
Only a policy from the VLAN10 subnet to WAN is needed. The configuration is simple: VLAN-TAG interfaces, Forward-Domain and the other factors that have to be considered in transparent mode can all be ignored.
Topology 2: multi-VLAN passthrough and inter-VLAN access:

1. Basic configuration of the SW switch and the Internet_R router
Added SW configuration:
interface Ethernet0/0
switchport trunk allowed vlan 1,10,20
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/1
switchport access vlan 10
switchport mode access
!
interface Ethernet0/2
switchport access vlan 20
switchport mode access
!
Basic configuration of the Internet_R router:
hostname Internet_R
!
interface Ethernet0/0
ip address 192.168.1.99 255.255.255.0
no shutdown
ip nat inside
!
interface Ethernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.99 255.255.255.0
no shutdown
ip nat inside
!
interface Ethernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.99 255.255.255.0
no shutdown
ip nat inside
!
interface Ethernet0/1
ip address 202.100.1.179 255.255.255.0
no shutdown
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 202.100.1.192
!
access-list 101 permit ip any any
ip nat inside source list 101 interface Ethernet0/1 overload
! lab-only: in production match list 101 against the inside subnets (for example 192.168.0.0 0.0.255.255) instead of permit ip any any
2. Configure the virtual wire pair (Port1 & Port2)
Step 1: with the firewall in route (NAT) mode, create the virtual wire pair directly: add port1 and port2 to the pair and enable wildcard VLAN so that VLAN-tagged traffic is recognised.



The virtual wire pair is now established; port1 and port2 can be regarded as forwarding traffic between each other transparently.
Equivalent CLI:
config system virtual-wire-pair
edit "VWP1"
set member "port1" "port2"
set wildcard-vlan enable // this command is the key: the pair recognises VLAN tags, so in VWP mode there is no need to create matching VLAN interfaces and a Forward-Domain locally, which greatly reduces the amount of policy configuration
next
end
3. Configure a security policy allowing the internal PCs (hosts in VLAN10 and VLAN20) to access the Internet
An extra "IPv4 Virtual Wire Pair Policy" item appears under Policy (if it is not visible, log out of the management session and log back in to the FGT).

In fact, with the two policies above configured the traffic already passes, because the destination of both policies is any, which includes 192.168.20.0/24 and 192.168.10.0/24. For a more specific policy set, configure it like this:
and place these policies at the top of the list so they are matched first:
Only the policies between the VLAN10 and VLAN20 subnets are needed. The configuration is simple: VLAN-TAG interfaces, Forward-Domain and the other factors considered in transparent mode can be ignored.
V. Verification
Topology 1: single VLAN10 passthrough:
A PC in VLAN10 accesses the Internet through the transparent-mode FortiGate:



Topology 2: multi-VLAN (10/20) passthrough and inter-VLAN access:
A PC in VLAN20 accesses the Internet:


A PC in VLAN10 accesses a PC in VLAN20:

FortiGate_VWP # diagnose sniffer packet any "host 192.168.20.10 and icmp" 4
interfaces=[any]
filters=[host 192.168.20.10 and icmp]
6.970084 Inside_VLAN10 in 192.168.10.10 -> 192.168.20.10: icmp: echo request
6.970111 Outside_VLAN10 out 192.168.10.10 -> 192.168.20.10: icmp: echo request
6.970114 port2 out 192.168.10.10 -> 192.168.20.10: icmp: echo request
6.970623 Outside_VLAN20 in 192.168.10.10 -> 192.168.20.10: icmp: echo request
6.970642 Inside_VLAN20 out 192.168.10.10 -> 192.168.20.10: icmp: echo request
6.970643 port1 out 192.168.10.10 -> 192.168.20.10: icmp: echo request
6.971737 Inside_VLAN20 in 192.168.20.10 -> 192.168.10.10: icmp: echo reply
6.971753 Outside_VLAN20 out 192.168.20.10 -> 192.168.10.10: icmp: echo reply
6.971754 port2 out 192.168.20.10 -> 192.168.10.10: icmp: echo reply
6.972072 Outside_VLAN10 in 192.168.20.10 -> 192.168.10.10: icmp: echo reply
6.972078 Inside_VLAN10 out 192.168.20.10 -> 192.168.10.10: icmp: echo reply
6.972080 port1 out 192.168.20.10 -> 192.168.10.10: icmp: echo reply
^C
12 packets received by filter
0 packets dropped by kernel
FortiGate_VWP #
#diagnose debug flow filter addr 192.168.20.10
#diagnose debug flow filter proto 1
#diagnose debug flow show console enable
#diagnose debug flow show function-name enable
#diagnose debug flow trace start 10
#diagnose debug enable
id=20085 trace_id=43 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet(proto=1, 192.168.10.10:1->192.168.20.10:2048) from Inside_VLAN10. type=8, code=0, id=1, seq=247."
id=20085 trace_id=43 func=init_ip_session_common line=5593 msg="allocate a new session-0000244c"
id=20085 trace_id=43 func=br_fw_forward_handler line=577 msg="Allowed by Policy-3:"
id=20085 trace_id=43 func=__if_queue_push_xmit line=393 msg="send out via dev-Outside_VLAN10, dst-mac-aa:bb:cc:00:20:00"
id=20085 trace_id=44 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet(proto=1, 192.168.10.10:1->192.168.20.10:2048) from Outside_VLAN20. type=8, code=0, id=1, seq=247."
id=20085 trace_id=44 func=resolve_ip_tuple_fast line=5508 msg="Find an existing session, id-0000244c, original direction"
id=20085 trace_id=44 func=br_fw_forward_dirty_handler line=330 msg="Found a reflect session: pro=1, 192.168.10.10/1=>192.168.20.10/8, dev=16->15" // note the reflect: when the same ping request enters a second time it is not matched against policy again but against the reflect session
id=20085 trace_id=44 func=__if_queue_push_xmit line=393 msg="send out via dev-Inside_VLAN20, dst-mac-50:00:00:05:00:00"
id=20085 trace_id=45 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet(proto=1, 192.168.20.10:1->192.168.10.10:0) from Inside_VLAN20. type=0, code=0, id=1, seq=247."
id=20085 trace_id=45 func=resolve_ip_tuple_fast line=5508 msg="Find an existing session, id-0000244c, reply direction"
id=20085 trace_id=45 func=br_fw_forward_dirty_handler line=330 msg="Found a reflect session: pro=1, 192.168.20.10/1=>192.168.10.10/0, dev=15->16"
id=20085 trace_id=45 func=__if_queue_push_xmit line=393 msg="send out via dev-Outside_VLAN20, dst-mac-aa:bb:cc:00:20:00"
id=20085 trace_id=46 func=print_pkt_detail line=5428 msg="vd-root:0 received a packet(proto=1, 192.168.20.10:1->192.168.10.10:0) from Outside_VLAN10. type=0, code=0, id=1, seq=247."
id=20085 trace_id=46 func=resolve_ip_tuple_fast line=5508 msg="Find an existing session, id-0000244c, reply direction"
id=20085 trace_id=46 func=br_ipv4_fast_cb line=68 msg="enter fast path"
id=20085 trace_id=46 func=__if_queue_push_xmit line=393 msg="send out via dev-Inside_VLAN10, dst-mac-50:00:00:04:00:00"
FortiGate_VWP # diagnose sys session filter proto 1
FortiGate_VWP # diagnose sys session list
session info: proto=1 proto_state=00 duration=17 expire=43 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=may_dirty br
statistic(bytes/packets/allow_err): org=60/1/1 reply=60/1/1 tuples=2
tx speed(Bps/kbps): 3/0 rx speed(Bps/kbps): 3/0
orgin->sink: org pre->post, reply pre->post dev=13->14/14->13 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 192.168.10.10:1->192.168.20.10:8(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.20.10:1->192.168.10.10:0(0.0.0.0:0)
src_mac=50:00:00:04:00:00
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=00004e96 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
reflect info 0:
dev=16->15/15->16
total reflect session num: 1
total session 1
FortiGate_VWP # diagnose sys device list root
list virtual firewall root info:
ip4 route_cache: table_size=65536 max_depth=1 used=18 total=18
arp: table_size=8 max_depth=1 used=2 total=2
proxy_arp: table_size=256 max_depth=0 used=0 total=0
arp6: table_size=16 max_depth=2 used=2 total=3
proxy_arp6: table_size=256 max_depth=0 used=0 total=0
local table version=00000000 main table version=00000009
vf=root dev=port1 index=3 vrf=0
vf=root dev=port2 index=4 vrf=0
vf=root dev=port3 index=5 vrf=0
vf=root dev=port4 index=6 vrf=0
vf=root dev=root index=7 vrf=0
vf=root dev=root.b index=11 vrf=0
vf=root dev=Inside_VLAN10 index=13 vrf=0
vf=root dev=Outside_VLAN10 index=14 vrf=0
vf=root dev=Inside_VLAN20 index=15 vrf=0
vf=root dev=Outside_VLAN20 index=16 vrf=0
ses=0/0 ses6=0/0 rt=0/0 rt6=0/0
FortiGate_VWP # diagnose sniffer packet any "icmp" 4
interfaces=[any]
filters=[icmp]
2.229734 port2 in 802.1Q vlan#20 P0 (note: for inbound frames that carry a VLAN tag the sniffer cannot display the decoded detail)
2.229767 port1 out 192.168.20.10 -> 192.168.10.10: icmp: echo request
2.230277 port1 in 802.1Q vlan#10 P0
2.230292 port2 out 192.168.20.10 -> 192.168.10.10: icmp: echo request
2.240309 port2 in 802.1Q vlan#10 P0
2.240323 port1 out 192.168.10.10 -> 192.168.20.10: icmp: echo reply
2.240815 port1 in 802.1Q vlan#20 P0
2.240828 port2 out 192.168.10.10 -> 192.168.20.10: icmp: echo reply
2.252111 port2 in 802.1Q vlan#20 P0
#diagnose debug flow filter addr 192.168.20.10
#diagnose debug flow filter proto 1
#diagnose debug flow show console enable
#diagnose debug flow show function-name enable
#diagnose debug flow trace start 10
#diagnose debug enable
id=20085 trace_id=125 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=1, 192.168.20.10:1->192.168.10.10:2048) from port2. type=8, code=0, id=1, seq=37."
id=20085 trace_id=125 func=init_ip_session_common line=5654 msg="allocate a new session-000036a5"
id=20085 trace_id=125 func=br_fw_forward_handler line=539 msg="Allowed by Policy-3:"
id=20085 trace_id=125 func=__if_queue_push_xmit line=417 msg="send out via dev-port1, dst-mac-aa:bb:cc:00:20:00"
id=20085 trace_id=126 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=1, 192.168.20.10:1->192.168.10.10:2048) from port1. type=8, code=0, id=1, seq=37."
id=20085 trace_id=126 func=resolve_ip_tuple_fast line=5569 msg="Find an existing session, id-000036a5, original direction"
id=20085 trace_id=126 func=br_fw_forward_dirty_handler line=318 msg="Found a reflect session: pro=1, 192.168.20.10/1=>192.168.10.10/8, dev=3->4"
id=20085 trace_id=126 func=__if_queue_push_xmit line=417 msg="send out via dev-port2, dst-mac-50:00:00:0c:00:00"
id=20085 trace_id=127 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=1, 192.168.10.10:1->192.168.20.10:0) from port2. type=0, code=0, id=1, seq=37."
id=20085 trace_id=127 func=resolve_ip_tuple_fast line=5569 msg="Find an existing session, id-000036a5, reply direction"
id=20085 trace_id=127 func=br_fw_forward_dirty_handler line=318 msg="Found a reflect session: pro=1, 192.168.10.10/1=>192.168.20.10/0, dev=4->3"
id=20085 trace_id=127 func=__if_queue_push_xmit line=417 msg="send out via dev-port1, dst-mac-aa:bb:cc:00:20:00"
id=20085 trace_id=128 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=1, 192.168.10.10:1->192.168.20.10:0) from port1. type=0, code=0, id=1, seq=37."
id=20085 trace_id=128 func=resolve_ip_tuple_fast line=5569 msg="Find an existing session, id-000036a5, reply direction"
id=20085 trace_id=128 func=__if_queue_push_xmit line=417 msg="send out via dev-port2, dst-mac-50:00:00:04:00:00"
FortiGate_VWP # diagnose sys session filter proto 1
FortiGate_VWP # diagnose sys session list
session info: proto=1 proto_state=00 duration=11 expire=59 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=may_dirty br
statistic(bytes/packets/allow_err): org=660/11/1 reply=660/11/1 tuples=2
tx speed(Bps/kbps): 59/0 rx speed(Bps/kbps): 59/0
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 192.168.20.10:1->192.168.10.10:8(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.10.10:1->192.168.20.10:0(0.0.0.0:0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=00003747 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
vlanid=20 dd_type=0 dd_mode=0
total session 1
VWP forwarding of VLANs, in short:
config system virtual-wire-pair
edit "VWP1"
set member "port1" "port2"
set wildcard-vlan enable // this command is the key: the pair recognises VLAN tags, so in VWP mode there is no need to create matching VLAN interfaces and a Forward-Domain locally, which greatly reduces the amount of policy configuration
next
end
Once wildcard-vlan is enabled on the VWP, you simply configure policies; the other details that differ in transparent mode can be ignored. For networks with VLANs, VWP is far simpler.
Additional notes:
On the vlanforward parameter.
Defaults in a VWP environment:
config system interface
edit "port1"
set vdom "root"
set vlanforward enable // enabled by default
set type physical
set alias "WAN"
set snmp-index 1
next
end
FortiGate_VWP (port1) # next
FortiGate_VWP (interface) # edit port2
FortiGate_VWP (port2) # show
config system interface
edit "port2"
set vdom "root"
set vlanforward enable // enabled by default
set type physical
set alias "LAN"
set snmp-index 2
next
end
However, this parameter has no effect once set wildcard-vlan enable is configured: wildcard-vlan takes precedence over vlanforward.
Summary:
1. With wildcard-vlan enabled, vlanforward has no effect; wildcard-vlan takes precedence, VLAN tags are recognised and the frames are sent up to the FGT CPU for policy processing. This is the recommended configuration. (Recommended)
2. With wildcard-vlan disabled, vlanforward takes effect: VLAN-tagged frames pass straight through the VWP interfaces without matching any policy, i.e. they are bypassed. (Not recommended: the traffic is neither visible nor controllable, which is not what a security device is for.)
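Added example (not FortiGate tooling and not from the original page): a small Python audit that reads the output of show system virtual-wire-pair and show system interface and flags the combination described in point 2 above, wildcard-vlan disabled on a pair whose members still have vlanforward enabled. The sample configuration is constructed from the blocks on this page. Because show omits default values, two defaults are built in: vlanforward defaults to enable (as the page states), and wildcard-vlan is assumed to default to disable.

```python
"""Audit FortiOS 'show' output for VWPs that let VLAN-tagged frames bypass policy.
Added example; the parser handles only the single nesting level these two
tables use, not the full FortiOS config grammar."""
import shlex

# Constructed sample, mirroring the insecure state shown on this page:
# wildcard-vlan disabled on VWP1 while both members keep vlanforward enabled.
SAMPLE_CONFIG = """\
config system virtual-wire-pair
    edit "VWP1"
        set member "port1" "port2"
        set wildcard-vlan disable
    next
end
config system interface
    edit "port1"
        set vdom "root"
        set vlanforward enable
        set type physical
        set alias "WAN"
    next
    edit "port2"
        set vdom "root"
        set vlanforward enable
        set type physical
        set alias "LAN"
    next
end
"""

# Values assumed when a key is absent from 'show' output (which omits defaults).
# vlanforward=enable is stated on the page; wildcard-vlan=disable is an assumption.
DEFAULTS = {"vlanforward": "enable", "wildcard-vlan": "disable"}


def parse_fortios(text):
    """Parse 'config <table> / edit <name> / set <key> <values> / next / end'
    into {table: {entry: {key: [values]}}}. Quoted values are unquoted."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[len("config "):]
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = shlex.split(line[len("edit "):])[0]
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[len("set "):].partition(" ")
            tables[table][entry][key] = shlex.split(rest)
        elif line == "next":
            entry = None
        elif line == "end":
            table = entry = None
    return tables


def setting(attrs, key):
    """Configured value, or the default when the key was not shown."""
    return attrs.get(key, [DEFAULTS[key]])[0]


def audit_vwp(config_text):
    """One finding per virtual wire pair whose tagged traffic is forwarded by
    vlanforward instead of being sent to policy: wildcard-vlan disabled and at
    least one member with vlanforward enabled. Each finding carries the fix."""
    cfg = parse_fortios(config_text)
    pairs = cfg.get("system virtual-wire-pair", {})
    ifaces = cfg.get("system interface", {})
    findings = []
    for name, attrs in pairs.items():
        if setting(attrs, "wildcard-vlan") == "enable":
            continue  # tags are recognised and policy applies; nothing to report
        members = attrs.get("member", [])
        bypassing = [m for m in members
                     if setting(ifaces.get(m, {}), "vlanforward") == "enable"]
        if bypassing:
            findings.append({
                "pair": name,
                "bypassing_members": bypassing,
                "fix": ('config system virtual-wire-pair\n    edit "%s"\n'
                        "        set wildcard-vlan enable\n    next\nend") % name,
            })
    return findings


if __name__ == "__main__":
    for f in audit_vwp(SAMPLE_CONFIG):
        print("%s: tagged frames bypass policy via %s"
              % (f["pair"], ", ".join(f["bypassing_members"])))
        print(f["fix"])
```

Feed it the real show output of both tables; a pair only disappears from the report once set wildcard-vlan enable is present on it, which is exactly the recommended configuration above.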
Let's look at the actual behaviour:
config system virtual-wire-pair
edit "VWP1"
set member "port1" "port2"
set wildcard-vlan disable // wildcard-vlan disabled
next
end
config system interface
edit "port1"
set vdom "root"
set vlanforward enable
set type physical
set alias "WAN"
set snmp-index 1
next
edit "port2"
set vdom "root"
set vlanforward enable
set type physical
set alias "LAN"
set snmp-index 2
next
end
FortiGate_VWP # config firewall policy
FortiGate_VWP (policy) # purge (clear all policies so the device has none)
This operation will clear all table!
Do you want to continue? (y/n)y
FortiGate_VWP (policy) # end
What happens to forwarding?
All VLAN-tagged traffic passes: PCs in VLAN10/20 can reach the Internet, and PCs in VLAN10 and VLAN20 can talk to each other. But the FGT shows no information about it and a sniffer with an IP filter captures nothing: tagged frames are bypassed outright and the VWP does not process them. Untagged frames (VLAN1) are still sent to the FGT CPU for policy matching.
(Untagged VLAN1 traffic is sent to the CPU, so a policy must permit it before it can communicate.)
FortiGate_VWP # diagnose sniffer packet any "host 192.168.20.10" 4
interfaces=[any]
filters=[host 192.168.20.10]
No matching packets are captured, yet the traffic passes.
The tagged frames can in fact be captured when no filter is applied:
FortiGate_VWP # diagnose sniffer packet any "none" 4
interfaces=[any]
filters=[none]
1.189503 port2 in 802.1Q vlan#20 P0
1.475067 port2 in 802.1Q vlan#20 P0
1.475081 port1 out 802.1Q vlan#20 P0
1.475749 port1 in 802.1Q vlan#20 P0
1.475756 port2 out 802.1Q vlan#20 P0
1.568623 port2 in 802.1Q vlan#10 P0
1.568668 port1 out 802.1Q vlan#10 P0
2.211987 port2 in 802.1Q vlan#10 P0
2.226707 port2 in 802.1Q vlan#10 P0
2.226719 port1 out 802.1Q vlan#10 P0
2.246979 port2 in 802.1Q vlan#10 P0
2.246985 port1 out 802.1Q vlan#10 P0
2.248370 port2 in 802.1Q vlan#10 P0
2.248377 port1 out 802.1Q vlan#10 P0
2.356281 port2 in 802.1Q vlan#10 P0
2.356287 port1 out 802.1Q vlan#10 P0
2.357778 port2 in 802.1Q vlan#10 P0
2.357784 port1 out 802.1Q vlan#10 P0
2.468629 port2 in 802.1Q vlan#10 P0
2.468643 port1 out 802.1Q vlan#10 P0
2.489493 port2 in 802.1Q vlan#20 P0
2.489500 port1 out 802.1Q vlan#20 P0
2.490062 port1 in 802.1Q vlan#20 P0
2.490067 port2 out 802.1Q vlan#20 P0
3.290091 port2 in 802.1Q vlan#20 P0
3.502555 port2 in 802.1Q vlan#20 P0
3.502570 port1 out 802.1Q vlan#20 P0
3.503316 port1 in 802.1Q vlan#20 P0
3.503322 port2 out 802.1Q vlan#20 P0
The FGT, with vlanforward in effect, simply does not process the VLAN-tagged frames and bypasses them. (Not a recommended deployment.)
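Added example (not FortiGate tooling and not from the original page): a Python script that reads diagnose sniffer packet ... 4 output and tells inspected traffic apart from bypassed traffic using exactly the difference visible in the two captures above. On the VWP every inbound tagged frame shows only 802.1Q vlan#N; if the matching outbound frame on the other member is decoded to IP, it went through the CPU and policy, and if it is again just 802.1Q vlan#N, it was forwarded by vlanforward without policy. The two sample captures are the ones shown on this page (wildcard-vlan enabled, then disabled); the 5 ms pairing window is an assumption chosen to cover the tens of microseconds between the paired lines.

```python
"""Classify FortiGate sniffer output: which VLANs are inspected, which bypass policy.
Added example; it pairs each inbound frame with the next outbound frame on the
other VWP member and looks at whether that outbound frame was decoded."""
import re
from collections import defaultdict

# Sample capture copied from this page, taken with wildcard-vlan enabled.
CAPTURE_WILDCARD_ENABLED = """\
interfaces=[any]
filters=[icmp]
2.229734 port2 in 802.1Q vlan#20 P0
2.229767 port1 out 192.168.20.10 -> 192.168.10.10: icmp: echo request
2.230277 port1 in 802.1Q vlan#10 P0
2.230292 port2 out 192.168.20.10 -> 192.168.10.10: icmp: echo request
2.240309 port2 in 802.1Q vlan#10 P0
2.240323 port1 out 192.168.10.10 -> 192.168.20.10: icmp: echo reply
2.240815 port1 in 802.1Q vlan#20 P0
2.240828 port2 out 192.168.10.10 -> 192.168.20.10: icmp: echo reply
2.252111 port2 in 802.1Q vlan#20 P0
"""

# Sample capture copied from this page, taken with wildcard-vlan disabled.
CAPTURE_WILDCARD_DISABLED = """\
interfaces=[any]
filters=[none]
1.189503 port2 in 802.1Q vlan#20 P0
1.475067 port2 in 802.1Q vlan#20 P0
1.475081 port1 out 802.1Q vlan#20 P0
1.475749 port1 in 802.1Q vlan#20 P0
1.475756 port2 out 802.1Q vlan#20 P0
1.568623 port2 in 802.1Q vlan#10 P0
1.568668 port1 out 802.1Q vlan#10 P0
2.211987 port2 in 802.1Q vlan#10 P0
2.226707 port2 in 802.1Q vlan#10 P0
2.226719 port1 out 802.1Q vlan#10 P0
2.246979 port2 in 802.1Q vlan#10 P0
2.246985 port1 out 802.1Q vlan#10 P0
2.248370 port2 in 802.1Q vlan#10 P0
2.248377 port1 out 802.1Q vlan#10 P0
2.356281 port2 in 802.1Q vlan#10 P0
2.356287 port1 out 802.1Q vlan#10 P0
2.357778 port2 in 802.1Q vlan#10 P0
2.357784 port1 out 802.1Q vlan#10 P0
2.468629 port2 in 802.1Q vlan#10 P0
2.468643 port1 out 802.1Q vlan#10 P0
2.489493 port2 in 802.1Q vlan#20 P0
2.489500 port1 out 802.1Q vlan#20 P0
2.490062 port1 in 802.1Q vlan#20 P0
2.490067 port2 out 802.1Q vlan#20 P0
3.290091 port2 in 802.1Q vlan#20 P0
3.502555 port2 in 802.1Q vlan#20 P0
3.502570 port1 out 802.1Q vlan#20 P0
3.503316 port1 in 802.1Q vlan#20 P0
3.503322 port2 out 802.1Q vlan#20 P0
"""

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<dev>\S+)\s+(?P<dir>in|out)\s+(?P<rest>.*)$")
TAG_RE = re.compile(r"^802\.1Q vlan#(?P<vid>\d+)")


def parse_line(line):
    """Packet record for one sniffer line, or None for header/junk lines.
    vlan 0 means untagged (native VLAN); decoded means IP detail was printed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest")
    tag = TAG_RE.match(rest)
    return {
        "ts": float(m.group("ts")),
        "dev": m.group("dev"),
        "dir": m.group("dir"),
        "vlan": int(tag.group("vid")) if tag else 0,
        "decoded": tag is None and "->" in rest,
    }


def classify_capture(text, window=0.005):
    """Per ingress VLAN: inspected (paired out frame decoded), bypassed (paired
    out frame still an undecoded 802.1Q frame), unpaired_in (no out frame
    followed: dropped, or the capture ended), unmatched_out (out with no in)."""
    stats = defaultdict(lambda: {"inspected": 0, "bypassed": 0,
                                 "unpaired_in": 0, "unmatched_out": 0})
    pending = None  # last inbound frame still waiting for its outbound twin
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dir"] == "in":
            if pending is not None:
                stats[pending["vlan"]]["unpaired_in"] += 1
            pending = pkt
        elif (pending is not None and pkt["dev"] != pending["dev"]
              and 0 <= pkt["ts"] - pending["ts"] <= window):
            stats[pending["vlan"]]["inspected" if pkt["decoded"] else "bypassed"] += 1
            pending = None
        else:
            stats[pkt["vlan"]]["unmatched_out"] += 1
    if pending is not None:
        stats[pending["vlan"]]["unpaired_in"] += 1
    return dict(stats)


def bypassed_vlans(text):
    """VLAN IDs whose frames crossed the pair undecoded, i.e. without policy."""
    return sorted(v for v, s in classify_capture(text).items() if s["bypassed"])


if __name__ == "__main__":
    for label, cap in (("wildcard-vlan enable", CAPTURE_WILDCARD_ENABLED),
                       ("wildcard-vlan disable", CAPTURE_WILDCARD_DISABLED)):
        print(label, classify_capture(cap), "bypassed:", bypassed_vlans(cap))
```

Run it against a short capture from the device with no filter; any VLAN listed by bypassed_vlans is traffic the firewall is carrying but not policing, which is the condition that set wildcard-vlan enable removes.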
Summary:
Enable wildcard-vlan (set wildcard-vlan enable) so that the FGT recognises VLAN-tagged traffic and every flow, tagged or untagged, is controlled by policy.