cwjones
New Member
October 4, 2016
Solved

Multiple IP forwarding


Multiple incoming static IPs @ WAN1, forwarding to specific servers. VIPs / VGroup / Port Forwarding set up (No NAT), and forwarding works internally using secondary IP (can connect to web server), but can't access from outside... times out. My experience with this is limited, so I am not prone to experiment too much.. ;)

 

Read somewhere that specifying a secondary IP on the WAN1 interface should not be necessary, is that true? That's the only idea I have left, so if that's not it, maybe someone can point me in the right direction..

 

Thanks!

CW Jones

    yckoh (Answer)
    New Member
    October 5, 2016

    cwjones wrote:

    Multiple incoming static IPs @ WAN1, forwarding to specific servers. VIPs / VGroup / Port Forwarding set up (No NAT), and forwarding works internally using secondary IP (can connect to web server), but can't access from outside... times out. My experience with this is limited, so I am not prone to experiment too much.. ;)

     

    Read somewhere that specifying a secondary IP on the WAN1 interface should not be necessary, is that true? That's the only idea I have left, so if that's not it, maybe someone can point me in the right direction..

     

    Thanks!

    CW Jones

    You do not need to specify a secondary IP for VIP configuration. However, you need to make sure that you have set up the policy from outside to inside. For the destination address, select the VIP that you have created.

    YC

    ede_pfau
    SuperUser
    October 5, 2016

    The way to use multiple public IPs is to create a VIP for each and to create 'wan' -> 'internal' policies, one for each VIP. You could use a VIP group if all forwarded services ('service' field in the policy) are the same.

     

    If I understand your post correctly you've done just this. How did you test it? Remember you cannot use ping to test a port-forwarding VIP, only the service on that port is serviced.

     

    The FGT will proxy-arp for each VIP, and use the translation defined by it to source-NAT traffic in the other direction, from (internal) server to outside.

    If you still have problems, post the VIP config for one VIP and its policy.

    cwjones (Author)
    New Member
    October 5, 2016

    As far as I can tell, yes, I have done the steps correctly.

    Testing - I can reach the server from inside the lan using the public IP.. it is forwarded to that server. However from outside, I cannot (from my phone sans wifi, or from home).

     

     

    I did create a Firewall Address policy -  

    Incoming - wan1

    Source - all

    Outgoing - internal

    Destination - VIP Group 

    Schedule - always

    Service - Service group (+HTTP / HTTPS/ SSH just in case)

    Accept

     

    Group elements are typically

    VIP - WebAccess80

    External - wan1

    Type Static NAT

    IP Range - public_IP

    Mapped IP - 10.10.100.204

    Port Forwarding checked

    Protocol TCP

    External service port 80 / 443 / 22 (separate VIPs)

    Map to port 80 / 433 / 22

     

    Created VIP Group from these to use in policy

     

    I can post screen caps if that is preferable

     

    Thanks!

    CW
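
An added example (not from the thread or from Fortinet): a small Python audit of the two things the replies ask about, run over a constructed config in FortiOS `show` syntax. It reports VIPs that no accept policy on their external interface references, directly or through a VIP group, and VIPs whose external and mapped ports differ (which may be deliberate). The names WebAccess443 and WebGroup are hypothetical, the 443 to 433 mapping copies the port list as posted, and the parser assumes flat sections without nested `config` blocks.

```python
import shlex
# Constructed sample in FortiOS "show" syntax; names mirror the thread, not a real export.
SAMPLE = '''config firewall vip
    edit "WebAccess80"
        set extintf "wan1"
        set extport 80
        set mappedport 80
    next
    edit "WebAccess443"
        set extintf "wan1"
        set extport 443
        set mappedport 433
    next
end
config firewall vipgrp
    edit "WebGroup"
        set member "WebAccess80"
    next
end
config firewall policy
    edit 1
        set srcintf "wan1"
        set dstaddr "WebGroup"
        set action accept
    next
end'''

def parse(text):  # -> {section: {entry: {key: [values]}}}
    cfg = {}
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] == ["config"]:
            sec = cfg.setdefault(" ".join(tok[1:]), {})
        elif tok[:1] == ["edit"]:
            ent = sec.setdefault(tok[1], {})
        elif tok[:1] == ["set"]:
            ent[tok[1]] = tok[2:]
    return cfg

def audit(text):
    cfg = parse(text)
    for name, vip in cfg.get("firewall vip", {}).items():
        # dstaddr names that reach this VIP: itself or a VIP group containing it
        names = {name} | {g for g, e in cfg.get("firewall vipgrp", {}).items()
                          if name in e.get("member", [])}
        if not any(p.get("action") == ["accept"] and p.get("srcintf") == vip.get("extintf")
                   and names & set(p.get("dstaddr", []))
                   for p in cfg.get("firewall policy", {}).values()):
            yield (name, "no accept policy from its external interface")
        if vip.get("extport") != vip.get("mappedport"):
            yield (name, "extport differs from mappedport")
```

`list(audit(SAMPLE))` returns two findings, both for WebAccess443; WebAccess80 passes because the policy reaches it through WebGroup.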