Ajt69
New Contributor II

Inter-VDOM from NAT VDOM to TP VDOM

Hello,

I'm a new user in the FortiGate world :) with an FG-51E.

I read some tutorials to learn how it works, and I'm stuck with routing between VDOMs.

It won't work :'(

I'm French, and my ISP is named Free.

To be able to watch TV with their player, it has to get an IPv6 address by SLAAC without DHCPv6. Unfortunately, I don't know how to do that with FortiGate. (It's not the subject, but if someone can help me on this point, I will be very happy.)

So I created a root VDOM in transparent mode, with member interfaces wan1 and port1. My TV player works without problem.

Now, I created another "test" VDOM in NAT mode, for testing / homelab. The member interfaces are the other ports.

I wish to link this NAT VDOM with the root transparent VDOM, and... no way to make it work :'(

I'm missing something, but I don't know what.

I relied on these links for help:

http://socpuppet.blogspot.com/2014/09/a-meshed-vdom-transparent-using-inter.html

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Connect-2-Transparent-VDOMs-with-NAT-VDOM-...

https://www.fortinetguru.com/2017/01/configuring-vdom-links/

None of them helped me.

I also tested these tips, and it works, but it is not what I wish to do:

https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/335646/inter-vdom-routing-co...

Could anyone help me to make it work, please?

Thank you very much!

1 Solution
DPadula

Default route on HomeLAN is wrong: the gateway should not be 0.0.0.0 but the ISP router IP address (192.168.0.254).

[attachment: Aj69_C.png]

The right command is 'diagnose sniffer packet any "host 192.168.0.254 and icmp" 4 0', my bad.

Can you ping Google after you changed the gateway IP address on the static route?

DPadula
Staff

Hi Ajt69,


There is this forum topic where someone has asked about inter-VDOM links. Have a look at it:

https://community.fortinet.com/t5/Support-Forum/VDOM-setup-or-FortiManager-setup/m-p/354911/highligh...

I hope it helps.

dingjerry_FTNT

Hi @Ajt69 ,

Without sharing your configurations, we can't assist you.

Regards,

Jerry
Ajt69
New Contributor II

Well seen :)

Thank you for your quick reply.

I hope it will help me.

Sorry for not having seen this topic.

It's past midnight here; I'll read and try this ASAP, and reply.

Ajt69
New Contributor II

@dingjerry_FTNT

Can you tell me what I need to supply for the configuration?

A detailed diagram? Details from the CLI?

Let me know.

Thank you.

dingjerry_FTNT

Hi @Ajt69 ,

We need all configurations you used for your case, such as (but not limited to):

What interfaces?

What firewall policies?

What routing configuration?

Network diagram

Interesting traffic flow

And so on, anything you configured for your case.


It's better to attach your FGT config.

Regards,

Jerry
Ajt69
New Contributor II

Thank you, I will do my best to supply the information needed to help me.

I'm also taking a look at the topics given by @DPadula.

Ajt69
New Contributor II

Hi,

I read the recommended topic, and all VDOMs are in NAT operation mode. Should I understand that it only works that way? No possible inter-VDOM routing between TP and NAT?

I created my first root VDOM in transparent mode for lack of knowledge about IPv6 for the TV box, and also to avoid double NAT. Maybe I'm wrong.

Here is my network:

[attachment: reseau.JPG]

Screenshots from the web GUI:

[attachments: Global_vdom.JPG, global_interface.JPG, regle_Root.JPG, regle_homelan.JPG, regle_vd-test.JPG]

And from the CLI:

FG-51E (global) #
config system global
set gui-ipv6 enable
set hostname "FG-51E"
set management-vdom "HomeLAN"
set switch-controller enable
set vdom-mode multi-vdom
end
config system vdom-link
edit "vdomlink"
next
edit "root2lan"
set type ethernet
next
end
config system interface
edit "wan1"
set vdom "root"
set allowaccess ping
set type physical
set alias "Freebox"
set role wan
set snmp-index 1
next
edit "wan2"
set vdom "root"
set allowaccess ping fgfm
set type physical
set snmp-index 2
next
edit "modem"
set vdom "root"
set type physical
set snmp-index 3
next
edit "lan2"
set vdom "HomeLAN"
set type physical
set snmp-index 4
next
edit "lan3"
set vdom "HomeLAN"
set type physical
set snmp-index 9
next
edit "lan4"
set vdom "VD-Test"
set ip 10.10.0.1 255.255.255.0
set allowaccess ping https ssh
set type physical
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 8
next
edit "lan5"
set vdom "TPvdom"
set allowaccess ping https ssh
set type physical
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 7
next
edit "lan"
set vdom "root"
set allowaccess ping https ssh
set type hard-switch
set alias "Pop"
set stp enable
set device-identification enable
set lldp-reception enable
set lldp-transmission enable
set role lan
set snmp-index 5
next
edit "LACP"
set vdom "HomeLAN"
set ip 10.0.0.1 255.255.255.0
set allowaccess ping https ssh
set type aggregate
set member "lan2" "lan3"
set alias "Home"
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 6
next
edit "ssl.HomeLAN"
set vdom "HomeLAN"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 10
next
edit "ssl.VD-Test"
set vdom "VD-Test"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 11
next
edit "vdomlink0"
set vdom "HomeLAN"
set ip 0.0.0.0 255.255.255.255
set allowaccess ping
set type vdom-link
set description "homelanlink"
set snmp-index 12
next
edit "vdomlink1"
set vdom "VD-Test"
set ip 0.0.0.0 255.255.255.255
set allowaccess ping
set type vdom-link
set description "vdtestlink"
set snmp-index 13
next
edit "root2lan0"
set vdom "root"
set allowaccess ping https http
set type vdom-link
set snmp-index 14
set macaddr 1a:b5:6a:a3:00:33
next
edit "root2lan1"
set vdom "HomeLAN"
set allowaccess ping https http
set type vdom-link
set snmp-index 15
set macaddr 42:d7:5c:5a:00:34
next
end

FG-51E (root) #
config system settings
set opmode transparent
set manageip 192.168.0.200/255.255.255.0
end

config firewall policy
edit 1
set uuid 4d93bd88-a6b0-51ee-3735-98ffa0ae402f
set srcintf "lan"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set uuid b3205dac-a6b8-51ee-e9a5-513d62a1a0a1
set srcintf "wan1"
set dstintf "lan"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic disable
next
edit 3
set uuid 7c4621f4-a9dc-51ef-c0ca-edac476ec261
set srcintf "wan1"
set dstintf "root2lan0"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 4
set uuid 8c708eac-a9dc-51ef-7436-53afa1525e9d
set srcintf "root2lan0"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
config firewall policy6
edit 1
set uuid 61c2b6ec-a6b5-51ee-1a5b-270d916165f2
set srcintf "lan"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

config router static
edit 1
set gateway 192.168.0.254
next
end

FG-51E (HomeLAN) #
config firewall policy
edit 1
set uuid ec31c09a-a9e1-51ef-8d46-d006a8e9eaf7
set srcintf "vdomlink0"
set dstintf "LACP"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set uuid 41073616-a9e4-51ef-5276-2bccbd489cc0
set srcintf "LACP"
set dstintf "root2lan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 3
set uuid 5260fd16-a9e4-51ef-646c-25ba2fc68ab8
set srcintf "root2lan1"
set dstintf "LACP"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

config router static
edit 1
set device "vdomlink0"
set comment "linkvdom"
next
edit 2
set device "root2lan1"
next
end

FG-51E (VD-Test) #
config firewall policy
edit 1
set name "vdtest2homelan"
set uuid 703de03c-a91d-51ef-141e-28c108dfe72d
set srcintf "vdomlink1"
set dstintf "lan4"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "out"
set uuid f5dc6582-a91e-51ef-db89-c4452393a6df
set srcintf "lan4"
set dstintf "vdomlink1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

config router static
edit 1
set device "vdomlink1"
next
end

Hope it's enough to help me achieve inter-VDOM routing from the NAT VDOM to the TP VDOM.

Thanks a lot!

DPadula

Hi Ajt69,

The difference between a transparent VDOM and a NAT VDOM is the layer they operate at. In a very simple way, a transparent VDOM 'works' like an L2 switch. A NAT VDOM operates like a router. So if you want to keep the network diagram like your drawing, you need to add an IP address on 'vdomlink0'; the IP address must be on the same subnet as the GW (192.168.0.0/24), and the default route should point to the GW IP address.

[attachment: Aj69.png]

Another way to see your diagram would be like this:

[attachment: Aj69_B.png]

Give it a try and let us know about the results.
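The change DPadula describes above, and the gateway fix from the accepted solution, written out as FortiOS CLI for the HomeLAN (NAT) VDOM. This is an added example, not configuration from the thread or from Fortinet. It follows the interface names in the CLI pasted earlier, where the vdom-link pair into the transparent root VDOM is root2lan0 (root side) / root2lan1 (HomeLAN side); DPadula's diagram labels that link "vdomlink0", so use whichever name actually terminates in the root VDOM on your unit. The address 192.168.0.201 is an assumed free host in the Freebox subnet (the root VDOM's manageip already uses .200), and policy id 2 / route id 2 are the existing entries from the pasted config.

```fortios
# Added example, not from the thread. Assumes: root2lan1 is the HomeLAN end of the
# vdom-link into the transparent root VDOM, and 192.168.0.201 is unused on the LAN.
# The root (TP) VDOM needs nothing beyond its existing wan1 <-> root2lan0 policies;
# the vdom-link was already created with "set type ethernet", which a TP VDOM requires.
config vdom
    edit HomeLAN
        # 1. The NAT-side end of the link needs an address in the ISP subnet.
        #    In the pasted config root2lan1 has no IP, so HomeLAN can never ARP
        #    for the Freebox through the L2 root VDOM.
        config system interface
            edit "root2lan1"
                set ip 192.168.0.201 255.255.255.0
                set allowaccess ping
            next
        end

        # 2. Default route: the gateway is the Freebox (192.168.0.254), reached via
        #    root2lan1. A route with only "set device" (gateway 0.0.0.0) marks the
        #    interface as connected; it never forwards off-link traffic.
        config router static
            edit 2
                set device "root2lan1"
                set gateway 192.168.0.254
            next
        end

        # 3. Outbound policy from the home LAN towards the transparent VDOM.
        #    Source NAT hides 10.0.0.0/24 behind 192.168.0.201. The alternative,
        #    if double NAT is to be avoided, is to leave "nat" disabled and add a
        #    static route for 10.0.0.0/24 via 192.168.0.201 on the Freebox.
        config firewall policy
            edit 2
                set srcintf "LACP"
                set dstintf "root2lan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end

        # 4. Verification, from inside the HomeLAN VDOM context.
        #    First the gateway itself, then the sniffer from the accepted solution
        #    (verbosity 4 shows interface names, count 0 runs until Ctrl-C):
        execute ping 192.168.0.254
        diagnose sniffer packet any "host 192.168.0.254 and icmp" 4 0
    next
end
```

In the sniffer output the echo request should leave on root2lan1 and the reply should come back on it; if requests are seen but no replies, the address or route on the link is still wrong, and if nothing is seen at all, the LACP-to-root2lan1 policy is not matching.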

Ajt69
New Contributor II

Hi @DPadula

Thank you for your explanation, and the time you took.

I thought I understood and it was clear, but I don't know how to get around it; it doesn't work :'(

It's a shame for me.

Here is what I did in VDOM B:

[attachments: vdom_homelan.JPG, static_route_homelan.JPG]

Could my firewall policy be bad too?
