Friday, February 23, 2018

Inter-VDOM routing



In this example we will be setting up inter-VDOM links between a VDOM named "root" and another VDOM named "untrust". This will allow bidirectional traffic to traverse the 2 VDOMs without any additional cabling.

Prerequisites:

  • Tested on FortiOS 6
  • VDOMs created
  • Links up


Process:

  • Configure interfaces
  • Configure policies
  • Configure static routes





### Interfaces
config global
config system interface
    edit "internal1"
        set vdom "root"
        set ip 10.0.0.254 255.255.255.0
  set allowaccess ping https #This is your choice
        set type physical
    next
    edit "internal2"
        set vdom "untrust"
        set ip 192.168.1.254 255.255.255.0
        set allowaccess ping https  #This is your choice
        set type physical
    next
    edit "root-to-un0"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.252
        set allowaccess ping
        set type vdom-link
    next
    edit "root-to-un1"
        set vdom "untrust"
        set ip 10.10.10.2 255.255.255.252
        set allowaccess ping
        set type vdom-link
    next
end
end

config vdom
edit root
### Policies
config firewall policy
    edit 1                         
        set name "int1-to-root-to-un0"
  set srcintf "internal1"     #this is your WAN intf
        set dstintf "root-to-un0"
        set srcaddr "all"           #Do not leave as all. Lock down.
        set dstaddr "all"           #Do not leave as all. Lock down.
        set action accept
        set schedule "always"
        set service "ALL"           #Do not leave as all. Lock down.
        set logtraffic disable
    next
    edit 2                         
        set name "root-to-un0-to-int1"
  set srcintf "root-to-un0"
        set dstintf "internal1"     #this is your WAN intf
        set srcaddr "all"           #Do not leave as all. Lock down.
        set dstaddr "all"           #Do not leave as all. Lock down.
        set action accept
        set schedule "always"
        set service "ALL"           #Do not leave as all. Lock down.
        set logtraffic disable
    next
    end
    ### Static Routes
    config router static
    edit 1
        set dst 192.168.1.0 255.255.255.0
        set gateway 10.10.10.2      #This is the OPPOSITE side of the VLink
        set device "root-to-un0"
    next
    end
    end

config vdom
edit untrust
### Policies
config firewall policy
    edit 1                         
        set name "int1-to-root-to-un0"
  set srcintf "internal2"     #this is your WAN intf
        set dstintf "root-to-un1"
        set srcaddr "all"           #Do not leave as all. Lock down.
        set dstaddr "all"           #Do not leave as all. Lock down.
        set action accept
        set schedule "always"
        set service "ALL"           #Do not leave as all. Lock down.
        set logtraffic disable
    next
    edit 2                         
        set name "root-to-un0-to-int1"
  set srcintf "root-to-un1"
        set dstintf "internal2"     #this is your WAN intf
        set srcaddr "all"           #Do not leave as all. Lock down.
        set dstaddr "all"           #Do not leave as all. Lock down.
        set action accept
        set schedule "always"
        set service "ALL"           #Do not leave as all. Lock down.
        set logtraffic disable
    next
    end
    ### Static Routes
    config router static
    edit 1
        set dst 10.0.0.0 255.255.255.0
        set gateway 10.10.10.1      #This is the OPPOSITE side of the VLink
        set device "root-to-un1"
    next
    end
-->
    end

No comments: