edyrmishi
Staff
May 22, 2026

Technical Tip: How to apply Source NAT (SNAT) to local-out traffic (FortiGuard, DNS) when the WAN interface is assigned a private IP by the ISP
Description

This article describes a scenario in which the FortiGate itself cannot reach FortiGuard services (Web Filter rating lookups, firmware and definition updates, and so on) even though internet access for internal users works.

This is typically seen when the Internet Service Provider (ISP) assigns a private IP address to the WAN interface and requires all traffic to be NATed to a specific public IP address for internet access.

Scope

FortiGate.

Solution

In this setup, internal users reach the internet because the firewall policies they traverse apply NAT. Local-out traffic (traffic originated by the FortiGate itself, such as FortiGuard, DNS and NTP requests) is not evaluated against firewall policies, so no NAT is applied to it: the packets leave the WAN interface with the private WAN address as their source and never reach the public FortiGuard servers.


Non-working scenario:

(diagram not reproduced: 9f09f9e6.png)


To apply NAT to local-out traffic, the FortiGate's own packets must pass through the firewall policy engine as transit traffic. This is achieved with a multi-VDOM design: the management VDOM (root, where local-out traffic originates) is separated from a WAN VDOM that owns the physical WAN interface, and the two are joined by an inter-VDOM link. Packets that the root VDOM sends toward the WAN VDOM arrive there on an interface, so they match a firewall policy with NAT like any other transit traffic.


Working scenario:

(diagram not reproduced: 79f4d5e4.png)


The following steps are performed to implement this solution:

  1. Multi-VDOM mode is activated via the Global configuration.

config system global
    set vdom-mode multi-vdom
end

Verify first that the model supports multi-vdom mode (some entry-level models support only split-task VDOM mode).


  2. A dedicated WAN VDOM is created to handle the external connectivity.

config vdom
    edit WAN
    next
end


  3. The physical WAN interface is moved to the new VDOM.

config global
    config system interface
        edit "port1"
            set vdom "WAN"
        next
    end
end

FortiOS refuses to change the VDOM of an interface that is still referenced elsewhere, so any routes, firewall policies, DHCP servers or other objects in the root VDOM that refer to port1 must be removed first. In this example port2 stays in the root VDOM as the LAN interface.


  4. An inter-VDOM link is established to carry traffic between the root VDOM and the WAN VDOM.

config global
    config system vdom-link
        edit "vlink"
            set type ethernet
        next
    end
    config system interface
        edit "vlink0-0"
            set vdom "root"
            set ip 10.255.255.1 255.255.255.252
        next
        edit "vlink0-1"
            set vdom "WAN"
            set ip 10.255.255.2 255.255.255.252
        next
    end
end

Creating the vdom-link makes FortiOS generate its two interfaces automatically; their names are derived from the vdom-link name, so list the interfaces in the global context and use the names shown there. The remaining steps assume "vlink0-0" on the root side and "vlink0-1" on the WAN side, addressed from the point-to-point subnet 10.255.255.0/30.


  5. Routing is configured in the root VDOM.

A default static route is configured in the root VDOM, pointing to the WAN-side address of the inter-VDOM link. The root VDOM is the management VDOM, so FortiGuard, DNS and NTP packets generated by the FortiGate use its routing table; with this route they leave on vlink0-0 with source address 10.255.255.1, and LAN transit traffic takes the same path.

config vdom
    edit root
        config router static
            edit 1
                set gateway 10.255.255.2
                set device "vlink0-0"
            next
        end
    next
end


Note: The following static routes are configured in the WAN VDOM. Route 1 is the default route toward the ISP gateway (192.168.100.1 in this example). Route 2 is the return route for the LAN subnet behind the root VDOM (10.10.20.0/24 in this example); it is required because LAN packets enter the WAN VDOM on vlink0-1, and the reverse path check drops packets whose source address has no route pointing back out the interface they arrived on.

config vdom
    edit WAN
        config router static
            edit 1
                set gateway 192.168.100.1
                set device "port1"
            next
            edit 2
                set dst 10.10.20.0 255.255.255.0
                set gateway 10.255.255.1
                set device "vlink0-1"
            next
        end
    next
end


  6. A firewall policy with NAT is created in the WAN VDOM.

A policy is defined in the WAN VDOM to allow traffic from the inter-VDOM link to the WAN interface. In this policy, SNAT is enabled using an IP pool that contains the public IP address provided by the ISP.

Because the traffic enters the WAN VDOM via an interface, it is treated as transit traffic rather than local-out traffic, so the firewall policy and its NAT settings apply to the FortiGate's own packets as well as to LAN traffic.

config vdom
    edit WAN
        config firewall ippool
            edit "Public-IP_Provided_from_ISP"
                set startip 203.0.115.10
                set endip 203.0.115.10
            next
        end
        config firewall policy
            edit 1
                set srcintf "vlink0-1"
                set dstintf "port1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
                set ippool enable
                set poolname "Public-IP_Provided_from_ISP"
            next
        end
    next
end

The VDOM name in the edit line must match the VDOM created earlier (WAN); a policy placed in a differently named VDOM cannot reference vlink0-1 or port1. srcaddr "all" is the simplest form; restricting it to the LAN subnet and the root-side link address 10.255.255.1 limits which sources can be translated to the ISP-provided public IP.


Note: On the root VDOM, the following firewall policy is configured to allow LAN to WAN traffic. NAT is deliberately left disabled here: translation to the public IP happens once, in the WAN VDOM policy.

config vdom
    edit root
        config firewall policy
            edit 1
                set srcintf "port2"
                set dstintf "vlink0-0"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end


With this design, the FortiGate's management traffic (FortiGuard, DNS, NTP) leaves port1 with the public IP address from the IP pool, and connectivity to Fortinet services is restored. To verify, capture traffic on port1 from the WAN VDOM while the root VDOM performs a FortiGuard or DNS lookup: the captured packets should carry the public address as their source, and the FortiGuard server status in the root VDOM should return to available.
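The procedure above has several places where a small inconsistency leaves local-out traffic untranslated without any error at configuration time: a policy entered under the wrong VDOM name, an IP pool defined in another VDOM, a root default route whose next hop is not the WAN side of the link, a WAN policy without NAT, or a missing return route that trips the reverse path check. The following script is an added example, not Fortinet code or part of the original article: it parses FortiOS CLI text with a minimal parser and runs those checks over a configuration constructed from the steps above. The LAN interface port2 (10.10.20.1/24) and the ISP-assigned address on port1 (192.168.100.2/24) are assumptions; the checks themselves work on any FortiOS configuration that follows this management VDOM plus WAN VDOM shape.

```python
"""Consistency checks for the inter-VDOM SNAT design above. Added example, not
Fortinet code. parse_fortios() is a minimal parser for FortiOS CLI text and
check_local_out_nat() flags mistakes that silently break the design: policy
interfaces in the wrong VDOM, a missing IP pool, a default route whose next hop
is not the far end of the VDOM link, no NAT policy on the WAN side, and no
return route for the LAN subnet (the reverse path check then drops it)."""
import ipaddress
import shlex

# Constructed from the article. Assumed: port2 is the LAN interface (10.10.20.1/24)
# and port1 carries the ISP-assigned 192.168.100.2/24. ';' joins statements only to
# keep this short; real FortiOS CLI is one statement per line, which is what the
# parser sees after the split.
WORKING_CONFIG = """
config global ; config system interface
edit "port1" ; set vdom "WAN" ; set ip 192.168.100.2 255.255.255.0 ; next
edit "port2" ; set vdom "root" ; set ip 10.10.20.1 255.255.255.0 ; next
edit "vlink0-0" ; set vdom "root" ; set ip 10.255.255.1 255.255.255.252 ; next
edit "vlink0-1" ; set vdom "WAN" ; set ip 10.255.255.2 255.255.255.252 ; next
end ; end
config vdom ; edit root
config router static ; edit 1 ; set gateway 10.255.255.2 ; set device "vlink0-0" ; next ; end
config firewall policy ; edit 1 ; set srcintf "port2" ; set dstintf "vlink0-0" ; set action accept ; next ; end
next ; edit WAN
config router static
edit 1 ; set gateway 192.168.100.1 ; set device "port1" ; next
edit 2 ; set dst 10.10.20.0 255.255.255.0 ; set gateway 10.255.255.1 ; set device "vlink0-1" ; next
end
config firewall ippool ; edit "Public-IP_Provided_from_ISP" ; set startip 203.0.115.10 ; set endip 203.0.115.10 ; next ; end
config firewall policy ; edit 1 ; set srcintf "vlink0-1" ; set dstintf "port1" ; set action accept
set nat enable ; set ippool enable ; set poolname "Public-IP_Provided_from_ISP" ; next ; end
next ; end
"""

def parse_fortios(text):
    """'config X' -> dict keyed 'config X'; 'edit N' -> entry dict; 'set K V..' -> K: [V..].
    A 'config' issued inside an 'edit' entry is stored under that entry (VDOM scoping)."""
    root = {}
    stack = [[root, None]]  # [container, current entry or None]
    for stmt in text.replace(";", "\n").splitlines():
        tokens = shlex.split(stmt)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        container, entry = stack[-1]
        scope = entry if entry is not None else container
        if cmd == "config":
            stack.append([scope.setdefault("config " + " ".join(args), {}), None])
        elif cmd == "edit":
            stack[-1][1] = container.setdefault(args[0], {})
        elif cmd == "set":
            scope[args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return root

def _net(intf):
    ip, mask = intf["ip"]
    return ipaddress.ip_interface(f"{ip}/{mask}").network

def check_local_out_nat(cfg, mgmt="root"):
    """Return a list of findings; an empty list means the design is consistent."""
    out = []
    intfs = cfg["config global"]["config system interface"]
    owner = {n: a.get("vdom", [mgmt])[0] for n, a in intfs.items()}
    by_ip = {a["ip"][0]: n for n, a in intfs.items() if "ip" in a}
    vdoms = cfg["config vdom"]
    # 1. A policy may only reference interfaces and IP pools of its own VDOM.
    for vname, vcfg in vdoms.items():
        pools = vcfg.get("config firewall ippool", {})
        for pid, pol in vcfg.get("config firewall policy", {}).items():
            for key in ("srcintf", "dstintf"):
                for n in pol.get(key, []):
                    if owner.get(n) != vname:
                        out.append(f"{vname}/policy {pid}: {key} {n} is not in vdom {vname}")
            if pol.get("ippool") == ["enable"] and pol.get("poolname", [""])[0] not in pools:
                out.append(f"{vname}/policy {pid}: poolname is not defined in vdom {vname}")
    # 2. Local-out follows the management VDOM's default route, so its next hop must be
    #    the far end of a VDOM link, owned by a VDOM that NATs traffic from that end.
    routes = vdoms.get(mgmt, {}).get("config router static", {}).values()
    default = next((r for r in routes if r.get("dst", ["0.0.0.0"])[0] == "0.0.0.0"), None)
    if default is None:
        return out + [f"{mgmt}: no default route, local-out has no path to the WAN vdom"]
    peer = by_ip.get(default.get("gateway", [""])[0])
    wan = owner.get(peer)
    if peer is None or wan == mgmt:
        return out + [f"{mgmt}: default gateway is not the far end of a VDOM link"]
    wan_cfg = vdoms.get(wan, {})
    if not any(peer in p.get("srcintf", []) and p.get("nat") == ["enable"]
               for p in wan_cfg.get("config firewall policy", {}).values()):
        out.append(f"{wan}: no NAT policy with srcintf {peer}; local-out keeps its private source")
    # 3. Every other subnet of the management VDOM needs a return route in the WAN VDOM
    #    via the link end, otherwise the reverse path check drops its packets on arrival.
    back = {tuple(r["dst"]) for r in wan_cfg.get("config router static", {}).values()
            if "dst" in r and r.get("device", [""])[0] == peer}
    for n, a in intfs.items():
        if owner[n] == mgmt and n != default["device"][0] and "ip" in a:
            net = _net(a)
            if (str(net.network_address), str(net.netmask)) not in back:
                out.append(f"{wan}: no return route for {net} via {peer} (RPF drop)")
    return out

if __name__ == "__main__":
    print(check_local_out_nat(parse_fortios(WORKING_CONFIG)) or "design is consistent")
```

Run it against a configuration exported from the FortiGate (one statement per line, as the CLI prints it) after swapping in the real interface addresses. The parser keeps only what the checks need (tables, entries and set values), so unrelated tables are ignored; the checks are written to explain why each finding breaks local-out NAT rather than merely that a reference is dangling.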