Purpose
This article describes how to forward traffic from one VDOM to another using an inter-VDOM link.
Expectations, Requirements
When the VDOM feature is enabled on the FortiGate, ensure that communication between both VDOMs is working.
IP addresses are not required for inter-VDOM links, although this article assigns one to each end.
Being virtual interfaces is one of the main differences between inter-VDOM links and regular interfaces.
An IP address is not required for an inter-VDOM link because it is an internal connection that can be referred to by its interface name in firewall policies and other system references.
This gives three possible situations for an inter-VDOM link:
1) Unnumbered: an inter VDOM link with no IP addresses for either end of the tunnel.
2) Half numbered: an inter VDOM link with one IP address for one end and none for the other end.
3) Full numbered: an inter VDOM link with two IP addresses, one for each end.
Not using an IP address in the configuration can speed up and simplify the configuration, and it does not use up IP addresses in the subnets.
Half or full numbered interfaces are required for NAT, either SNAT or DNAT, because an IP address is needed on both ends to translate between.
Unnumbered interfaces can be used in static routing by naming the interface as the device and using 0.0.0.0 as the gateway.
Running traceroute will not show the unnumbered interface in the list of hops.
However, the interface is visible when sniffing packets, which is useful for troubleshooting.
Define the Inter-VDOM routing and firewall policies on each VDOM to allow the traffic.
Internal VDOM:
The default gateway for Internal VDOM communication is the External VDOM (the root VDOM in this example).
Configure the static route using the following command:
# config router static
edit 1
set gateway 10.10.10.1 >>>> It is necessary to point to the External VDOM IP of the inter-VDOM link
set device "Root_to_Int1" >>>> Traffic will be routed over the inter-VDOM link interface
next
end
Configure the firewall policy to allow the traffic from the Internal LAN to the Inter-VDOM link using the following command:
# config firewall policy
edit 1
set srcintf "internal2"
set dstintf "Root_to_Int1"
set srcaddr "LAN_Internal_VDOM"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
External VDOM:
Configure the static route to send back the traffic to the Internal VDOM using the following command:
# config router static
edit <id>
set dst 10.254.0.0 255.255.255.0 >>>> Set the Internal VDOM network
set gateway 10.10.10.2 >>>> It is necessary to point to the Internal VDOM IP of the inter-VDOM link
set device "Root_to_Int0" >>>> Traffic will be sent back over the inter-VDOM link interface
next
end
Configure the firewall policy to allow the traffic from the inter-VDOM link to the WAN interface:
# config firewall policy
edit 6
set srcintf "Root_to_Int0"
set dstintf "wan1"
set srcaddr "LAN_VDOM_Internal"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
end
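The two halves of this configuration (the Internal VDOM route and policy, the External VDOM return route and NAT policy) have to agree with each other, and a mismatch is easy to miss when each VDOM is edited on its own. The Python script below is an added example, not Fortinet code and not part of this article: it reads FortiOS-style CLI text with a small parser and checks that each VDOM's static route points at the peer's link IP through its own link end, that the LAN-to-link and link-to-WAN accept policies exist, and that the egress policy enables NAT. The embedded sample configuration is constructed from the values shown above; the config system interface stanzas assigning 10.10.10.2 and 10.10.10.1 to the link ends are an assumption, since the article states those addresses but does not show that part of the configuration.

```python
"""Inter-VDOM link consistency check (added example, not Fortinet code).
Parses FortiOS-style CLI text and verifies that the routes and policies on the
two VDOMs agree. Sample input is constructed from the article's values; the
'system interface' stanzas holding the link IPs are an assumption."""
INTERNAL_VDOM_CFG = """
config system interface
    edit "Root_to_Int1"
        set ip 10.10.10.2 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 10.10.10.1
        set device "Root_to_Int1"
    next
end
config firewall policy
    edit 1
        set srcintf "internal2"
        set dstintf "Root_to_Int1"
        set action accept
    next
end
"""
EXTERNAL_VDOM_CFG = """
config system interface
    edit "Root_to_Int0"
        set ip 10.10.10.1 255.255.255.0
    next
end
config router static
    edit 2
        set dst 10.254.0.0 255.255.255.0
        set gateway 10.10.10.2
        set device "Root_to_Int0"
    next
end
config firewall policy
    edit 6
        set srcintf "Root_to_Int0"
        set dstintf "wan1"
        set action accept
        set nat enable
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set/next/end text into {table: {id: {key: [values]}}}."""
    cfg, table, entry = {}, None, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "config":
            table = " ".join(tok[1:])
        elif tok[0] == "edit":
            entry = tok[1].strip('"')
            cfg.setdefault(table, {})[entry] = {}
        elif tok[0] == "set":
            cfg[table][entry][tok[1]] = [t.strip('"') for t in tok[2:]]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table = None
    return cfg

def _find(cfg, table, **wanted):
    """Return the first entry of `table` whose values contain every wanted key/value."""
    for entry in cfg.get(table, {}).values():
        if all(v in entry.get(k, []) for k, v in wanted.items()):
            return entry
    return None

def check_inter_vdom(internal, external, int_link="Root_to_Int1", ext_link="Root_to_Int0",
                     lan_if="internal2", wan_if="wan1", lan_net="10.254.0.0"):
    """Return a list of findings; an empty list means both VDOM halves agree."""
    findings = []
    int_ip = internal.get("system interface", {}).get(int_link, {}).get("ip", [None])[0]
    ext_ip = external.get("system interface", {}).get(ext_link, {}).get("ip", [None])[0]
    if not (int_ip and ext_ip):  # NAT over the link needs a full-numbered link
        findings.append("both link ends need an IP address when NAT is used")
    # Each VDOM's route must point at the peer's link IP through its own link end.
    if ext_ip and not _find(internal, "router static", device=int_link, gateway=ext_ip):
        findings.append(f"Internal VDOM: no route via {int_link} to gateway {ext_ip}")
    if int_ip and not _find(external, "router static", device=ext_link, gateway=int_ip, dst=lan_net):
        findings.append(f"External VDOM: no return route for {lan_net} to {int_ip} via {ext_link}")
    # Policy chain: LAN -> link in the Internal VDOM, link -> WAN with NAT in the External VDOM.
    if not _find(internal, "firewall policy", srcintf=lan_if, dstintf=int_link, action="accept"):
        findings.append(f"Internal VDOM: no accept policy {lan_if} -> {int_link}")
    egress = _find(external, "firewall policy", srcintf=ext_link, dstintf=wan_if, action="accept")
    if egress is None:
        findings.append(f"External VDOM: no accept policy {ext_link} -> {wan_if}")
    elif egress.get("nat") != ["enable"]:
        findings.append(f"External VDOM: policy {ext_link} -> {wan_if} does not enable NAT")
    return findings

def run_checks():
    # Check the constructed sample; returns [] because the two halves are consistent.
    return check_inter_vdom(parse_fortios(INTERNAL_VDOM_CFG), parse_fortios(EXTERNAL_VDOM_CFG))
```

Feed it the output of show from each VDOM in place of the embedded samples. An empty list means the two halves agree; each finding names the VDOM and the missing or mismatched route or policy. The first check also ties back to the Expectations section: an unnumbered or half numbered link end is reported, because a policy with set nat enable cannot translate without an address on both ends.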
Verification
Validate the connection between the VDOMs using the inter-VDOM link IP addresses:
From Internal VDOM:
# execute ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1): 56 data bytes
64 bytes from 10.10.10.1: icmp_seq=0 ttl=255 time=0.3 ms
64 bytes from 10.10.10.1: icmp_seq=1 ttl=255 time=0.2 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=255 time=0.2 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=255 time=0.2 ms
64 bytes from 10.10.10.1: icmp_seq=4 ttl=255 time=0.2 ms
--- 10.10.10.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.3 ms
From External VDOM:
# execute ping 10.10.10.2
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2: icmp_seq=0 ttl=255 time=0.4 ms
64 bytes from 10.10.10.2: icmp_seq=1 ttl=255 time=0.2 ms
64 bytes from 10.10.10.2: icmp_seq=2 ttl=255 time=0.2 ms
64 bytes from 10.10.10.2: icmp_seq=3 ttl=255 time=0.2 ms
64 bytes from 10.10.10.2: icmp_seq=4 ttl=255 time=0.2 ms
--- 10.10.10.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.4 ms
Validate the connection from the Internal LAN (Internal VDOM) to the Internet:
# execute ping-options source 10.254.0.1
(Internal_VD) # execute ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2): 56 data bytes
64 bytes from 4.2.2.2: icmp_seq=0 ttl=55 time=54.3 ms
64 bytes from 4.2.2.2: icmp_seq=1 ttl=55 time=54.1 ms
64 bytes from 4.2.2.2: icmp_seq=2 ttl=55 time=57.0 ms
64 bytes from 4.2.2.2: icmp_seq=3 ttl=55 time=55.2 ms
64 bytes from 4.2.2.2: icmp_seq=4 ttl=55 time=53.5 ms
--- 4.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 53.5/54.8/57.0 ms
Copyright 2024 Fortinet, Inc. All Rights Reserved.