Hello,
i'am a new user in fortigate world :) with FG-51E
I read some tuto to learn how it works, and i'm stuck with routing between vdom.
it won't work :'(
i'm french, and my isp provider is named free.
To be able to watch tv with their player, it have to get an IPV6 SLAAC without DHCPv6. unfortunately, i don't know how to do that with fortigate. (it's not the subjet but if someone can help me for this point, i will be very happy )
So i create a root vdom in transparent mode, with member interface wan 1, and port 1. my tv player works without problem.
now, i create another "test" vdom in NAT mode, for testing, homelab. the interface member are the others ports
i wish to link this nat vdom with the root transparent vdom, and .... no way to make it works :'(
i miss something but i don't know what.
I relied on these links, for helping
http://socpuppet.blogspot.com/2014/09/a-meshed-vdom-transparent-using-inter.html
https://www.fortinetguru.com/2017/01/configuring-vdom-links/
none of them help me
i also test this tips, and it works. but it is not what i wish to do
could anyone help me to make it work please ?
Thank you very much !
Solved! Go to Solution.
Default route on HomeLan is wrong, the gateway should not be 0.0.0.0 but the ISP router ip address (192.168.0.254)'.
The right command is 'diagnose sniffer packet any "host 192.168.0.254 and icmp" 4 0', my bad.
Can you ping the google after you changed the gateway ip address on the static route?
Hi Ajt69,
There is this forum topic where someone has asked bout inter-link vdom. Have a look on it:
I hope it helps.
well seen :)
Thank you for your quick reply
I hope it will help me
sorry for not having seen this topic.
it's past midnight here, i read and try this asap, and reply
can you help me what i need to supply, for configuration ?
detail schema ? detail from cli ?
Let me know
thank you
Hi @Ajt69 ,
We need all configurations you used for your case, such as (but not limited):
What interfaces?
What firewall policies?
What routing configuration?
Network diagram
Interesting traffic flow
And so on, anything you configured for your case.
It's better to attach your FGT config.
thank you, i will do my best to supply information in order to help me
i also take a look at the topics given by @DPadula
Hi,
I read the recommended topic, and all vdom are in operation mode NAT. Should i understand it is only in that way it works ? no possible inter vdom routing between TP and NAT ?
i create my first root vdom as transparent mode for lack of knowledge about ipv6 for tv box, and also to avoid double NAT. may be i'm wrong.
here my network
screenshot from web gui
and from CLI
FG-51E (global) #
set gui-ipv6 enable
set hostname "FG-51E"
set management-vdom "HomeLAN"
set switch-controller enable
set vdom-mode multi-vdom
end
config system vdom-link
edit "vdomlink"
next
edit "root2lan"
set type ethernet
next
end
config system interface
edit "wan1"
set vdom "root"
set allowaccess ping
set type physical
set alias "Freebox"
set role wan
set snmp-index 1
next
edit "wan2"
set vdom "root"
set allowaccess ping fgfm
set type physical
set snmp-index 2
next
edit "modem"
set vdom "root"
set type physical
set snmp-index 3
next
edit "lan2"
set vdom "HomeLAN"
set type physical
set snmp-index 4
next
edit "lan3"
set vdom "HomeLAN"
set type physical
set snmp-index 9
next
edit "lan4"
set vdom "VD-Test"
set ip 10.10.0.1 255.255.255.0
set allowaccess ping https ssh
set type physical
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 8
next
edit "lan5"
set vdom "TPvdom"
set allowaccess ping https ssh
set type physical
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 7
next
edit "lan"
set vdom "root"
set allowaccess ping https ssh
set type hard-switch
set alias "Pop"
set stp enable
set device-identification enable
set lldp-reception enable
set lldp-transmission enable
set role lan
set snmp-index 5
next
