Not applicable

management vdom with VIP

We are going to be sharing an office with another company. We are going to have two internet connections that we would like to share with each other. Both connections have 5 static IP addresses. We will use three or four of these on each connection and the other company will use the other one or two addresses on each connection. For simplicity's sake, let's assume only one connection for now, as I should be able to make this work on the other connection once I get it figured out on the first one. I have read through the VDOM guide and unfortunately there are no real good examples using a situation like mine. The way I would like to set this up is with a management VDOM and then a VDOM for each company. Both companies require Virtual IPs set up for some external services. I think I will need to use a Vlink connection between the management VDOM and our two companies. I am not sure how to translate the external IP addresses using Virtual IP into the correct VDOMs. If anyone could push me in the right direction it would be greatly appreciated.
Faulty_Male
New Contributor III

I think it will be very difficult to split the outside subnets as suggested. Do you have to use VDOMs, or could you get away with separate VLANs on the inside and apply policies based on the source VLAN address? This obviously won't work if you want to allow an admin user onto the box from the other company.
Kenundrum
Contributor III

I have a few locations with a similar setup, but with only one primary WAN connection. The VDOM guide is a bit hard to follow, but once I realized how it handled things, it became relatively simple, albeit involved. You have to think of the VDOMs as completely separate firewalls and design your routing around that. The long story short is that the VIP needs to exist in the root VDOM to forward traffic to the internal VDOM, and then the internal VDOM needs another VIP to forward traffic to the final destination. The longer story, which tripped me up a bit, was that in my case I needed to assign the VDOM links IP addresses in order for the VIP to work since I had overlapping subnets behind those VDOMs. The documentation doesn't explain it clearly enough (at least for me perhaps) that the correct way to handle that is to assign the VDOM links some throwaway subnet unique to them and then set the external VIP to forward to the destination VDOM link IP. For example, the root VDOM is 192.168.0.1/24, VDOM1 is 192.168.1.1/24 and VDOM2 is 192.168.2.1/24. You would create a VDOM link between the root and VDOM1 with the root side as 10.0.0.1/30 and the VDOM1 side 10.0.0.2/30. The addresses and masks don't really matter as long as they are unique. The VDOM link between root and VDOM2 could be 10.0.0.101/30 and 10.0.0.102/30 respectively. The outside VIP would forward ports from the external IP address to the VDOM1 link interface at 10.0.0.2. Inside VDOM1, you would need to set up another VIP to take traffic arriving on the VDOM link and forward it to the correct destination, such as a web server at 192.168.1.123. The same thing would be repeated for VDOM2: in the root VDOM you forward a port to 10.0.0.102 to knock on VDOM2's door, and then inside VDOM2, take that traffic and forward it to the appropriate location.
On the way out, you set your default gateway on computers inside the VDOM to be the PHYSICAL interface IP of the VDOM (192.168.1.1 in my example above) and the default route inside that VDOM points to the root side of the VDOM link (10.0.0.1). Then in the root VDOM you have rules that allow traffic from the VDOM link out to the appropriate external interface, with the routing table in the root containing your actual external gateway configuration. Hopefully that all made sense. I worked through that kind of setup in a test lab for a while before I was able to get it to perform the way I wanted it to for my situation. You may have some more complexity involved with dealing with two external connections and deciding where you will want to NAT the traffic between interfaces.

CISSP, NSE4
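
The chained-VIP design from the reply above, written out as FortiOS CLI. This is an added illustration, not configuration from the post or from Fortinet, and it assumes a vdom-link named "vl" already exists with vl0 (10.0.0.1/30) in root and vl1 (10.0.0.2/30) in VDOM1, a placeholder public address 203.0.113.10 on wan1, and the web server at 192.168.1.123.

```fortios
# Root VDOM: static-NAT VIP hands the whole public IP to VDOM1's vdom-link address
config vdom
edit root
config firewall vip
    edit "pub-ip-to-vdom1"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.0.0.2"
    next
end
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "vl0"
        set srcaddr "all"
        set dstaddr "pub-ip-to-vdom1"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "vl0"
        set gateway 10.0.0.2
    next
end
next
# VDOM1: second VIP takes what arrives on vl1 and forwards port 443 to the web server
edit VDOM1
config firewall vip
    edit "vl1-to-webserver-https"
        set extip 10.0.0.2
        set extintf "vl1"
        set portforward enable
        set mappedip "192.168.1.123"
        set extport 443
        set mappedport 443
    next
end
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "vl1"
        set gateway 10.0.0.1
    next
end
next
end
```

Although the root VIP maps every port of the public address, only HTTPS is permitted by the root policy, so the exposure of that address stays limited to what the policy lists. VDOM1 additionally needs a policy from vl1 to its LAN interface with the VIP as destination, and the same pattern repeats for VDOM2 using 10.0.0.102.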
Not applicable

That does make sense. That is kind of how I was thinking it would have to work. One follow-up question: how do you handle forwarding multiple external IP addresses? Do you have to create multiple Vlinks for each external IP address? Fortinet's documentation really leaves something to be desired when it comes to examples. They really could use a few more examples for a few different situations. I understand they can't write examples for all the different situations, but writing a few examples would certainly get people started a lot of the time. Thanks for your help. I will try to play with it a little. After thinking about it more today I am not sure I will even need VDOMs. I still think I may because I want to have two different SSL VPN domains.
ejhardin
Contributor

You can keep your setup simple by creating three VDOMs. One is the root or WAN, and the other two are your two companies. You are doing what we have done, as we have two companies sharing our connection. In the root put both of your internet connections and load balance them. Then create a VDOM link from your WAN to your first company VDOM and repeat for the next company. To keep it simple, do not use IP addresses on your VDOM links. If you want to connect directly with the two companies you can create another VDOM link from company A to company B, but it is not necessary. Now create your VIP policies from the public to private on the root VDOM. On the company VDOM you don't need to create a VIP, just a firewall policy allowing the traffic. On the root VDOM you have your internet connections, VPN policies and, if you want, WAN opt. The other two VDOMs just need firewall policies. Last is your routes: create your default routes on the two company VDOMs with the VDOM link as the device and 0.0.0.0 as the gateway. Now create the routes back to the private IP addresses in the root VDOM.
Not applicable

Thanks for the replies. I finally got around to getting this set up and it is working well. I have one problem that has come up though. How do I get the SSL VPN to work for each company in this setup? I would like to have an SSL VPN set up for each company. I can set it up for one or the other but not for both. Any suggestions would be great.