Skip to main content
FWY001
FWY001
New Member
November 28, 2024
Solved

nat hairpin does not work

  • November 28, 2024
  • 6 replies
  • 4312 views

 

Hi everyone, I have a LAN user wants to connect to a LAN server from the public address that is in the same subnet as the fortigate external address. I have setup VIP and firewall policies but it does not seem to work, debug flow shows it was DNATed to the server's internal address but the traffic does not go through(my server does not receive any traffic), the final log of the pakcet was "allowed by policy" then followed with nothing. My topo and configs are as follow, any idea is appreciated.


config firewall vip
edit "vip"
set extip "10.1.1.2"
set mappedip "192.168.8.200"
set extintf "wan" # have tried with "any" but also not working
set portforward enable
set extport 443
set mappedport 443

config firewall policy
edit 1
set name "lan1-to-lan2"
set srcintf "lan1"
set dstintf "lan2"
set action accept
set srcaddr "all"
set dstaddr "vip"
set schedule "always"
set service "ALL"
edit 2
set name "wan-to-lan2"
set srcintf "wan"
set dstintf "lan2"
set action accept
set srcaddr "all"
set dstaddr "vip"
set schedule "always"
set service "ALL"
edit 3
set name "lan2-to-wan"
set srcintf "lan2"
set dstintf "wan"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
edit 4
set name "lan1-to-wan"
set srcintf "lan1"
set dstintf "wan"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable

Best answer by FWY001

OK I figured out what happened, configs are correct in fortigate, the problem is the image I posted earlier is not exactly true, there is an active route between SW1 and SW2, so when fortigate DNATed the packet received from client and sent it to the server, the server received the packet as if it was sent from the client, and it sent response directly to the client without passing it to fortigate, so the tcp connection is never established(that's why there is no access logs in the server, but tcpdump can see those packets). I added a static route in SW1, forcing it to send traffic to fortigate, problem resolved.

6 replies

FWY001
FWY001Author
New Member
November 28, 2024

the topology is here

 

1.png

sjoshi
Staff
sjoshi
Staff
November 28, 2024

Hi FWY001,

 

Please refer and follow below article for Hairpin NAT.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-hairpins-with-a-server-application-to-browse/ta-p/247027

Thanks, Salon
    FWY001
    FWY001Author
    New Member
    November 28, 2024

    Hi, I followed example 1 in the 1st link, but it does not work

    sjoshi
    Staff
    sjoshi
    Staff
    November 28, 2024

    The config looks fine

    Please verify if any policy route is in place

     

    Also try to collect debug flow

    https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/54688/debugging-the-packet-flow

    Thanks, Salon
      dingjerry_FTNT
      Staff
      dingjerry_FTNT
      Staff
      November 28, 2024

      Hi @FWY001 ,

       

      Please try the following:

       

      1) In VIP settings, set the external interface to "any";

      2) Disable firewall policy 1, or remove the VIP as the destination address in policy 1 (use all instead).

      FWY001
      FWY001Author
      New Member
      November 28, 2024

      Hi, tried but still the same

      FWY001
      FWY001Author
      New Member
      November 28, 2024

      For some reason I can access this server with the public ip from LAN2 (LAN2 hairpin to LAN2, not with LAN1) before, I checked debug flows the difference is previously the last 2 logs are "Allowed by policy-N: SNAT" and "SNAT: 192.168.8.100 -> 192.168.2.1", no idea what I have changed caused this difference.

      Renante_Era
      Staff
      Renante_Era
      Staff
      November 28, 2024

      The easiest solution is to add "Stop Policy Routing"

      Screenshot 2024-11-28 155856.png

       

      FWY001
      FWY001AuthorAnswer
      New Member
      December 2, 2024

      OK I figured out what happened, configs are correct in fortigate, the problem is the image I posted earlier is not exactly true, there is an active route between SW1 and SW2, so when fortigate DNATed the packet received from client and sent it to the server, the server received the packet as if it was sent from the client, and it sent response directly to the client without passing it to fortigate, so the tcp connection is never established(that's why there is no access logs in the server, but tcpdump can see those packets). I added a static route in SW1, forcing it to send traffic to fortigate, problem resolved.

      Terms & ConditionsAccessibility statement