Technical Tip: Configuring Virtual IPs (VIP) mapping different public IP addresses on the same port, to the same real server
Description
This article describes how to configure Virtual IPs (VIPs) that map different public IP addresses, on the same external port, to the same real server and the same TCP port.
The following diagram illustrates this example:
                   wan2
192.168.101.100 == [ FortiGate ] == dmz == Server 10.1.1.1 / TCP port 80
192.168.101.101
external TCP port 8080
- 192.168.101.100 and 192.168.101.101 are the public Virtual IP addresses reachable on wan2, and 8080 is the external TCP port.
- Both public IP addresses reach the same real server, 10.1.1.1 / TCP port 80.
Scope
FortiGate.
Solution
The CLI-based configuration (only relevant parts are provided):
config firewall vip
    edit "public1"
        set extip 192.168.101.100
        set extintf "wan2"
        set portforward enable
        set mappedip 10.1.1.1
        set extport 8080
        set mappedport 80
    next
    edit "public2"
        set extip 192.168.101.101
        set extintf "wan2"
        set portforward enable
        set mappedip 10.1.1.1
        set extport 8080
        set mappedport 80
    next
end
config firewall vipgrp
    edit "all_public"
        set interface "wan2"
        set member "public1" "public2"
    next
end
config firewall policy
    edit 1
        set srcintf "wan2"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all_public"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
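To review what this configuration exposes, the following added example (not Fortinet code and not part of the original article) parses the CLI blocks and lists every public IP:port that a policy forwards to a real server, expanding VIP groups into their members. The function names parse and exposure are hypothetical, and the parser assumes flat config/edit/set blocks without nested config sections.

```python
import shlex
# Constructed sample: the article's configuration, trimmed to the fields read below.
SAMPLE = """config firewall vip
edit "public1"
set extip 192.168.101.100
set mappedip 10.1.1.1
set extport 8080
set mappedport 80
next
edit "public2"
set extip 192.168.101.101
set mappedip 10.1.1.1
set extport 8080
set mappedport 80
next
end
config firewall vipgrp
edit "all_public"
set member "public1" "public2"
next
end
config firewall policy
edit 1
set dstaddr "all_public"
set service "ANY"
next
end"""

def parse(text):
    """Flat config/edit/set blocks -> {section: {entry: {key: [values]}}}."""
    tables, section, entry = {}, None, None
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] == ["config"]:
            section = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[:1] == ["edit"]:
            entry = section.setdefault(tok[1], {})
        elif tok[:1] == ["set"]:
            entry[tok[1]] = tok[2:]
    return tables

def exposure(t):
    """(policy, public ip:port, real ip:port, service) for each VIP a policy references."""
    vips, groups = t.get("firewall vip", {}), t.get("firewall vipgrp", {})
    return [(pid, f'{v["extip"][0]}:{v["extport"][0]}',
             f'{v["mappedip"][0]}:{v["mappedport"][0]}', pol["service"][0])
            for pid, pol in t.get("firewall policy", {}).items()
            for dst in pol.get("dstaddr", [])
            for name in groups.get(dst, {}).get("member", [dst])
            if (v := vips.get(name))]
print(*exposure(parse(SAMPLE)), sep="\n")
```

For the article's configuration the listing has two rows, one per public address, both ending at 10.1.1.1:80 under policy 1. Destinations that are not VIPs or VIP groups are skipped.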