Skip to main content
SayZ
SayZ
New Member
November 30, 2018
Question

Issue : NAT Loopback (hairpinning) | WAN Access routed mode

  • November 30, 2018
  • 1 reply
  • 6065 views

Hello everybody, 

 

I am currently experiencing a problem that is quite blocking for me. I will present the context and the manifestation of the incident.

 

Context WAN : 

 

--2 WANs access : 

- WAN1 : ADSL PPOE --> IP Public know by fortinet 

- WAN2 : 1 VDSL routed mode with the provider modem (No other choice with this provider) --> IP Public unknown by forti (Just Private subnet of routing, and 2 interfaces)

 

After i have been applied this process : https://cookbook.fortinet.com/using-hairpinning/. The hairpinning works great for the 

ADSL (IP Public on the interface WAN1).

 

Issue : On the WAN2, the NAT loopback can't work because the forti can't map the interface with the real @IP_Public (my opinion)

 

Question : 

Is there a way to tag the real @IP_Public on the WAN2 without changing interconnect mode (routed with modem) ?

Or an another process to bypass this issue and permit loopback on the 2 WANs ? 

 

We have considered the solution using DNS cheating on the internal DNS, but may be a source of others problem.. 

 

 

Thanks you in advance for yor help, 

 

Have a nice Day

Brice 

 

 

 

 

1 reply

SayZ
SayZAuthor
New Member
December 5, 2018

Problem solved :

On FortiOS 6.0, there is function for add a "second adress" on a gateway.

This function is accessible in "Network > Interface > [WAN_Int]

It works with the NAT Loopback. (Test with FTP)

 

coskun_ist
coskun_ist
New Member
December 15, 2019

hello

i have same issue 

can you explaint ,how to you resolved this problem

SayZ
SayZAuthor
New Member
December 19, 2019

Hi,    To solve issue u just need to create 2 virtual IP, on with external public address, and the other with the external routed address. In fact the forti used the second VIP for NAT Loopback and the first VIP is used by the real PAT One example is more simple :    WAN interface forti : 192.168.0.200    1. First VIP (classical)   interface : any  external : 192.168.0.200 internal : X.X.X.X  Port source & port dest

2. Second VIP with the external public address   interface : any  external : 82.178.23.25 (for example) internal : X.X.X.X  Port source & port dest   3. Combine the two VIPs on a inbound policy     Have a nice day

Terms & ConditionsAccessibility statement