you can create vlan sub-interfaces and assign them to the correct VRF.  This document has an overview of how it works:

 

https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/342655/route-leaking-between...

 

You will probably want to allow over-lapping subnets so the vdom links can be in the same subnet similar to this:

 

 By default, it will not be allowed.
 
# config system setting
set allow-subnet-overlap enable
 
# config system interface
    edit "npu0_vlink0"
        set vdom "root"
        set vrf 10
        set ip 172.16.201.1 255.255.255.0
        set allowaccess ping https ssh snmp http
    next
    edit "npu0_vlink1"
        set vdom "root"
        set vrf 20
        set ip 172.16.201.2 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
    next
end

In the end you would have a static route in each VRF that points to a vdom link that is tied into VRF 0 and then the necessary policies to allow the traffic from the vdom link out the WAN connection you have.

 

Hope this helps.

2478
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.