Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Rodney
New Contributor

"Transparent" Port or Inter-VDOM setup

I am trying to segment the network into 2 parts:

1) 2 ports (i.e. Port 1, Port 2), each on a different private LAN

    private IP: 192.168.1.0/24, 192.168.2.0/24

    wan: 123.123.123.0-123.123.123.127

2) 1 port (i.e. Port 3) in "transparent mode"

    private IP: 123.123.123.128-123.123.123.255

    wan: 123.123.123.128-123.123.123.255

I am wondering if I should (or if it is possible to) set up my FortiGate as follows:

1) Set it up to run in NAT/Routing mode

    Set up Virtual IPs for Port 1 and Port 2 to take care of the IP translation.

    Set up a Routing Policy to direct data going to 123.123.123.128-123.123.123.255 to Port 3

    (Is this even possible?)

OR

2) Set up 3 VDOMs (i.e. Root, Private_VDOM, Public_VDOM)

    Connect WAN to Root and set it up in NAT/Routing mode

    Set up Private_VDOM in transparent mode

    Set up a Routing Policy to direct data going to 123.123.123.128-123.123.123.255 to Private_VDOM

    Set up Private_VDOM in NAT/Routing mode

    Set up a Routing Policy to direct data going to 123.123.123.0-123.123.123.127 to Private_VDOM

    Set up Virtual IPs on Public_VDOM

I am very new to setting up these things. Thank you very much for your help in advance.

2 Solutions
emnoc
Esteemed Contributor III

I don't think you can do #1, but #2 could be done if you set VIPs for the hosts. But do you really need a transparent link? I think you could do this with less complexity if you just placed VIPs for 123.123.123.128-123.123.123.255 /25 and set the machines behind the VIPs

or

Just create a 3rd LAN interface that houses the 23.123.123.128/25

This could be a sub-interface that's tagged like an 802.1q interface if you're limited on physical ports.

Please check out my stacked VDOM blog for other ideas & suggestions:

http://socpuppet.blogspot...pt-with-fortigate.html

PCNSE
NSE
StrongSwan
emnoc
Esteemed Contributor III

I hear you, but what does the upper end of the /25 (.128-.255) have as a gateway today? Can't you just lift that network and install it on another interface on the FortiGate & still meet your needs? Or bind two interfaces as an inbound & outbound interface for the LAN segment that needs the transparent mode of operation?

e.g.

port3 and port4 (transparent VDOM)

About NAT in transparent VDOMs, it can be done. I have never done this though. You can configure IP pools and set firewall policies to allow NAT, but be careful in your topology & design and remember that an interface can only be in one VDOM regardless of the VDOM mode of operation (NAT/routed or transparent).

I would suggest you draft out the details before diving in and ensure that the design encompasses the goals and functionality that you're looking for.

PCNSE
NSE
StrongSwan
5 REPLIES
Rodney
New Contributor

Thank you very much for your information.

The reason I am hoping to set up a "transparent link" is that this part of the network is already in place. Such a setup will reduce the amount of changes to the existing network.

I have read through your Stacked VDOM blog. However, I am still not sure about your 2nd suggestion:

"Just create a 3rd lan-interface that houses the 23.123.123.128/25"

Is it possible for you to further elaborate on it?

Also, in your Stacked VDOM blog post, is it possible to push the NAT down to the custA and custB VDOMs instead of doing it in the root VDOM?

Thank you very much for your help in advance!

emnoc wrote:

I don't think you can do #1, but #2 could be done if you set VIPs for the hosts. But do you really need a transparent link? I think you could do this with less complexity if you just placed VIPs for 123.123.123.128-123.123.123.255 /25 and set the machines behind the VIPs

or

Just create a 3rd LAN interface that houses the 23.123.123.128/25

This could be a sub-interface that's tagged like an 802.1q interface if you're limited on physical ports.

Please check out my stacked VDOM blog for other ideas & suggestions:

http://socpuppet.blogspot...pt-with-fortigate.html


Rodney
New Contributor

Thank you very much emnoc.

I guess my original plan is not a recommended approach. I guess I will follow a topology similar to the one in your post:

http://socpuppet.blogspot.com.es/2014/09/a-stacked-vdom-concept-with-fortigate.html

However, I am wondering how I can set the Virtual IP to allow computers from the WAN and custB to access a computer in custA (i.e. 10.100.10.123)?

Does this Virtual IP setting have to be done in VDOM:root? Can't it be set in custA?

I tried to set the Virtual IP in VDOM:root with the following settings:

Interface: WAN
External IP: 123.123.123.123-123.123.123.123
Internal IP: 10.100.10.123-10.100.10.123

I have also set a static route such that

Destination IP: 10.100.10.0/255.255.255.0
Device: root2custA0
Gateway: 192.168.0.2

For testing, I have allowed all traffic to route from any interface to any interface in both VDOMs. However, I am still not able to ping the machine with IP 10.100.10.123 from the outside.

Is there anything I have missed?

Thanks.


Rodney
New Contributor

Packets are able to pass through after setting a policy to allow traffic to reach the specific Virtual IP as destination with NAT turned on.

 

Thank you very much for all your help!
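As an added example (not Rodney's or emnoc's configuration), here is the FortiOS CLI equivalent of the VIP, static route and NAT-enabled policy described in this thread, with the any-to-any test policy tightened to the VIP object and two services and with logging on; the interface names "WAN" and "root2custA0" and the addresses come from the thread, while "root2custA1" (the far end of the same vdom-link pair) and "custA_lan" (custA's inside interface) are assumptions.

```fortios
# Added example, not from the thread. "WAN", "root2custA0" and the IPs are Rodney's;
# "root2custA1" is the far end of that vdom-link pair; "custA_lan" is a placeholder.
config vdom
    edit root
        config firewall vip
            edit "vip_custA_host"
                set extintf "WAN"
                set extip 123.123.123.123
                set mappedip "10.100.10.123"
            next
        end
        config router static
            edit 0
                set dst 10.100.10.0 255.255.255.0
                set device "root2custA0"
                set gateway 192.168.0.2
            next
        end
        # dstaddr is the VIP object, not "all"; services pinned; NAT on; logged
        config firewall policy
            edit 0
                set srcintf "WAN"
                set dstintf "root2custA0"
                set srcaddr "all"
                set dstaddr "vip_custA_host"
                set action accept
                set schedule "always"
                set service "HTTPS" "PING"
                set nat enable
                set logtraffic all
            next
        end
    next
end
config vdom
    edit custA
        # custA still needs its own policy from its end of the link to the LAN
        config firewall policy
            edit 0
                set srcintf "root2custA1"
                set dstintf "custA_lan"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "HTTPS" "PING"
            next
        end
    next
end
```

With `set nat enable` on the root policy, custA sees the traffic sourced from the root end of the vdom-link, so replies return through root even if custA's default route points elsewhere.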
