myrdin
New Member
November 25, 2015
Question

Issue with port forwarding

  • November 25, 2015
  • 2 replies
  • 7723 views

Hi,

I am running the latest version of FortiOS. I had this issue on both a 60D and a 100D.

This is the issue:

- I want to port forward, for example, 3389 public to an internal host. With 3389 everything works. In fact, with any STANDARD port it seems to work. So I create a VIP 3389 to 3389, and a firewall rule with the VIP as destination, and service 3389.

- If I do the same with port translation because 3389 is already used, it does not work. I set the VIP with translation from 3390 to 3389, and a firewall rule to point to the VIP, then service set to 3390.

Debug shows that I hit the DNAT (I can see the translation happening), but then I hit the default deny policy.

I have opened a ticket with Fortinet, and they said I need to set the service to ALL and the VIP will take care of filtering the port. This for me is a horrible solution, and I don't understand why with 3389 it works. I have triple-checked the custom service 3390 and it is exactly configured as the 3389 one.

Thoughts?

Thanks

    2 replies

    MattM
    New Member
    November 25, 2015

    I'd agree with support on that. The VIP does the port filtering for you, so you don't need to do it again in the firewall rule.

    If it is important to you, though, you can still do it. Just remember that you are using two different ports: 3389 and 3390. You must allow both in the firewall rule and it should work. I tested this with port 33333 forwarded to 3389. With just custom service TCP 33333 listed as a service in the firewall rule it doesn't work. With 33333 and RDP listed as services I am able to connect. Of course, with All as the service in the firewall rule it also works.

    Matt

    myrdin (Author)
    New Member
    November 25, 2015

    Now, I might disagree on that. The firewall should see only traffic hitting 3390, not 3389. Then the firewall does the translation to 3389, but that is internal. If I am putting a rule on the ext interface to allow 3390, that should be it; I shouldn't allow 3389 as well.

    From a firewall, when I see the firewall table it should be very clear what is allowed and what is not; this way I am obliged to double-check firewall AND VIPs, which is very confusing.

    neonbit
    New Member
    November 26, 2015

    You shouldn't need an ALL policy. For the firewall policy your service port needs to only be the destination port used in the VIP.

    For your example that uses the VIP translation from 3390 to 3389, the firewall policy should have the service as 3389, not 3390.

    I've tested this in the lab using VNC and it works fine. My VNC VIP translates 59001 > 59000. My policy that references the VIP only has port 59000 as the service. I'm able to connect to the VNC server using 59001. There is no requirement for me to add 59001 or ALL to the firewall service.

    gschmitt
    New Member
    November 26, 2015

    myrdin wrote:

    I have opened a ticket with Fortinet, and they said I need to set the service to ALL and the VIP will take care of filtering the port. This for me is a horrible solution, and I don't understand why with 3389 it works. I have triple-checked the custom service 3390 and it is exactly configured as the 3389 one.

    Try setting the service to your custom 3390 Port AND RDP

    ede_pfau
    SuperUser
    November 26, 2015

    No need for all this confusion - NAT is processed before policy matching. So you need to specify the "real" service which you connect to using a non-standard port.

    If you look at it from an inside perspective, the firewall policies show the services (destination ports) actually used within the network, no matter what fancy ports are used from outside.

    Finally, if you look at the reply traffic it makes sense that RDP traffic on port 3389 is called "RDP" and accepted by a policy with service "RDP".
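The ordering neonbit and ede_pfau describe (VIP/DNAT first, then policy lookup on the already-translated destination) is what decides the original poster's outcome. The following Python model is an added illustration and is not FortiOS code or anything posted in this thread; the VIP names, policy names and RFC 5737 addresses in it are constructed for the example. It replays the cases the replies mention: a same-port VIP with service 3389, the translated VIP with service 3390 (hits DNAT, then falls to the implicit deny), the translated VIP with service 3389, the "3390 AND RDP" variant MattM tested, and service ALL.

```python
"""Toy model of the FortiGate packet flow the replies describe.

Constructed illustration, not FortiOS code: a packet is first matched
against the VIP table (DNAT), and only the translated packet is then
matched against the policy table. All names and addresses are invented.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Vip:
    """A port-forwarding VIP: external ip:port -> mapped ip:port."""
    name: str
    ext_ip: str
    ext_port: int
    mapped_ip: str
    mapped_port: int


@dataclass(frozen=True)
class Policy:
    """A firewall policy whose destination address object is a VIP.

    services holds (proto, port) pairs; an empty set stands for ALL.
    """
    name: str
    dst_vip: str
    services: frozenset


def apply_dnat(pkt: Packet, vips: list) -> tuple:
    """Step 1: DNAT. Return (translated packet, matched VIP or None)."""
    for vip in vips:
        if pkt.dst_ip == vip.ext_ip and pkt.dst_port == vip.ext_port:
            return Packet(pkt.src_ip, vip.mapped_ip, vip.mapped_port, pkt.proto), vip
    return pkt, None


def match_policy(pkt: Packet, vip: Optional[Vip], policies: list) -> Optional[Policy]:
    """Step 2: first-match policy lookup on the *translated* packet."""
    for pol in policies:
        if vip is None or pol.dst_vip != vip.name:
            continue
        if pol.services and (pkt.proto, pkt.dst_port) not in pol.services:
            continue
        return pol
    return None  # no match: falls through to the implicit deny


def evaluate(pkt: Packet, vips: list, policies: list) -> str:
    translated, vip = apply_dnat(pkt, vips)
    pol = match_policy(translated, vip, policies)
    return "implicit-deny" if pol is None else f"accept:{pol.name}"


def tcp(*ports: int) -> frozenset:
    return frozenset(("tcp", p) for p in ports)


def thread_scenarios() -> dict:
    """Replay the cases discussed in the thread (constructed addresses)."""
    vip_same = Vip("VIP_3389", "203.0.113.10", 3389, "192.0.2.50", 3389)
    vip_xlat = Vip("VIP_3390", "203.0.113.10", 3390, "192.0.2.50", 3389)
    vips = [vip_same, vip_xlat]

    client = "198.51.100.7"
    to_3389 = Packet(client, "203.0.113.10", 3389)
    to_3390 = Packet(client, "203.0.113.10", 3390)

    return {
        # standard port: ext port == mapped port, so service 3389 matches
        "vip3389_service3389": evaluate(to_3389, vips, [Policy("p1", "VIP_3389", tcp(3389))]),
        # translated VIP with service 3390: DNAT hits, then the policy misses
        "vip3390_service3390": evaluate(to_3390, vips, [Policy("p2", "VIP_3390", tcp(3390))]),
        # translated VIP with service 3389 (the mapped port): accepted
        "vip3390_service3389": evaluate(to_3390, vips, [Policy("p3", "VIP_3390", tcp(3389))]),
        # 3390 AND 3389 (MattM's test): accepted because 3389 is in the set
        "vip3390_service_both": evaluate(to_3390, vips, [Policy("p4", "VIP_3390", tcp(3390, 3389))]),
        # service ALL: accepted, but the policy no longer states the port
        "vip3390_service_all": evaluate(to_3390, vips, [Policy("p5", "VIP_3390", frozenset())]),
    }


if __name__ == "__main__":
    for case, result in thread_scenarios().items():
        print(f"{case:24s} -> {result}")
```

The model deliberately ignores interfaces, source addresses, schedules and source-port ranges so that only the order of DNAT and policy matching is visible; the point it makes is that a policy referencing a port-translating VIP is evaluated against the mapped (internal) port, which is why service ALL "works" at the cost of a policy table that no longer tells you what is actually allowed.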