Forward-Domain (recommended whenever VLANs are present)

Network requirements

The internal network has two VLANs (trunk environment) whose gateways are on the router. The firewall works in transparent mode and sits between the core switch and the core router. Both VLANs must be allowed to reach the Internet, the two VLANs must be able to reach each other, and both VLANs are to be protected with antivirus scanning enabled.

Network topology

Topology 1: single VLAN pass-through

[topology diagram]

Topology 2: multi-VLAN pass-through with inter-VLAN access

[topology diagram]

Configuration highlights

Topology 1: single VLAN pass-through

  • Basic configuration of the SW switch and the Internet_R router
  • Configure the firewall in transparent mode and enable management access
  • Create the VLAN sub-interfaces on the LAN and WAN interfaces and add them to a forward-domain
  • Configure a security policy allowing internal PCs (hosts in VLAN 10) to access the Internet

Topology 2: multi-VLAN pass-through and inter-VLAN access

  • Basic configuration of the SW switch and the Internet_R router
  • Add the VLAN 20 sub-interfaces on Inside and Outside and add them to a forward-domain
  • Configure a security policy from Inside_VLAN20 to Outside_VLAN20 allowing internal PCs (hosts in VLAN 20) to access the Internet
  • Configure the policies for access between VLAN 10 and VLAN 20

Configuration steps

Topology 1: single VLAN pass-through

  1. Basic configuration of the SW switch and the Internet_R router (Cisco is used as the example).

    SW:

    interface Ethernet0/0
    switchport trunk allowed vlan 1,10
    switchport trunk encapsulation dot1q
    switchport mode trunk
    !
    interface Ethernet0/1
    switchport access vlan 10
    switchport mode access
    !
    

    Router:

    hostname Internet_R
    !
    interface Ethernet0/0
    ip address 192.168.1.99 255.255.255.0
    no shutdown
    ip nat inside
    !
    interface Ethernet0/0.10
    encapsulation dot1Q 10
    ip address 192.168.10.99 255.255.255.0
    no shutdown
    ip nat inside
    !
    interface Ethernet0/1
    ip address 202.100.1.179 255.255.255.0
    no shutdown
    ip nat outside
    !
    ip route 0.0.0.0 0.0.0.0 202.100.1.192
    !        
    access-list 101 permit ip any any
    ip nat inside source list 101 interface Ethernet0/1 overload
    
  2. Configure the firewall in transparent mode and enable management access (see Network Management → Transparent Mode → Legacy Transparent Mode → Enabling a transparent-mode firewall and protecting Internet traffic).

  3. Create the VLAN 10 sub-interfaces on the LAN and WAN interfaces and add them to a forward-domain.

    config system interface
        edit "Inside_VLAN10"
            set vdom "root"
            set alias "LAN_Inside_VLAN10"
            set interface "port1"
            set vlanid 10
        next
        edit "Outside_VLAN10"
            set vdom "root"
            set alias "WAN_Outside_VLAN10"
            set interface "port2"
            set vlanid 10
        next
    end
    
    Note: it is recommended to disable the "Device detection" feature under the interface configuration when it is not needed. This feature identifies device vendor information from MAC addresses and supports MAC address filtering, and it consumes a considerable amount of device resources.

  4. Configure the forward-domain for the Inside_VLAN10 and Outside_VLAN10 interfaces.

    FortiGate_Transparent # config system interface
    FortiGate_Transparent (interface) # edit Inside_VLAN10
    FortiGate_Transparent (Inside_VLAN10) # set forward-domain 10
    FortiGate_Transparent (Inside_VLAN10) # next
    
    FortiGate_Transparent (interface) # edit Outside_VLAN10
    FortiGate_Transparent (Outside_VLAN10) # set forward-domain 10
    FortiGate_Transparent (Outside_VLAN10) # end
    
    Forward-domain explanation: by default all interfaces belong to forward-domain 0, which can be thought of as a single broadcast domain. In FortiGate terms the forward-domain, not the VLAN, is what actually represents the broadcast domain, whereas the usual switching intuition is that VLANs separate broadcast domains. Therefore, whenever VLANs are used, the VLAN ID must be tied to a forward-domain ID; once that is done, FortiGate's transparent mode can be reasoned about with the normal switch mindset of VLANs isolating broadcast domains. The forward-domain is a rather special feature of FGT transparent mode. Remember: whenever a VLAN ID is involved, configure the matching forward-domain ID and no problems will arise.
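    The rule above (every VLAN sub-interface in transparent mode needs a forward-domain ID that matches its VLAN ID, otherwise it stays in forward-domain 0 and shares a broadcast domain with everything else) is easy to violate when interfaces are added one at a time. The following script is an added example, not code from the page or from Fortinet: it reads a `config system interface` block in the CLI syntax shown on this page with a small hand-written parser and reports VLAN interfaces whose forward-domain is missing or does not match, as well as forward-domains that mix several VLAN IDs. The sample configuration embedded in it is constructed for the example and deliberately contains two mistakes.

```python
"""Lint a FortiOS 'config system interface' block for forward-domain mistakes.

Added example (not part of the original page or a Fortinet tool).  It encodes
the rule stated in the text: each VLAN sub-interface used in transparent mode
must carry a forward-domain ID equal to its VLAN ID.  The parser is a minimal
one for the CLI syntax shown on the page.
"""
import re

# Constructed sample: the page's four VLAN sub-interfaces, but with
# Inside_VLAN20 pointed at the wrong forward-domain and Outside_VLAN20 left
# in the default forward-domain 0 (both mistakes the linter must catch).
SAMPLE_CONFIG = """\
config system interface
    edit "Inside_VLAN10"
        set vdom "root"
        set interface "port1"
        set vlanid 10
        set forward-domain 10
    next
    edit "Outside_VLAN10"
        set vdom "root"
        set interface "port2"
        set vlanid 10
        set forward-domain 10
    next
    edit "Inside_VLAN20"
        set vdom "root"
        set interface "port1"
        set vlanid 20
        set forward-domain 10
    next
    edit "Outside_VLAN20"
        set vdom "root"
        set interface "port2"
        set vlanid 20
    next
end
"""


def parse_interfaces(text):
    """Return {name: {setting: value}} for each 'edit ... next' entry."""
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r'set\s+(\S+)\s+(.+)$', line)
        if m and current is not None:
            interfaces[current][m.group(1)] = m.group(2).strip('"')
    return interfaces


def lint_forward_domains(text):
    """Return a sorted list of (subject, problem) tuples; empty means clean."""
    findings = []
    domains = {}  # forward-domain -> set of VLAN IDs seen in it
    for name, settings in parse_interfaces(text).items():
        if "vlanid" not in settings:
            continue  # physical or non-VLAN interface, not covered by the rule
        vlan = int(settings["vlanid"])
        fd = int(settings.get("forward-domain", 0))  # FortiOS default is 0
        if fd == 0:
            findings.append((name, f"vlanid {vlan} but no forward-domain (defaults to 0)"))
        elif fd != vlan:
            findings.append((name, f"vlanid {vlan} but forward-domain {fd}"))
        domains.setdefault(fd, set()).add(vlan)
    # A non-zero forward-domain holding several VLAN IDs bridges those VLANs
    # into one broadcast domain, which is rarely what was intended.
    for fd, vlans in domains.items():
        if fd != 0 and len(vlans) > 1:
            findings.append((f"forward-domain {fd}", f"mixes VLANs {sorted(vlans)}"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, problem in lint_forward_domains(SAMPLE_CONFIG):
        print(f"{subject}: {problem}")
```

    Run it against the output of `show system interface` from the firewall; an empty result means every VLAN sub-interface is in a forward-domain of its own VLAN ID, which is the end state of steps 3 and 4 above.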
  5. Configure a firewall policy allowing internal PCs (hosts in VLAN 10) to access the Internet; note that the VLAN interfaces must be selected here.

Topology 2: multi-VLAN pass-through with inter-VLAN access

  1. Basic configuration of the SW switch and the Internet_R router (Cisco is used as the example).

    SW:

    interface Ethernet0/0
    switchport trunk allowed vlan 1,10,20
    switchport trunk encapsulation dot1q
    switchport mode trunk
    !
    interface Ethernet0/1
    switchport access vlan 10
    switchport mode access
    !
    interface Ethernet0/2
    switchport access vlan 20
    switchport mode access
    !
    

    Router:

    hostname Internet_R
    !
    interface Ethernet0/0
    ip address 192.168.1.99 255.255.255.0
    no shutdown
    ip nat inside
    !
    interface Ethernet0/0.10
    encapsulation dot1Q 10
    ip address 192.168.10.99 255.255.255.0
    no shutdown
    ip nat inside
    !
    interface Ethernet0/0.20
    encapsulation dot1Q 20
    ip address 192.168.20.99 255.255.255.0
    no shutdown
    ip nat inside
    !
    interface Ethernet0/1
    ip address 202.100.1.179 255.255.255.0
    no shutdown
    ip nat outside
    !
    ip route 0.0.0.0 0.0.0.0 202.100.1.192
    !        
    access-list 101 permit ip any any
    ip nat inside source list 101 interface Ethernet0/1 overload
    
  2. Add the VLAN 20 sub-interfaces on Inside and Outside and add them to a forward-domain.

    config system interface
        edit "Inside_VLAN20"
            set vdom "root"
            set alias "LAN_Inside_VLAN20"
            set interface "port1"
            set vlanid 20
        next
        edit "Outside_VLAN20"
            set vdom "root"
            set alias "WAN_Outside_VLAN20"
            set interface "port2"
            set vlanid 20
        next
    end
    
  3. Configure the forward-domain for the Inside_VLAN20 and Outside_VLAN20 interfaces.

    FortiGate_Transparent # config system interface
    FortiGate_Transparent (interface) # edit Inside_VLAN20
    FortiGate_Transparent (Inside_VLAN20) # set forward-domain 20
    FortiGate_Transparent (Inside_VLAN20) # next
    
    FortiGate_Transparent (interface) # edit Outside_VLAN20
    FortiGate_Transparent (Outside_VLAN20) # set forward-domain 20
    FortiGate_Transparent (Outside_VLAN20) # end
    
  4. Configure the Internet-access security policy from Inside_VLAN20 to Outside_VLAN20, allowing hosts in VLAN 20 to access the Internet.

  5. At this point PCs in VLAN 10 and PCs in VLAN 20 can already reach each other; no further policy is needed.

    VLAN interfaces in different forward-domains cannot be configured as the source and destination interfaces of the same security policy. When a PC in VLAN 10 accesses a PC in VLAN 20 (192.168.10.10 → 192.168.20.10), the traffic passes through the FortiGate twice:
    • The traffic first goes from Inside_VLAN10 to Outside_VLAN10 (matching the VLAN 10 Internet-access policy). At this point the FortiGate creates the 192.168.10.10 → 192.168.20.10 (Inside_VLAN10 → Outside_VLAN10) session.
    • At the same time, the FortiGate automatically creates an auxiliary session 192.168.10.10 → 192.168.20.10 (Outside_VLAN20 → Inside_VLAN20), the reflect session of the session just created. When the traffic passes through the FortiGate the second time, it enters from Outside_VLAN20, is sent to Inside_VLAN20 by matching the auxiliary session, and is delivered to the PC in VLAN 20.

Result verification

Topology 1: single VLAN 10 pass-through

  1. A PC in VLAN 10 accesses the Internet through the transparent-mode FortiGate.

Topology 2: multi-VLAN pass-through with inter-VLAN access

  1. A PC in VLAN 20 accesses the Internet.

  2. A PC in VLAN 10 accesses a PC in VLAN 20.

  3. Check the corresponding sniffer capture: the ping request from the VLAN 10 host to the VLAN 20 host enters on Inside_VLAN10 and leaves on Outside_VLAN10, then enters on Outside_Vlan20 and leaves on Inside_VLAN20.

    FortiGate_Transparent # diagnose sniffer packet any "host 192.168.20.10 and icmp" 4
    Using Original Sniffing Mode
    interfaces=[any]
    filters=[host 192.168.20.10 and icmp]
    3.530807 Inside_VLAN10 in 192.168.10.10 -> 192.168.20.10: icmp: echo request
    3.530823 Outside_VLAN10 out 192.168.10.10 -> 192.168.20.10: icmp: echo request
    3.530826 port2 out 192.168.10.10 -> 192.168.20.10: icmp: echo request
    3.531120 Outside_Vlan20 in 192.168.10.10 -> 192.168.20.10: icmp: echo request
    3.531129 Inside_VLAN20 out 192.168.10.10 -> 192.168.20.10: icmp: echo request
    3.531130 port1 out 192.168.10.10 -> 192.168.20.10: icmp: echo request
    
    3.531696 Inside_VLAN20 in 192.168.20.10 -> 192.168.10.10: icmp: echo reply
    3.531703 Outside_Vlan20 out 192.168.20.10 -> 192.168.10.10: icmp: echo reply
    3.531703 port2 out 192.168.20.10 -> 192.168.10.10: icmp: echo reply
    3.531856 Outside_VLAN10 in 192.168.20.10 -> 192.168.10.10: icmp: echo reply
    3.531859 Inside_VLAN10 out 192.168.20.10 -> 192.168.10.10: icmp: echo reply
    3.531859 port1 out 192.168.20.10 -> 192.168.10.10: icmp: echo reply
    
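    The double traversal is easier to confirm when the sniffer lines are grouped per packet instead of read one by one. The script below is an added example, not code from the page or from Fortinet: it parses the verbosity-4 sniffer lines exactly as printed above (the sample embedded in it is the page's own capture), groups them by source, destination and ICMP type, and renders each packet's path as the sequence of VLAN interfaces it crossed, with a `|` marking each new entry into the firewall. The line format it expects is the one shown on this page; ICMP id/seq are not printed at this verbosity, so consecutive lines with the same 5-tuple and type are treated as one packet.

```python
"""Reconstruct per-packet paths through a transparent-mode FortiGate from
'diagnose sniffer packet any "..." 4' output.

Added example (not part of the original page or a Fortinet tool).
"""
import re

# Sample copied from the page's own capture of 192.168.10.10 pinging 192.168.20.10.
SNIFFER_OUTPUT = """\
3.530807 Inside_VLAN10 in 192.168.10.10 -> 192.168.20.10: icmp: echo request
3.530823 Outside_VLAN10 out 192.168.10.10 -> 192.168.20.10: icmp: echo request
3.530826 port2 out 192.168.10.10 -> 192.168.20.10: icmp: echo request
3.531120 Outside_Vlan20 in 192.168.10.10 -> 192.168.20.10: icmp: echo request
3.531129 Inside_VLAN20 out 192.168.10.10 -> 192.168.20.10: icmp: echo request
3.531130 port1 out 192.168.10.10 -> 192.168.20.10: icmp: echo request

3.531696 Inside_VLAN20 in 192.168.20.10 -> 192.168.10.10: icmp: echo reply
3.531703 Outside_Vlan20 out 192.168.20.10 -> 192.168.10.10: icmp: echo reply
3.531703 port2 out 192.168.20.10 -> 192.168.10.10: icmp: echo reply
3.531856 Outside_VLAN10 in 192.168.20.10 -> 192.168.10.10: icmp: echo reply
3.531859 Inside_VLAN10 out 192.168.20.10 -> 192.168.10.10: icmp: echo reply
3.531859 port1 out 192.168.20.10 -> 192.168.10.10: icmp: echo reply
"""

# One sniffer line: timestamp, interface, in/out, src -> dst, ICMP kind.
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+'
    r'(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+(?P<kind>echo request|echo reply)$'
)


def parse_hops(text):
    """Yield (timestamp, iface, direction, src, dst, kind) for each sniffer line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (float(m['ts']), m['iface'], m['dir'], m['src'], m['dst'], m['kind'])


def packet_paths(text, include_physical=False):
    """Group hops by (src, dst, kind) and return {key: [(iface, direction), ...]}.

    port1/port2 are the parent interfaces of the VLAN sub-interfaces; they are
    dropped by default so the path reads as the logical VLAN interface sequence.
    """
    paths = {}
    for _ts, iface, direction, src, dst, kind in parse_hops(text):
        if not include_physical and iface.startswith("port"):
            continue
        paths.setdefault((src, dst, kind), []).append((iface, direction))
    return paths


def firewall_passes(hops):
    """Number of times the packet entered the firewall (one per 'in' hop)."""
    return sum(1 for _iface, direction in hops if direction == "in")


def logical_path(hops):
    """Render hops as 'A -> B | C -> D', one segment per pass through the firewall."""
    segments, current = [], []
    for iface, direction in hops:
        if direction == "in" and current:
            segments.append(" -> ".join(current))
            current = []
        current.append(iface)
    if current:
        segments.append(" -> ".join(current))
    return " | ".join(segments)


if __name__ == "__main__":
    for (src, dst, kind), hops in packet_paths(SNIFFER_OUTPUT).items():
        print(f"{src} -> {dst} ({kind}): {firewall_passes(hops)} pass(es): {logical_path(hops)}")
```

    For the page's capture the request renders as `Inside_VLAN10 -> Outside_VLAN10 | Outside_Vlan20 -> Inside_VLAN20`, i.e. two passes, which is the behaviour step 5 of the configuration describes; a single-VLAN flow would show one segment.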
  4. Check the debug flow for the request direction and the reply direction.

    • The ping request passes through the FortiGate the first time from Inside_VLAN10 to Outside_VLAN10 (matching the VLAN 10 Internet-access policy). At this point the FortiGate creates the 192.168.10.10 → 192.168.20.10 (Inside_VLAN10 → Outside_VLAN10) session.

      Request direction, first pass through the FortiGate:
      id=65308 trace_id=10 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=1, 192.168.10.10:2->192.168.20.10:2048) tun_id=0.0.0.0 from Inside_VLAN10. type=8, code=0, id=2, seq=2879."
      id=65308 trace_id=10 func=init_ip_session_common line=6043 msg="allocate a new session-00000386, tun_id=0.0.0.0"
      id=65308 trace_id=10 func=br_fw_forward_handler line=578 msg="Allowed by Policy-1:"
      id=65308 trace_id=10 func=__if_queue_push_xmit line=392 msg="send out via dev-Outside_VLAN10, dst-mac-aa:bb:cc:00:30:00"
      
    • At the same time, the FortiGate automatically creates an auxiliary session 192.168.10.10 → 192.168.20.10 (Outside_VLAN20 → Inside_VLAN20), the reflect session of the session just created. When the traffic passes through the FortiGate the second time, it enters from Outside_VLAN20, is sent to Inside_VLAN20 by matching the auxiliary session, and is delivered to the PC in VLAN 20.

      Request direction, second pass through the FortiGate:
      id=65308 trace_id=11 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=1, 192.168.10.10:2->192.168.20.10:2048) tun_id=0.0.0.0 from Outside_VLAN20. type=8, code=0, id=2, seq=2879."
      id=65308 trace_id=11 func=resolve_ip_tuple_fast line=5945 msg="Find an existing session, id-00000386, original direction"
      id=65308 trace_id=11 func=br_fw_forward_dirty_handler line=282 msg="auxiliary ses proto=1 dev=19->18 192.168.10.10/2=>192.168.20.10/8"
      id=65308 trace_id=11 func=npu_handle_session44 line=1322 msg="Trying to offloading session from Outside_VLAN20 to Inside_VLAN20, skb.npu_flag=00000400 ses.state=00008200 ses.npu_state=0x00000100"
      id=65308 trace_id=11 func=__if_queue_push_xmit line=392 msg="send out via dev-Inside_VLAN20, dst-mac-00:0c:29:39:f3:ac"
      
    • Traffic in the reply direction matches the auxiliary session and then the main session on its way back.

      Reply direction:
      id=65308 trace_id=12 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=1, 192.168.20.10:2->192.168.10.10:0) tun_id=0.0.0.0 from Inside_VLAN20. type=0, code=0, id=2, seq=2879."
      id=65308 trace_id=12 func=resolve_ip_tuple_fast line=5945 msg="Find an existing session, id-00000386, reply direction"
      id=65308 trace_id=12 func=br_fw_forward_dirty_handler line=282 msg="auxiliary ses proto=1 dev=19->18 192.168.10.10/2=>192.168.20.10/8"
      id=65308 trace_id=12 func=npu_handle_session44 line=1322 msg="Trying to offloading session from Inside_VLAN20 to Outside_VLAN20, skb.npu_flag=00000000 ses.state=00008200 ses.npu_state=0x00000100"
      id=65308 trace_id=12 func=__if_queue_push_xmit line=392 msg="send out via dev-Outside_VLAN20, dst-mac-aa:bb:cc:00:30:00"
      id=65308 trace_id=13 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=1, 192.168.20.10:2->192.168.10.10:0) tun_id=0.0.0.0 from Outside_VLAN10. type=0, code=0, id=2, seq=2879."
      id=65308 trace_id=13 func=resolve_ip_tuple_fast line=5945 msg="Find an existing session, id-00000386, reply direction"
      id=65308 trace_id=13 func=__if_queue_push_xmit line=392 msg="send out via dev-Inside_VLAN10, dst-mac-00:0c:29:ae:55:70"
      
  5. Check the corresponding session: the main session is 192.168.10.10 → 192.168.20.10 (Inside_VLAN10 → Outside_VLAN10), and the auxiliary session carries the reflect marker, Outside_VLAN20 → Inside_VLAN20.

    session info: proto=1 proto_state=00 duration=38 expire=21 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
    state=may_dirty br 
    statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
    tx speed(Bps/kbps): 3/0 rx speed(Bps/kbps): 3/0
    orgin->sink: org pre->post, reply pre->post dev=16->17/17->16 gwy=0.0.0.0/0.0.0.0
    hook=pre dir=org act=noop 192.168.10.10:2->192.168.20.10:8(0.0.0.0:0)
    hook=post dir=reply act=noop 192.168.20.10:2->192.168.10.10:0(0.0.0.0:0)
    misc=0 policy_id=1 pol_uuid_idx=15744 auth_info=0 chk_client_info=0 vd=0
    serial=00000386 tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=0x000100
    no_ofld_reason:  npu-flag-off
    reflect info 0:
    dev=19->18/18->19
    npu_state=0x000100
    npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
    vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
    total reflect session num: 1
    total session 1
    
  6. List the current interfaces; the index of each of the four VLAN interfaces corresponds to the dev values in the session.

    FortiGate # diagnose netlink interface list | grep VLAN
    if=Inside_VLAN10 family=00 type=1 index=16 mtu=1500 link=0 master=0
    if=Outside_VLAN10 family=00 type=1 index=17 mtu=1500 link=0 master=0
    if=Inside_VLAN20 family=00 type=1 index=18 mtu=1500 link=0 master=0
    if=Outside_VLAN20 family=00 type=1 index=19 mtu=1500 link=0 master=0
    
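    Matching the `dev=16->17/17->16` and reflect `dev=19->18/18->19` pairs against the interface list by hand is error-prone on a box with many VLAN sub-interfaces. The script below is an added example, not code from the page or from Fortinet: it parses the `diagnose netlink interface list` and `diagnose sys session list` excerpts shown above (both samples are copied from the page), resolves every `dev=` index to an interface name, checks that each pair's reply direction mirrors its original direction, and reports whether the reflect session bridges a different interface pair than the main session, which is the signature of the inter-VLAN case described in steps 5 and 6.

```python
"""Resolve the 'dev=' interface indices of a FortiGate session entry to names.

Added example (not part of the original page or a Fortinet tool).  Only the
fields visible on the page are parsed.
"""
import re

# Both samples are copied from the page's own command output.
NETLINK_LIST = """\
if=Inside_VLAN10 family=00 type=1 index=16 mtu=1500 link=0 master=0
if=Outside_VLAN10 family=00 type=1 index=17 mtu=1500 link=0 master=0
if=Inside_VLAN20 family=00 type=1 index=18 mtu=1500 link=0 master=0
if=Outside_VLAN20 family=00 type=1 index=19 mtu=1500 link=0 master=0
"""

SESSION_INFO = """\
session info: proto=1 proto_state=00 duration=38 expire=21 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
state=may_dirty br
orgin->sink: org pre->post, reply pre->post dev=16->17/17->16 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 192.168.10.10:2->192.168.20.10:8(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.20.10:2->192.168.10.10:0(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=15744 auth_info=0 chk_client_info=0 vd=0
serial=00000386 tos=ff/ff app_list=0 app=0 url_cat=0
reflect info 0:
dev=19->18/18->19
total reflect session num: 1
"""


def parse_netlink(text):
    """Return {index: interface name} from 'if=NAME ... index=N' lines."""
    table = {}
    for m in re.finditer(r'if=(\S+).*?\bindex=(\d+)', text):
        table[int(m.group(2))] = m.group(1)
    return table


def parse_dev_pairs(text):
    """Return [((org_in, org_out), (reply_in, reply_out)), ...] for every 'dev=A->B/C->D'.

    The first pair is the main session; later pairs appear under 'reflect info'
    and belong to the auxiliary (reflect) sessions.
    """
    pairs = []
    for m in re.finditer(r'dev=(\d+)->(\d+)/(\d+)->(\d+)', text):
        a, b, c, d = (int(x) for x in m.groups())
        pairs.append(((a, b), (c, d)))
    return pairs


def describe_session(session_text, netlink_text):
    """Translate indices to names and sanity-check the session's symmetry."""
    names = parse_netlink(netlink_text)
    pairs = parse_dev_pairs(session_text)
    if not pairs:
        raise ValueError("no dev= pairs found in session dump")

    def label(pair):
        return f"{names.get(pair[0], pair[0])} -> {names.get(pair[1], pair[1])}"

    # The reply direction must be the exact mirror of the original direction
    # for every pair; anything else points at an asymmetric or mis-parsed entry.
    for org, reply in pairs:
        if reply != (org[1], org[0]):
            raise ValueError(f"asymmetric session pair {org}/{reply}")

    main, *reflects = pairs
    return {
        "main": label(main[0]),
        "reflect": [label(r[0]) for r in reflects],
        # True when every reflect session uses a different interface pair
        # than the main session, i.e. the flow was bridged into another
        # forward-domain (the inter-VLAN case on this page).
        "crosses_domains": bool(reflects) and all(r[0] != main[0] for r in reflects),
    }


if __name__ == "__main__":
    print(describe_session(SESSION_INFO, NETLINK_LIST))
```

    On the page's data this yields main `Inside_VLAN10 -> Outside_VLAN10` and reflect `Outside_VLAN20 -> Inside_VLAN20` with `crosses_domains` true; a plain Internet-access session from one VLAN would have no reflect entry at all.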
  7. A PC in VLAN 20 can also access a PC in VLAN 10 normally.

Forward-Domain reference documentation:

https://community.fortinet.com/t5/FortiGate/Technical-Note-Configure-a-FortiGate-unit-in-Transparent-mode/ta-p/194458

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was revised on: 2024-01-03 14:51:24