edit "LACP"
set vdom "HomeLAN"
set ip 10.0.0.1 255.255.255.0
set allowaccess ping https ssh
set type aggregate
set member "lan2" "lan3"
set alias "Home"
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 6
next
edit "ssl.HomeLAN"
set vdom "HomeLAN"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 10
next
edit "ssl.VD-Test"
set vdom "VD-Test"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 11
next
edit "vdomlink0"
set vdom "HomeLAN"
set ip 0.0.0.0 255.255.255.255
set allowaccess ping
set type vdom-link
set description "homelanlink"
set snmp-index 12
next
edit "vdomlink1"
set vdom "VD-Test"
set ip 0.0.0.0 255.255.255.255
set allowaccess ping
set type vdom-link
set description "vdtestlink"
set snmp-index 13
next
edit "root2lan0"
set vdom "root"
set allowaccess ping https http
set type vdom-link
set snmp-index 14
set macaddr 1a:b5:6a:a3:00:33
next
edit "root2lan1"
set vdom "HomeLAN"
set allowaccess ping https http
set type vdom-link
set snmp-index 15
set macaddr 42:d7:5c:5a:00:34
next
end
FG-51E (root) #
config system settings
set opmode transparent
set manageip 192.168.0.200/255.255.255.0
end
config firewall policy
edit 1
set uuid 4d93bd88-a6b0-51ee-3735-98ffa0ae402f
set srcintf "lan"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set uuid b3205dac-a6b8-51ee-e9a5-513d62a1a0a1
set srcintf "wan1"
set dstintf "lan"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic disable
next
edit 3
set uuid 7c4621f4-a9dc-51ef-c0ca-edac476ec261
set srcintf "wan1"
set dstintf "root2lan0"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 4
set uuid 8c708eac-a9dc-51ef-7436-53afa1525e9d
set srcintf "root2lan0"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
config firewall policy6
edit 1
set uuid 61c2b6ec-a6b5-51ee-1a5b-270d916165f2
set srcintf "lan"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
config router static
edit 1
set gateway 192.168.0.254
next
end
FG-51E (HomeLAN) #
config firewall policy
edit 1
set uuid ec31c09a-a9e1-51ef-8d46-d006a8e9eaf7
set srcintf "vdomlink0"
set dstintf "LACP"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set uuid 41073616-a9e4-51ef-5276-2bccbd489cc0
set srcintf "LACP"
set dstintf "root2lan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 3
set uuid 5260fd16-a9e4-51ef-646c-25ba2fc68ab8
set srcintf "root2lan1"
set dstintf "LACP"
set srcaddr "all"
FG-51E (VD-Test) #
config firewall policy
edit 1
set name "vdtest2homelan"
set uuid 703de03c-a91d-51ef-141e-28c108dfe72d
set srcintf "vdomlink1"
set dstintf "lan4"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "out"
set uuid f5dc6582-a91e-51ef-db89-c4452393a6df
set srcintf "lan4"
set dstintf "vdomlink1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
config router static
edit 1
set device "vdomlink1"
next
endset dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end
config router static
edit 1
set device "vdomlink0"
set comment "linkvdom"
next
edit 2
set device "root2lan1"
next
end
Hope it's enough to help me in order to achieve inter vdom routing from vdom NAT to vdom TP
Thank's a lot
Hi Ajt69,
The difference between a transparent vdom and a NAT vdom is the layer they operate. In a very simple way a transparent vdom 'works' like a L2 switch. A NAT vdom operates like a router. So if you want o keep the network diagram like your draw you need to add a IP address on the 'vdomlink0', the ip address must be on the same subnet of the GW (192.168.0.0/24) and the default route should point to the GW ip address.
Another way to see your diagram would be like that:
Give it a try and let us know about the results.
hi @DPadula
Thank you for your explanation, and the time you take.
I thought I understood and it was clear, but I don't know how to get around it, it doesn't work :'(
it's a shame for me
here is what i did in vdom B
my firewall policy could be bad too ?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.