Policy Routing and Port Forwarding
Hi,
I'm Andrea and I'm trying to configure a new Fortigate in my company. I have a Fortigate 60D with FortiOS 5.2.1.
Below the network topology:

I set the policy routing so the traffic from the GuestNetwork is sent to wan2 and other traffic is sent to wan1, and all works fine. Now I have to set up an internal WebServer and a port forwarding to make it available from the Public IP on wan1. I can reach the WebServer from the internet and from the network 192.172.0.0/16 with the Public IP. The problem is with the GuestNetwork: the devices in the GuestNetwork network cannot reach the WebServer with the Public IP. I think that the problem is in the Policy Routing; in fact, if I remove the policy and I put the two "wan" in Load Balancing, all works fine. Is there an error in my settings? Is it a known bug?
Could you please help me? Thank you.
Best Regards,
Andrea
Below the Fortigate settings:
#ROUTING
Static Routes:
Static Route 01: Destination IP/Mask: 0.0.0.0/0.0.0.0 Device: wan1 Gateway: 87.153.237.177 Distance: 10 Priority: 1
Static Route 02: Destination IP/Mask: 0.0.0.0/0.0.0.0 Device: wan2 Gateway: 192.168.1.254 Distance: 10 Priority: 10
Policy Routes:
Policy Route 01: Protocol: ANY Incoming Interface: internal Source address/mask: 192.172.1.10/255.255.255.255 Destination/mask: 0.0.0.0/0.0.0.0 Forward Traffic: true Outgoing interface: wan2 Gateway Address: 192.168.1.254
#PORT FORWARDING
Virtual IPs:
Name: WebServer Interface: wan1 Type: Static NAT Source Address Filter: false External IP Address: 84.153.237.178-84.153.237.178 Mapped IP Address: 192.172.3.45-192.172.3.45 Port Forwarding: True Protocol: TCP External Service Port: 4040-4040 Map to Port: 8080-8080
Policy IPv4:
Incoming Interface: Wan1 Source Address: all Outgoing Interface: internal Destination Address: WebServer Schedule: always Service: ALL Action: ACCEPT NAT: off
