thegreatwhay
New Member
August 10, 2016
Solved

Port Forwarding not working on 110c


Good afternoon. I am not a networking guru, so I hope I ask these questions in the correct manner. I have a port that I want open and forwarding to a specific client machine. I have gone through and done the VIP, VIP Group and entered the policy. Everything seems good according to what I read in the cookbook. Running v4.0 MR3 Patch 12.

When I do an external port test, I get a time out error, and that the port is not available. Subscriptions are not up to date. Am I missing something to open this specific port? Let's say it is port 4080. Is there a specific area in the panel that I need to specifically open that port before port forwarding will even work, or is the set up of port forwarding essentially opening that port?

I just know there is also the Services\Custom set up, and I have done nothing in that area...

Help is deeply appreciated.


    ede_pfau
    SuperUser
    Answer
    August 11, 2016

    hi,

    if you've set up the VIP correctly and use it in a policy 'wan' -> 'internal' it should just work. If you post your config ('config firewall vip' and 'config firewall policy', only the relevant parts) I'll check it for you.

    Having no subscription is a pity as the AV signatures will be not old but ancient. But that won't prevent the firewalling from working.

    One thing, though hard to do without a current contract: upgrade from v4.3.12 to the latest v4.3.18. v4.3 is very mature and stable in the latest patches, not sure which quirks patch 12 had. Just in case you've got access to the firmware.

    thegreatwhay
    New Member
    August 11, 2016

    Ede,

    Thank you for your reply. You are indeed correct, the settings ended up being correct. Because I am new at reading packet information and certainly green when it comes to diagnosing firewalls, I was not confident in what I found. I had a friend come by last night who was able to show me some things and actually found that despite the ports being open on the firewall of the specific server that I was forwarding to, the packets were being dropped.  Turned off the firewall on that specific server, and everything worked fine.

    Now to figure out what is causing that!

     

    thegreatwhay
    New Member
    August 11, 2016

    Bob,

    I was using an externally hosted telnet service to test ports. But your information is still helpful. Thank you for sharing with me the points that you did. 

     

    rwpatterson
    New Member
    August 11, 2016

    thegreatwhay wrote:
    When I do an external port test, I get a time out error, and that the port is not available.

    What type of external test are you performing, if I may ask? For example, if the port forward is for HTTP, then only HTTP will work. A PING test will always fail. Also, in the policy, the service needs to be the native service for the server's IP port, not the presented external VIP port. (80 in my prior example, not 4080)

     

    Hope that all helps
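
A TCP connect probe that separates the outcomes discussed in this thread: a timeout (packets dropped), a refusal (host reached, no listener) and an open port. This is an added example, not part of any post above; the function names, hint wording and loopback demo are constructed for illustration.

```python
import errno
import socket

# What each outcome means for a forwarded port (wording is this example's own).
HINTS = {
    "open": "handshake completed: VIP, policy and the server's host firewall all pass it",
    "refused": "RST came back: packets reach a host, but nothing accepts on that port",
    "timeout": "no reply at all: packets are silently dropped on the path or by the "
               "server's own host firewall, as happened in this thread",
}


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP handshake and return 'open', 'refused', 'timeout' or 'error:<errno>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:  # e.g. EHOSTUNREACH, ENETUNREACH, DNS failure
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))


def diagnose(host, port, timeout=3.0):
    """Return (outcome, hint) for one probe of host:port."""
    outcome = probe_tcp(host, port, timeout)
    return outcome, HINTS.get(outcome, "network-level failure before any TCP answer")


if __name__ == "__main__":
    # Constructed demo on loopback so the script runs offline: a throwaway
    # listener stands in for the forwarded server.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    print(port, diagnose("127.0.0.1", port))   # listener up
    listener.close()
    print(port, diagnose("127.0.0.1", port))   # listener gone
```

Run it once from outside against the external IP and VIP port, and once from the LAN against the server's own IP and mapped port; a timeout on the inside probe as well points at the server rather than the FortiGate.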

    sophea89
    New Member
    August 17, 2016

    Hi and good day,

    Currently I am working on port forwarding for a FortiGate 1000D v5.2.4. We have a Codian MCU for video conferencing (internal server) and all I need to do is to let the public users access one public IP instead of the internal IP. So, port forwarding might be the solution to work on that. I have already gone through all the steps shown on YouTube and in the cookbook; however, when I try to access through HTTP, I get a time out error, and even ICMP gets request timed out. I have done the configuration shown below:

     

    Add virtual IPs:
    Name: server-http
    interface: wan1
    external ip addrs/range: 1.2.3.4 - 1.2.3.4
    mapped ip addrs/range: 192.16.1.100 - 192.16.1.100
    port forwarding:
    Protocol: tcp
    External service port: 80 - 80
    Map to port: 80-80

    *also do the same for icmp
    *Put in the Virtual IP Group name webserver

    Policy IPV4:
    Incoming interface: wan1
    source address: all
    outgoing interface: lan
    destination interface: webserver
    schedule: always
    service: http & icmp
    Action: Accept
    Firewall/Network Option: NAT
    Logging options: Log allowed traffic All session

     

    I really hope someone can figure out how to solve this problem. Thank you in advance.

     

     

    rwpatterson
    New Member
    August 17, 2016

    @Sophea

     

    Please start your own post as opposed to hijacking a current one. Your requirements and parameters are different from those of the OP, and you will lack the exposure you want if you tag along at the end of a mature post.