looney1977
New Member
June 26, 2017
Question

Issue multiple wan - multiple IP - multiple port forwarding

  • June 26, 2017
  • 1 reply
  • 12930 views

Hi,

I'm quite new in the Fortinet world, and I'm currently facing some difficulties configuring a Fortinet correctly.

It's a Fortinet 80E with release 5.6.

Here is my actual setup:

I've got 3 WAN interfaces configured in a virtual-wan-link.

One of those WAN interfaces has multiple subnets configured because it's also used to accept incoming traffic; it's configured as the second interface in the virtual-wan-link interface.

Outgoing traffic is working fine over the 3 interfaces (failover is working properly).

For my incoming traffic I created all the necessary VIPs and all the policy rules, but my servers aren't responding. I guess it's caused by the default route to the virtual-wan-link. So how can I configure another default route specific to the VIP and this interface when it's used for incoming traffic?

Thanks for your tips.

Dominique

 

 

1 reply

ede_pfau
SuperUser
June 26, 2017

hi,

and welcome to the forums.

Your problem should only occur on incoming traffic, not outgoing from the servers nor reply traffic. Is that right?

I don't see how the default route would influence incoming traffic - maybe you could give us more details on that idea.

Could you please post the config of one VIP, and the WAN link config, from the CLI (in text form)? So we can see the implementation details.

looney1977
New Member
June 26, 2017

Hi Ede,

Thanks a lot for your quick answer.

I actually have a lab running, and I'm trying to work with one VIP for testing:

I've got a WAN emulated network with one device; from this device I'm constantly pinging yy.yyy.yyy.yy1, and I'm also trying to reach port 80 on the yy.yyy.yyy.yy1 address.

I've got a tcpdump running on the destination internal server, but no packets are found on port 80.

I've got a diag sniffer packet on the correct interface; I can see incoming requests on port 80 and ICMP packets, but no replies are emitted.

My suspicion is that the FortiGate answers, but to the incorrect default gateway, which should actually be the multi-wan-link interface (active WAN interface).

Thanks a lot for your time.

Here is the dump you're asking for (sorry, for evident reasons I replaced public IPs by letters):

 

config system interface
    edit "ORANGE_SDSL"
        set vdom "root"
        set ip xx.xxx.xxx.xx1 255.255.255.248
        set allowaccess ping
        set role wan
        set snmp-index 29
        set secondary-IP enable
        set interface "port5"
        set vlanid 61
        config secondaryip
            edit 1
                set ip xx.xxx.xxx.xx2 255.255.255.248
            next
            edit 2
                set ip xx.xxx.xxx.xx3 255.255.255.248
            next
            edit 3
                set ip xx.xxx.xxx.xx4 255.255.255.248
            next
            edit 4
                set ip xx.xxx.xxx.xx5 255.255.255.248
            next
            edit 5
                set ip yy.yyy.yyy.yy1 255.255.255.248
                set allowaccess ping
            next
            edit 6
                set ip yy.yyy.yyy.yy2 255.255.255.248
            next
            edit 7
                set ip yy.yyy.yyy.yy3 255.255.255.248
            next
            edit 8
                set ip yy.yyy.yyy.yy4 255.255.255.248
            next
            edit 9
                set ip yy.yyy.yyy.yy5 255.255.255.248
            next
        end
    next
end

config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 10.75.176.1
        next
        edit 2
            set interface "PROXIMUS_VDSL"
            set gateway 192.168.250.1
        next
        edit 3
            set interface "ORANGE_SDSL"
            set gateway xx.xxx.xxx.xx0
        next
    end
end

config firewall vip
    edit "test-vip-ws002-vm-port-80"
        set uuid bcafc936-5a5f-51e7-acfa-36481a536169
        set extip yy.yyy.yyy.yy1
        set extintf "ORANGE_SDSL"
        set portforward enable
        set mappedip "172.16.2.222"
        set extport 80
        set mappedport 80
    next
end


ede_pfau
SuperUser
June 26, 2017

OK, so you've got a VLAN port, a sub-port of the "port5" physical port, with 9 secondary addresses... didn't know that a VLAN port could have those.

VIP: remove the port forwarding to enable ping across the VIP. You can narrow down the port with service=HTTP in the policy. As ICMP is portless, it will not be forwarded by a port-forwarding VIP (makes sense, right?).

Now, how do you use the sniffer? You should see pings on port "ORANGE_SDSL" and on the DMZ port. That is, requests. Then you should have replies on the DMZ port - so your server has seen the pings and is responding.

To see how the NAT is working, use "diag deb flow" with filters; see the forums for detailed commands. It's one of the most used diag commands after 'sniffer'.

I still can't make out where the routing comes in - what default route does the server have? You could enable NAT in the incoming policy to make the traffic appear as 'internal'. If this helps, your routing is incorrect, but probably not on the FGT.
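The VIP and policy shape ede_pfau describes, written out as an added example in FortiOS 5.6 CLI syntax; this is not configuration from the thread itself. It reuses the VIP name and the masked addresses from the posted config and assumes the internal server sits behind an interface named "dmz" (an assumption, not something the poster stated). The VIP becomes a 1:1 static NAT without port forwarding so that ICMP, which has no port, is translated as well; the exposed services are then restricted in the policy rather than in the VIP. The "set nat enable" line is the diagnostic step suggested in the reply: the server then sees the FortiGate's dmz address as the client, which takes the server's own default route out of the picture. It should be removed again once routing is fixed, otherwise the server never logs the real client address.

```fortios
# Added example (not from the thread): FortiOS 5.6 CLI.
# Assumptions: the server's interface is called "dmz"; "ORANGE_SDSL" is the
# SD-WAN member that owns the secondary IP yy.yyy.yyy.yy1 (from the posted config).

# 1. VIP without port forwarding: a 1:1 static NAT for the external address,
#    so ICMP (which has no port) is translated too and ping reaches the server.
config firewall vip
    edit "test-vip-ws002-vm-port-80"
        set extip yy.yyy.yyy.yy1
        set extintf "ORANGE_SDSL"
        set portforward disable
        set mappedip "172.16.2.222"
    next
end

# 2. Inbound policy: the exposed services are limited here, not in the VIP.
#    srcintf is the SD-WAN member interface that holds the address, not
#    "virtual-wan-link". "set nat enable" is the diagnostic step from the
#    reply (source NAT to the dmz interface address); remove it once the
#    server-side routing is fixed, or the server never sees real client IPs.
config firewall policy
    edit 0
        set name "inbound-ws002-http"
        set srcintf "ORANGE_SDSL"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "test-vip-ws002-vm-port-80"
        set action accept
        set schedule "always"
        set service "HTTP" "PING"
        set nat enable
    next
end

# 3. Verify with the sniffer on all interfaces: requests must appear on
#    ORANGE_SDSL and then on dmz; replies on dmz and then on ORANGE_SDSL.
#    Verbose level 4 prints the interface name per packet, which answers
#    "which way did the reply go".
diagnose sniffer packet any 'host yy.yyy.yyy.yy1 or host 172.16.2.222' 4 0

# 4. Trace the policy, NAT and route decisions for one HTTP flow to the VIP.
diagnose debug reset
diagnose debug flow filter addr yy.yyy.yyy.yy1
diagnose debug flow filter proto 6
diagnose debug flow filter port 80
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 20
# ... send one request from the WAN-side test host, then stop the trace:
diagnose debug flow trace stop
diagnose debug disable
```

In the flow trace, look for the "find a route" and "DNAT"/"SNAT" lines: if the request is translated to 172.16.2.222 and forwarded out dmz, the FortiGate side is working and the missing reply points at the server's own default gateway, which is what the reply above suggests checking.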