
VRF access to Internet



If you have different LAN sub-interfaces in different VRFs but the same VDOM, what is the best way to provide internet access to them?


So port 1 is a trunk with multiple VLANs assigned to VRFs.

Port 2 is connected to the ISP router, which is in the main VRF 0.


On some other vendors you can configure a default route within the VRF pointing to the main one, but I don't see that as an option here.


Can anyone advise please?




Hello @Mnz160889,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 



   Fortinet Community Team 


You would need to set up a vdom-link (even if you are not using vdoms). For the vdom link you can create VLAN sub-interfaces and assign them to the correct VRF. This document has an overview of how it works:


You will probably want to allow overlapping subnets so the vdom links can be in the same subnet, similar to this:


By default, it will not be allowed.

config system setting
    set allow-subnet-overlap enable
end
config system interface
    edit "npu0_vlink0"
        set vdom "root"
        set vrf 10
        set ip
        set allowaccess ping https ssh snmp http
    next
    edit "npu0_vlink1"
        set vdom "root"
        set vrf 20
        set ip
        set allowaccess ping https ssh snmp http telnet
    next
end

In the end you would have a static route in each VRF that points to a vdom link that is tied into VRF 0 and then the necessary policies to allow the traffic from the vdom link out the WAN connection you have.


Hope this helps.
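
The following is an added example, not part of the reply above and not Fortinet tooling: a small Python check that parses a `config system interface` stanza like the one posted, reports which VRF each interface sits in, and flags `http` and `telnet` in `allowaccess`, since both carry management logins in cleartext. The function names and the sample text are constructed for illustration; an interface with no `set vrf` line is assumed to be in VRF 0.

```python
import shlex

CLEARTEXT = {"http", "telnet"}  # management protocols that send logins unencrypted

# Constructed sample: the interface stanza from the post, closed with next/end.
SAMPLE = '''
config system interface
    edit "npu0_vlink0"
        set vdom "root"
        set vrf 10
        set allowaccess ping https ssh snmp http
    next
    edit "npu0_vlink1"
        set vdom "root"
        set vrf 20
        set allowaccess ping https ssh snmp http telnet
    next
end
'''

def parse_interfaces(text):
    """Return {interface name: {setting: [values]}} from a 'config system interface' block."""
    interfaces, current, in_block = {}, None, False
    for raw in text.splitlines():
        tokens = shlex.split(raw.lstrip("# \t"))  # tolerate a leading CLI prompt '#'
        if not tokens:
            continue
        if tokens[:3] == ["config", "system", "interface"]:
            in_block = True
        elif not in_block:
            continue
        elif tokens[0] == "edit" and len(tokens) > 1:
            current = interfaces.setdefault(tokens[1], {})
        elif tokens[0] == "set" and current is not None and len(tokens) > 1:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "end":
            in_block = False
    return interfaces

def audit(text):
    """Return (name, vrf, cleartext protocols) per interface; VRF 0 assumed when unset."""
    findings = []
    for name, cfg in parse_interfaces(text).items():
        vrf = int(cfg.get("vrf", ["0"])[0])
        weak = sorted(CLEARTEXT & set(cfg.get("allowaccess", [])))
        findings.append((name, vrf, weak))
    return findings
```

Calling `audit(SAMPLE)` returns one tuple per interface; any non-empty third element is a link interface where `allowaccess` should be trimmed to the encrypted protocols actually needed.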

