elad_b
New Member
November 30, 2020
Question

Port Forwarding with static route to IPSEC tunnel


Hi all,

On a new FortiGate 40F, I configured a Virtual IP with port forwarding and a policy for the camera NVR, and it worked: I succeeded in reaching them from outside the network.

The problem is that all the computers on the LAN should access the internet via the IPsec tunnel (to be recognized by a different external IP address), so I configured a static route to 0.0.0.0/0 via the IPsec interface and then policies from the LAN to the IPsec interface and vice versa with NAT disabled.

The IPsec Phase 2 is from the LAN subnet to 0.0.0.0/0 as well.

The computers can access the internet successfully, but the cameras aren't reachable, and I can't access the web management interface of the firewall from outside either.

I tried to configure some policy routes, but it's still not working.

Does anyone have an idea how I can make this work?

Thanks!

    1 reply

    rwpatterson
    New Member
    November 30, 2020

    My first thought here would be to check the routing table and ensure that all local routes have a lower distance than the default gateway. A traceroute from a non-working source should confirm the bad route.

    brycemd
    New Member
    November 30, 2020

    You've created asymmetrical routing. The traffic is coming into the FortiGate and being port forwarded, but the return traffic is going across the tunnel and out via a different public IP.

    You either need to set up policy routes for the camera(s) to go directly out to the internet, or set up the port forwarding on the other side of the tunnel.

    Same reason for not being able to externally manage it anymore. Traffic is being returned over the IPsec tunnel. As it is (unless you have other routes), it cannot access the internet unless that tunnel is up. And if you didn't create a static route for the IP of the other end of the tunnel, it may not come back up if it goes down.

    Toshi_Esumi
    SuperUser
    November 30, 2020

    Or, add a local static default route with a higher priority number in addition to the default route toward the tunnel (priority 0 by default), so that incoming access to the camera from the local WAN interface via the VIP can go back out to the local WAN instead of going across the tunnel.
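    The two fixes suggested in this thread (a second default route with a higher priority number, plus a host route for the tunnel peer, and alternatively a policy route for the NVR) written out in FortiOS CLI as an added example, not configuration posted by anyone in the thread. Interface names, the ISP gateway, the tunnel peer address and the NVR address are all assumed placeholders.

```text
# Added example; assumed names/addresses: "wan1" = local WAN, "internal" = LAN,
# "to-hub" = IPsec interface, 203.0.113.1 = ISP gateway, 198.51.100.10 = remote
# tunnel peer, 192.168.1.50 = camera NVR. None of these come from the thread.

config router static
    # Route 1: default route into the tunnel (what the question already has).
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "to-hub"
        set priority 0
    next
    # Route 2: same distance (default 10) but a higher priority number, so new
    # outbound sessions still prefer the tunnel; the route stays in the routing
    # table, which lets replies to sessions that arrived on wan1 (VIP, admin
    # access) leave via wan1 instead of the tunnel.
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set priority 10
    next
    # Route 3: host route for the tunnel peer, so IKE/ESP never depends on the
    # default route (and therefore on the tunnel itself) being up.
    edit 3
        set dst 198.51.100.10 255.255.255.255
        set gateway 203.0.113.1
        set device "wan1"
    next
end

# Alternative from the thread: a policy route pinning NVR-originated traffic to
# the local WAN. Policy routes are consulted before the routing table.
config firewall address
    edit "NVR_host"
        set subnet 192.168.1.50 255.255.255.255
    next
end
config router policy
    edit 1
        set input-device "internal"
        set srcaddr "NVR_host"
        set gateway 203.0.113.1
        set output-device "wan1"
    next
end

# Checks after applying either fix:
#   get router info routing-table all      (both S* 0.0.0.0/0 entries listed)
#   diagnose sniffer packet any 'host 192.168.1.50' 4   (replies leave via wan1)
```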