Explicit proxy - outgoing interface based on incoming IP
Hello everyone,
I have multiple public IPs that are all assigned to my WAN1 interface as secondary IPs. I would like to set up an explicit proxy such that if I connect to SecIP-A on port 12345, my public IP becomes one of the SecIPs (not specifically SecIP-A). And if I connect to SecIP-B on port 12345, my public IP becomes one of the SecIPs, but not the same one as with SecIP-A.
Basically the objective is that I'd like to browse internet with all of my public IPs by setting an HTTP proxy, all of that from outside my local network. I describe my research and findings below, any help is appreciated to understand better the issues and potentially finding a solution to achieve the objective. Thanks!
Initial setup
The setup that I initially tried was to configure the explicit proxy on WAN1 (with a whitelist of the allowed IPs to prevent anyone else from using the proxy), and to put all the SecIPs in an IP pool. Then my proxy policy uses the IP pool as the outgoing source IP. The problem is that somehow, no matter which SecIP I connect to, my public IP is always the same. My understanding is that since the public IP of my client is always the same no matter which SecIP:12345 I connect to, the IP pool overload mode will always assign me the same SecIP from the pool (https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/29961/dynamic-snat).
Second setup
To work around the limitation of my client IP always being the same, an article suggested using loopback interfaces. So I created 192.168.3.45 and 192.168.3.46 as loopback interfaces and moved the explicit proxy to these instead of WAN1. Then I added Virtual IPs to forward SecIP-A:12345 and SecIP-B:12345 to those loopback interfaces. Finally, I set up the firewall policies to accept connections on WAN1 -> Loopback and NAT using the outgoing interface address, which in that case should be 192.168.3.45 for SecIP-A and 192.168.3.46 for SecIP-B.
However, the issue stays the same. Looking at the troubleshooting logs:
From there, I understand that SecIP-A is assigned to my client directly without considering the loopback interface. SecIP-C is another public IP in the pool that has been chosen by the algorithm I guess - it's not assigned to any loopback interface at the moment.
id=20085 trace_id=10997 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=6, 13.14.15.20:64849->SecIP-A:12345) from port1. flag [.], seq 2729179222, ack 2785731966, win 2048"
id=20085 trace_id=10997 func=resolve_ip_tuple_fast line=5823 msg="Find an existing session, id-0002231b, original direction"
id=20085 trace_id=10997 func=__ip_session_run_tuple line=3500 msg="DNAT SecIP-A:12345->192.168.3.45:12345"
id=20085 trace_id=10998 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=6, 192.168.3.45:12345-> 13.14.15.20:64849) from local. flag [.], seq 2785732036, ack 2729179257, win 222"
id=20085 trace_id=10998 func=resolve_ip_tuple_fast line=5823 msg="Find an existing session, id-0002231b, reply direction"
id=20085 trace_id=10998 func=__ip_session_run_tuple line=3486 msg="SNAT 192.168.3.45-> SecIP-A:12345"
id=20085 trace_id=10998 func=ipd_post_route_handler line=490 msg="out port1 vwl_zone_id 0, state2 0x0, quality 0.
But from the logs here, I understand that the DNAT/SNAT is properly done between the client IP, the SecIP, and the loopback interface.
I didn't include the logs for SecIP-B, but the results are exactly the same.
References (some of them):
https://forum.fortinet.com/tm.aspx?m=146710&high=explicit+proxy
https://socpuppet.blogspot.com/2017/08/fortigate-explicit-proxy-with.html
http://socpuppet.blogspot.com/2017/08/turn-around-explicit-proxy-on.html
https://forum.fortinet.com/tm.aspx?m=189456&high=explicit+proxy
I'm not experienced with Fortigate devices so feel free to challenge my conclusions - I likely missed some elements. Thank you everyone in advance for your help!
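A repeatable way to run the check the post performs by hand (connect through each SecIP:12345 endpoint and see which public IP the internet observes), as an added example that is not part of the original post and not Fortinet code. It assumes a hypothetical HTTP echo service at ECHO_URL that returns the caller's IP as plain text; the proxy and egress addresses in the simulation are constructed placeholders from the documentation ranges, chosen to mirror the behaviour described above (both endpoints yield the same egress IP).

```python
"""Compare the egress IP observed through each explicit-proxy endpoint.

Added example, not from the original post. ECHO_URL is a hypothetical
IP-echo service; every address below is a constructed placeholder.
"""
import urllib.request
from typing import Callable, Dict, Mapping

# Hypothetical echo service that answers with the caller's public IP as text.
ECHO_URL = "http://ip-echo.example.invalid/"


def egress_ip_via_proxy(proxy: str, echo_url: str = ECHO_URL, timeout: float = 10.0) -> str:
    """Fetch echo_url through the HTTP proxy 'host:port' and return the IP it reports."""
    handler = urllib.request.ProxyHandler(
        {"http": f"http://{proxy}", "https": f"http://{proxy}"}
    )
    opener = urllib.request.build_opener(handler)
    with opener.open(echo_url, timeout=timeout) as resp:
        return resp.read().decode("ascii", "replace").strip()


def compare_egress(
    proxies: Mapping[str, str],
    fetch: Callable[[str], str] = egress_ip_via_proxy,
) -> Dict[str, object]:
    """Query each labelled proxy endpoint and report which labels share an egress IP.

    'fetch' is injectable so the comparison logic can run offline against recorded results.
    """
    egress: Dict[str, str] = {label: fetch(proxy) for label, proxy in proxies.items()}
    # Group labels by the egress IP they produced; any group with >1 label is a collision,
    # i.e. two proxy endpoints that come out on the same public IP.
    by_ip: Dict[str, list] = {}
    for label, ip in egress.items():
        by_ip.setdefault(ip, []).append(label)
    collisions = {ip: labels for ip, labels in by_ip.items() if len(labels) > 1}
    return {
        "egress": egress,
        "all_distinct": not collisions,
        "collisions": collisions,
    }


# Constructed stand-in for the observation in the post: whichever endpoint the client
# connects to, the SNAT pool hands out the same public IP.
OBSERVED_RESULTS = {
    "198.51.100.1:12345": "203.0.113.10",  # SecIP-A endpoint -> egress "SecIP-A"
    "198.51.100.2:12345": "203.0.113.10",  # SecIP-B endpoint -> same egress IP
}


def simulate_observed() -> Dict[str, object]:
    """Run the comparison offline against the constructed results above."""
    endpoints = {"SecIP-A": "198.51.100.1:12345", "SecIP-B": "198.51.100.2:12345"}
    return compare_egress(endpoints, fetch=lambda proxy: OBSERVED_RESULTS[proxy])


if __name__ == "__main__":
    report = simulate_observed()
    for label, ip in report["egress"].items():
        print(f"{label}: egress {ip}")
    if report["all_distinct"]:
        print("OK: every proxy endpoint has its own egress IP")
    else:
        print("Collision:", report["collisions"])
```

Against the live FortiGate, call compare_egress with the real SecIP:12345 endpoints and the default fetch from a host that is on the proxy whitelist; the "collisions" entry then shows exactly which endpoints the overload pool is mapping to one source address.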