dan231
New Member
April 28, 2017
Question

Looking for help with a hairpin route/policy

Setup:
  • Internal MS Exchange Server
  • FortiWIFI (vlan'd from the internal network for guest access to the Internet)
  • Fortigate FW
  • iPhone with ActiveSync email access to MS Exchange

  Internet = WAN1
  Internal Network = WAN2
  Public-WIFI = VLAN on WAN2
  VIP = External IP --> Mail server (any int)

I have all my routes and policies set up so from my iPhone I can get WIFI internet AND not see any internal devices. The problem is that I cannot get email access on my iPhone. I now have a hairpin that I believe should work but doesn't. From my iPhone, I can ping my mail server by name, but a tracert stops at the first hop: the FortiWIFI.

Current Hairpin policy: Public-WIFI (VLAN on WAN2) --> WAN2 (internal) with Destination of my VIP

I've been stuck at this for over a week and I can't wrap my head around this. I have a support ticket open and have reviewed the Fortigate docs on hairpin set.

    2 replies

    rwpatterson
    New Member
    April 28, 2017

    What are the services in this hairpin policy?

    dan231 (Author)
    New Member
    April 28, 2017

    Source = ALL

    Services = ALL

    NAT = OFF

    Carl_Wallmark
    New Member
    April 28, 2017

    config firewall policy
        edit <policy ID>
            set match-vip enable
    end
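A fuller version of that hairpin policy, added here as an example and not Carl_Wallmark's or dan231's own configuration: it uses the interface names from the question, while the policy name and the VIP object name "Mail-VIP" are assumed placeholders. The diagnose commands after it show whether the iPhone's outbound SYN is actually seen crossing the FortiWIFI, which is the first thing to confirm before reading a "no session matched" on the reply.

```text
# Hairpin policy from the guest VLAN to the Exchange VIP (FortiOS CLI).
# Public-WIFI and WAN2 are the interface names from the question; the
# policy name and the VIP object "Mail-VIP" are assumed placeholders.
config firewall policy
    edit 0
        set name "Guest-to-Mail-VIP"
        set srcintf "Public-WIFI"
        set dstintf "WAN2"
        set srcaddr "all"
        set dstaddr "Mail-VIP"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set match-vip enable
        set nat disable
        set logtraffic all
    next
end

# Verify the forward direction first: the iPhone's SYN to the VIP must
# arrive on Public-WIFI, otherwise no session exists for the reply.
# 192.168.201.3 is the iPhone address given later in this thread.
diagnose sniffer packet any 'host 192.168.201.3 and port 443' 4

# Per-packet policy and route decisions for the same host; stop the
# trace and clear the filter when done.
diagnose debug flow filter addr 192.168.201.3
diagnose debug flow show console enable
diagnose debug flow trace start 100
diagnose debug enable
# ... reproduce the ActiveSync connection from the iPhone here ...
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
```

The question's policy used Services = ALL; the example narrows it to HTTPS because that is the only port ActiveSync needs here, and a narrower service makes the flow trace easier to read.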


    localhost
    Visitor III
    April 28, 2017

    Your policies do look fine to me as well - if your configuration really matches your description.


    dan231 wrote:

    From my iPhone, I can ping my mail server by name, but a tracert stops at the first hop: the FortiWIFI.


    Do the ping packets really go out to your mail server? Have you confirmed this by sniffing on the Fortigate?

    What happens to the HTTPS packets?

    dan231 (Author)
    New Member
    April 28, 2017

    localhost wrote:

    Do the ping packets really go out to your mail server? Have you confirmed this by sniffing on the Fortigate?

    What happens to the HTTPS packets?

    When I do sniffer traffic with my iPhone IP, I see no traffic listed.

    dan231 (Author)
    New Member
    April 28, 2017

    2017-04-28 10:13:15 id=20085 trace_id=137 func=print_pkt_detail line=4793 msg="vd-root received a packet(proto=6, MailserverIP:443->192.168.201.3:52631) from internal. flag [S.], seq 1020708212, ack 2966908897, win 8192"
    2017-04-28 10:13:15 id=20085 trace_id=137 func=vf_ip_route_input_common line=2586 msg="find a route: flag=04000000 gw-192.168.201.3 via Guest WiFi"
    2017-04-28 10:13:15 id=20085 trace_id=137 func=fw_forward_dirty_handler line=324 msg="no session matched"
    This is from my FortiWIFI. 192.168.201.3 is my iPhone. Does this state it can't route back from my mail server to my vlan?