Next Generation Firewall (NGFW)


Is there a way for two vdoms to share a physical interface?

  • 1.  Is there a way for two vdoms to share a physical interface?

    Posted Jan 14, 2021 07:28 PM
    Hello, experts.

    I have something to try with the FGT50E.
    Is it possible for two vdoms to share the same physical interface?
    vdom-A uses physical interfaces LAN1 and LAN2 as "virtual wire pair". Next, vdom-B uses physical interfaces LAN1 and LAN3 as "virtual wire pair".
    In other words, the physical interface LAN1 is shared by different vdoms.
    The configuration looks like this.
    192.168.10.0/24 ---- LAN1 ---- vdom-A ---- LAN2
    192.168.20.0/24 ---- LAN1 ---- vdom-B ---- LAN3
    Is it possible?

    Thank you for reading.


  • 2.  RE: Is there a way for two vdoms to share a physical interface?
    Best Answer

    Posted Jan 15, 2021 08:41 AM

    "virtual wire pair is two dedicated interfaces that have no IP addresses, with all traffic received by one interface being forwarded out the other, controlled by your firewall policies."

    An interface that is used for a virtual wire pair can only be used for that virtual wire pair, so you cannot use it for anything else, including two VDOMs.




  • 3.  RE: Is there a way for two vdoms to share a physical interface?

    Posted Jan 15, 2021 09:07 AM
    For a virtual wire pair, it does not make sense to me.
    But with EMAC VLAN, you can share the same VLAN of the same physical interface with 2 different VDOMs.

    Maybe this could help you figure out another solution for your project.

    https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-networking/Interfaces/Enhanced%20MAC%20VLANs.htm

    Regards,

    Dominik
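As an added illustration of the EMAC VLAN approach Dominik points to (this is not configuration from the thread or from Fortinet's documentation), the following FortiOS CLI fragment creates two EMAC VLAN sub-interfaces with the same VLAN ID on top of lan1 and assigns each to a different VDOM. The VDOM names, VLAN ID 10 and the 192.168.10.1 / 192.168.20.1 addresses are assumed for illustration; the upstream switch must deliver lan1 traffic tagged with that VLAN ID, and this is a route/NAT-mode design with IP addresses, not a virtual wire pair.

```fortios
# Added example: two VDOMs sharing physical interface lan1 via EMAC VLAN.
# Assumed: VDOMs vdom-A and vdom-B already exist (config vdom / edit ...),
# VLAN ID 10 and the 192.168.10.1 / 192.168.20.1 addresses are illustrative.
config global
    config system interface
        # Sub-interface owned by vdom-A, with its own MAC address on lan1
        edit "emac10-A"
            set vdom "vdom-A"
            set type emac-vlan
            set interface "lan1"
            set vlanid 10
            set ip 192.168.10.1 255.255.255.0
            set allowaccess ping
        next
        # Second EMAC VLAN on the same parent and the same VLAN ID, owned by
        # vdom-B. A plain 802.1Q VLAN interface could not reuse VLAN 10 on
        # lan1 this way; EMAC VLAN works because each gets its own MAC.
        edit "emac10-B"
            set vdom "vdom-B"
            set type emac-vlan
            set interface "lan1"
            set vlanid 10
            set ip 192.168.20.1 255.255.255.0
            set allowaccess ping
        next
    end
end
```

Each VDOM still needs its own firewall policies and routes referencing its EMAC VLAN interface; until those exist nothing is forwarded, which is the default-deny behaviour you want while building this out.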


  • 4.  RE: Is there a way for two vdoms to share a physical interface?

    GROUP ADMIN
    Posted Jan 19, 2021 06:19 AM
    Hello atsuo

    There are probably many ways to design this - but please don't go into FortiGate torture - it will end up a bloody hell =)
    Maybe you should consider transparent mode.
    Sharing ports or chaining virtual wire pairs is not properly handled by the FortiGate kernel (due to L2 swapping and CAM table mishandling).

    Can you give us an "anonymized" diagram of the current network infrastructure?
    What goals are you trying to accomplish?
    Did you look at intra-switch policy as well?
    Are you using the remaining ports? LAN4, LAN5 and the WAN ports? Or are they available?
    Do you have a manageable switch on the internal side? Could you set up VLANs, for example?

    If you want to stick with 2 VDOMs, just do the following:
    192.168.10.0/24 ---- LAN1 ---- vdom-A ---- LAN2
    192.168.20.0/24 ---- LAN4 ---- vdom-B ---- LAN3

    I presumed both 192.168.x subnets are broadcast into the same VLAN (or broadcast domain or unmanaged switch).
    Then connect both LAN1 and LAN4 to your internal switch.
    Don't worry, it won't create a spanning tree issue if you have properly broken down the interfaces as L3 interfaces.

    However, with this design, you won't be able to route traffic between 192.168.10.0/24 and 192.168.20.0/24.

    Maxime
    NSE8 and Trainer