Configuring VDOM links
Once VDOMs are configured on your FortiGate unit, configuring inter-VDOM routing and VDOM-links is very much like creating a VLAN interface. VDOM-links are managed through the web-based manager or CLI. In the web-based manager, VDOM link interfaces are managed in the network interface list.
This section includes the following topics:
- Creating VDOM links
- IP addresses and inter-VDOM links
- Deleting VDOM links
- NAT to Transparent VDOM links
Creating VDOM links
VDOM links connect VDOMs together to allow traffic to pass between VDOMs according to firewall policies. Inter-VDOM links are virtual interfaces that are very similar to VPN tunnel interfaces, except that inter-VDOM links do not require IP addresses.
To create a VDOM link, you first create the point-to-point interface, and then bind the two interface objects associated with it to the virtual domains.
In creating the point-to-point interface, you also create two additional interface objects by default. They are called vlink10 and vlink11: the interface name you chose with a 0 or a 1 appended to designate the two ends of the link.
Once the interface objects are bound, they are treated like normal FortiGate interfaces and need to be configured just like regular interfaces.
The assumptions for this example are as follows:
- Your FortiGate unit has VDOMs enabled and you have 2 VDOMs called customer1 and customer2 already configured. For more information on configuring VDOMs see Configuring Virtual Domains.
- You are using a super_admin account.
To configure an inter-VDOM link – web-based manager:
1. Go to Global > Network > Interfaces.
2. Select Create New > VDOM link, enter the following information, and select OK.
Name                      vlink1
                          (The name can be up to 11 characters long. Valid characters are letters, numbers, “-”, and “_”. No spaces are allowed.)
Interface #0
    Virtual Domain        customer1
    IP/Netmask            10.11.12.13/255.255.255.0
    Administrative Access HTTPS, SSL
Interface #1
    Virtual Domain        customer2
    IP/Netmask            172.120.100.13/255.255.255.0
    Administrative Access HTTPS, SSL
To configure an inter-VDOM link – CLI:
config global
    config system vdom-link
        edit vlink1
    end
    config system interface
        edit vlink10
            set vdom customer1
        next
        edit vlink11
            set vdom customer2
    end
end
Once you have created and bound the interface ends to VDOMs, configure the appropriate firewall policies and other settings that you require. To confirm the inter-VDOM link was created, find the VDOM link pair and use the expand arrow to view the two VDOM link interfaces. You can select edit to change any information.
IP addresses and inter-VDOM links
Besides being virtual interfaces, the main difference between inter-VDOM links and regular interfaces is that, by default, inter-VDOM links do not require IP addresses. IP addresses are not required by default because an inter-VDOM link is an internal connection that can be referred to by its interface name in firewall policies and other system references. This gives three possible situations for an inter-VDOM link:
- unnumbered – an inter-VDOM link with no IP addresses for either end of the tunnel
- half numbered – an inter-VDOM link with one IP address for one end and none for the other end
- full numbered – an inter-VDOM link with two IP addresses, one for each end.
Not using an IP address in the configuration can speed up and simplify configuration for you. Also, you will not use up IP addresses in your subnets if you have many inter-VDOM links.
Half or full numbered interfaces are required if you are doing NAT, either SNAT or DNAT, as you need an IP address on both ends to translate between.
You can use unnumbered interfaces in static routing by naming the interface and using 0.0.0.0 for the gateway. Running traceroute will not show the interface in the list of hops. However, you can see the interface when you are sniffing packets, which is useful for troubleshooting.
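To show the unnumbered link in use, here is an added example (not from the original handbook) that supplies the firewall policies mentioned after the link is created and the static routes that name vlink10/vlink11 as the device with gateway 0.0.0.0; the LAN port names internal1/internal2 and the 192.168.10.0/24 and 192.168.20.0/24 subnets are assumed placeholders for the two customers' networks.

```fortios
config vdom
    edit customer1
        config router static
            edit 1
                # constructed: customer2's LAN is reached over the unnumbered link, so no gateway IP is needed
                set dst 192.168.20.0 255.255.255.0
                set device "vlink10"
                set gateway 0.0.0.0
            next
        end
        config firewall policy
            edit 1
                # assumed: internal1 is customer1's LAN port; log the inter-VDOM traffic for visibility
                set srcintf "internal1"
                set dstintf "vlink10"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic all
            next
        end
    next
    edit customer2
        config router static
            edit 1
                set dst 192.168.10.0 255.255.255.0
                set device "vlink11"
                set gateway 0.0.0.0
            next
        end
        config firewall policy
            edit 1
                # assumed: internal2 is customer2's LAN port; this side must accept what arrives on vlink11
                set srcintf "vlink11"
                set dstintf "internal2"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic all
            next
        end
    next
end
```

The "all"/"ALL" address and service objects are used only to keep the example short; in production, narrow srcaddr, dstaddr and service to the specific subnets and services the two VDOMs are meant to exchange, since an inter-VDOM policy is the only control between the two domains.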
Deleting VDOM links
When you delete the VDOM link, the two link objects associated with it will also be deleted. You cannot delete the objects by themselves. The example uses a VDOM routing connection called “vlink1”. Removing vlink1 will also remove its two link objects vlink10 and vlink11.
Before deleting the VDOM link, ensure all policies and other configuration objects that reference the VDOM link are deleted or changed so that they no longer include the VDOM link.
To remove a VDOM link – web-based manager:
1. Go to Global > Network > Interfaces.
2. Select Delete for the VDOM link vlink1.
To remove a VDOM link – CLI:
config global
    config system vdom-link
        delete vlink1
    end
end
NAT to Transparent VDOM links
Inter-VDOM links can be created between VDOMs in NAT mode and VDOMs in Transparent mode, but this must be done through the CLI, as the VDOM link type must be changed from the default PPP to Ethernet for the two VDOMs to communicate. The example below assumes one VDOM is in NAT mode and the other is in Transparent mode.
An IP address must be assigned to the NAT VDOM’s interface, but no IP address should be assigned to the Transparent VDOM’s interface.
To configure a NAT to Transparent VDOM link – CLI:
config global
    config system vdom-link
        edit vlink1
            set type ethernet
    end
    config system interface
        edit vlink10
            set vdom (interface 1 name)
            set ip (interface 1 ip)
        next
        edit vlink11
            set vdom (interface 2 name)
    end
end
The Ethernet type is not recommended for standard NAT to NAT inter-VDOM links, as the default PPP-type link does not require the VDOM link interfaces to have addresses, while the Ethernet type does. VDOM link addresses are explained in IP addresses and inter-VDOM links.