Hello,
i'am a new user in fortigate world :) with FG-51E
I read some tuto to learn how it works, and i'm stuck with routing between vdom.
it won't work :'(
i'm french, and my isp provider is named free.
To be able to watch tv with their player, it have to get an IPV6 SLAAC without DHCPv6. unfortunately, i don't know how to do that with fortigate. (it's not the subjet but if someone can help me for this point, i will be very happy )
So i create a root vdom in transparent mode, with member interface wan 1, and port 1. my tv player works without problem.
now, i create another "test" vdom in NAT mode, for testing, homelab. the interface member are the others ports
i wish to link this nat vdom with the root transparent vdom, and .... no way to make it works :'(
i miss something but i don't know what.
I relied on these links, for helping
http://socpuppet.blogspot.com/2014/09/a-meshed-vdom-transparent-using-inter.html
https://www.fortinetguru.com/2017/01/configuring-vdom-links/
none of them help me
i also test this tips, and it works. but it is not what i wish to do
could anyone help me to make it work please ?
Thank you very much !
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Default route on HomeLan is wrong, the gateway should not be 0.0.0.0 but the ISP router ip address (192.168.0.254)'.
The right command is 'diagnose sniffer packet any "host 192.168.0.254 and icmp" 4 0', my bad.
Can you ping the google after you changed the gateway ip address on the static route?
Let's start with simple tests.
Can you ping the gateway 192.168.0.254 from HomeLan vdom?
If you can, great, routing is working fine between HomeLan and root. If you cannot run the command 'diag sniffer packet any "host 192.168.0.254 and icmp" 4 0' on HomeLan vdom and also on root vdom while you are trying to ping the gateway.
We need to understand what is happening to the traffic if you cannot ping the gateway from HomeLan vlink interface ip address 192.168.0.201
Also, try to ping the mgmt ip on root vdom (192.168.0.200) from the HomeLan. What is the outcome?
i made some change on HomeLan vdom, i switch to link "root2lan1" instead of "vdomlink0" and set an ip of subnet 192.168.0.x/24.
and add this static route to reach the other test vdom
With this, i can ping my other device on this subnet, and vdom test.
Good point i think, but cannot ping the gateway 192.168.0.254
i try to add wan1 in firewall policy (I feel like it's a bit twisted)
and this way, i can ping the gateway.
but i cannot ping outside network like 8.8.8.8.... It's starting to drive me crazy !!
i don't have this command 'diag debug packet any "host 192.168.0.254 and icmp" 4 0' , May be not implement ine FW 6.2.15
Default route on HomeLan is wrong, the gateway should not be 0.0.0.0 but the ISP router ip address (192.168.0.254)'.
The right command is 'diagnose sniffer packet any "host 192.168.0.254 and icmp" 4 0', my bad.
Can you ping the google after you changed the gateway ip address on the static route?
this time, i hope it's ok :)
first of all, i set the gateway ip adress on the static route, in vdom HomeLan
and adjust also ip address destination to reach my other test vdom
use sniffer command
don't know where come from eth0 ?
next, I realized that I had forgotten to set nat enable in firewall ipv4 policy
but not able to reach internet
ping ok, but nok with resolve name ? so i check interface and set my gateway as dns
now, all it's ok i think :)
may be i can set ip defaut gateway here, in interface ? instead of static routes ?
also trouble with fact i have to add another interface in root vdom firewall policy to access device in subnet 192.168.0.x
it's probably an expect behavior
now, i will test with device in subnet 192.168.0.x to go to vdom with 10.10.0.1
Really a big thank you for helping me to achieve this !! for the tips, etc
I didn't dare ask for too much help for fear that my subject had already been covered and that I would be directed towards a tutorial to adapt. But this is really great, thanks again!!
May be i can post another topic to help me to achieve how i can get an ipv6 slaac without dhcpv6 behind a vdom nat :p
Great news, glad that you could solve the issue with our help. :)
Answering your last question:
may be i can set ip defaut gateway here, in interface ? instead of static routes ?
A.: If interface is setup as DHCP then it will get the gateway automatically, but because the IP was assigned statically you need the static route. That is a normal configuration, don't worry just enjoy it now. :)
Hi,
I think i am close to the goal
I'll be back with some additional information by this evening
Exactly, divide and conquer. ;)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1734 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.