How can I share an external WAN interface between two VDOMs? For example, on a 100D, I wish to have two policies under different VDOMs send traffic to my WAN facing interface "wan1".
Short answer: No, I don't think it is possible to share a physical interface between two VDOMs.
For inter-VDOM communication, you can use inter-VDOM routing, i.e., a VDOM-link. You can find full documentation here.
It depends on what you want to achieve. If your goal is to have only one single external interface from the FGT to the internet, you can use the 'Management VDOM' configuration, which works even if you have more than 2 VDOMs. This older doc gives a really good explanation for the Management VDOM:
In the management VDOM configuration, the management VDOM is located between the other VDOMs and the Internet. The other VDOMs connect to the management VDOM with inter-VDOM links, with no other inter-VDOM connections.
In this configuration, the management VDOM has full control over access to the Internet, including what types of traffic are allowed in both directions. There is no communication directly between the non-management VDOMs. Security is greatly increased with only one point of entry and exit. Only the management VDOM needs to be fully managed to ensure network security in this case. Each client network can manage its own configuration without compromising security or bringing down another client network.
This configuration can be used for MSSPs, allowing the service provider to administer the management VDOM with the other VDOMs as managed by their customers. The service provider controls the traffic and can prevent the customers from using banned services and prevent Internet connections from initiating those same banned services. Firewall policies control the traffic between the customer VDOM and the management VDOM and can be customized for each customer.
The management VDOM configuration is limited in that the customer VDOMs have no inter-connections. In many situations, this limitation is ideal because it maintains proper security. However, some situations may require customers to communicate with each other, which would be easier if the customer VDOMs were inter-connected.
One interface cannot be "shared" by multiple VDOMs. You have a couple of options, however.
1. Use a 3rd VDOM
You can put wan1 into a 3rd VDOM and have it be your 'public facing' VDOM. Create Inter VDOM Links (IVL) from this VDOM to your other two VDOMs. Make the IVLs your new "wan" links from each VDOM.
2. Use VLANs
If your upstream provider supports VLANs and you just have a need/want to use WAN1 from a physical perspective, you can keep WAN1 physical interface in root or whatever VDOM, then each VLAN can be in your individual VDOMs.
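Option 1 as an added FortiOS CLI sketch (not from the answer above or Fortinet documentation): wan1 moves into a new public-facing VDOM, one inter-VDOM link connects it to a tenant VDOM, and the public VDOM's policy becomes the only path to wan1, so that one policy set is the single place to control and log everything leaving the box. The VDOM names wan-vdom and vdomA, the link name ivl-a, the 10.255.1.0/30 link addressing, the tenant LAN 192.168.10.0/24 and the upstream gateway 203.0.113.1 are all assumed placeholders.

```fortios
config system vdom
    edit "wan-vdom"
    next
end
# creating vdom-link "ivl-a" yields the interface pair ivl-a0 / ivl-a1
config system vdom-link
    edit "ivl-a"
    next
end
config system interface
    edit "wan1"
        set vdom "wan-vdom"
    next
    edit "ivl-a0"
        set vdom "wan-vdom"
        set ip 10.255.1.1 255.255.255.252
    next
    edit "ivl-a1"
        set vdom "vdomA"
        set ip 10.255.1.2 255.255.255.252
    next
end
# wan-vdom is the only VDOM touching wan1; route 2 lets the RPF check accept tenant sources arriving on ivl-a0
config vdom
    edit "wan-vdom"
        config router static
            edit 1
                set device "wan1"
                set gateway 203.0.113.1
            next
            edit 2
                set dst 192.168.10.0 255.255.255.0
                set device "ivl-a0"
                set gateway 10.255.1.2
            next
        end
        config firewall policy
            edit 1
                set srcintf "ivl-a0"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end
```

wan1 must be freed of routes and policies in its current VDOM before `set vdom` is accepted, and vdomA needs the mirror image: a default route over ivl-a1 to 10.255.1.1 and a policy from its LAN interface to ivl-a1. Repeat the vdom-link, return route and policy for the second tenant VDOM.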