championc1
Explorer
October 20, 2024
Question

Problem with VIP / Port Forwarding

  • October 20, 2024
  • 6 replies
  • 4976 views

What am I missing here?  My traffic is hitting my WAN address, but is not hitting the LAN.  First of all, this is on an old 90D that I am playing with, so it's on its highest release of 6.0.18

I am trying to hit a server inside my network from the outside.  My ISP router is outside the Firewall, and has all ports Port Forwarded.  I can see the traffic hit my Firewall

[code]
Spirit-FW # diag sniffer pack any "port 22" 4 0 a
interfaces=[any]
filters=[port 22]
2024-10-20 20:10:27.049346 wan1 in 93.107.205.221.41489 -> 192.168.1.17.22: syn 3251867515
2024-10-20 20:10:28.057670 wan1 in 93.107.205.221.41489 -> 192.168.1.17.22: syn 3251867515
[/code]

But it won't hit my inside LAN.  I have a fully open Any Src / Any Dst / All services rule in place

I have a Virtual IP for 192.168.1.17 --> 10.10.5.100 (TCP: 22 --> 22)

Doing a Packet Capture too confirms the traffic to the WAN, but it never hits the LAN Interface

I'm sure that this is something stupidly simple that I am overlooking :(

Thanks in advance

6 replies

AEK
SuperUser
October 21, 2024

The policy should have the VIP object as destination, and LAN interface as destination interface.

AEK
championc1
Explorer
October 21, 2024

I actually created two rules, one for source specific IP to the VIP object, and then a secondary rule from Any to Any over interfaces WAN1 to LAN.  By messing about with things, I'm gradually getting hits.

rahul_p1
Staff
October 21, 2024

Hi,

Please refer to this article and make sure your configuration is correct: How to configure VIP access where specifi... - Fortinet Community

championc1
Explorer
October 21, 2024

This example is for a specific destination.  What about when a specific port is required?  Suppose I want to route all traffic for HTTPS connections

As I see it, there are two options

Option 1 - Tick the Optional Filters and add HTTPS to Services, and in Port Forwarding, add 443

OR

Option 2 - Leave Optional Unticked, tick Port Forwarding, and add 443 as both External Service Port and the Map to Port 

Or is there another way that I have missed ?

Also, regarding filtering for a specific source, is there any way to filter for a specific source DynDNS name FQDN rather than an IP?  If I wanted to allow a specific source only to reach a specific server internally, but the source IP could change periodically?

borlinjo1
New Member
October 21, 2024

VIPs should only really be used for external access; I've never used them for internal facing port forwarding. If you're trying to get internal to internal that's segregated via VLAN, then you just need a simple policy and route set up correctly from destination to destination. Throwing a VIP into the equation makes this a bit more complicated than it needs to be.

championc1
Explorer
October 21, 2024

Why are you saying Internal to Internal?  Even the Diag Sniffer shows it arrives from a public IP on the WAN1 interface.  Or am I missing something?

parthpatel
Staff
October 21, 2024

Hello,

You can try to run the debug commands with the public IP address of your test machine, as that will give you a clear idea of what is missing on the configuration part.

[code]
# diagnose debug reset
# diagnose debug flow filter addr x.x.x.x
# diagnose debug flow show function-name enable
# diagnose debug console timestamp enable
# diagnose debug flow trace start 999
# diagnose debug enable
[/code]

(x.x.x.x is the public IP address of your test machine)

--- try to generate the traffic from the test machine to the external IP address of the VIP ---

[code]
# diagnose debug disable
[/code]

(to stop the debug)

arahman
Staff
October 21, 2024

Hi, also attach your configuration related to the VIP to make sure the policies are correct and the VIP is configured correctly.

championc1
Explorer
October 23, 2024

Hi again,

While I have got VIP from any IP working OK, I just cannot get VIP with a specific SOURCE working.  The source connects to a Public ISP IP which port forwards All Ports to the WAN1 IP address of 192.168.1.17.  The VIP points this IP at 10.10.5.111.  I am trying to connect on Port 9000

Here is the config

[code]
config firewall vip
edit "Spirit-Portainer"
set uuid 75bbf530-8fc8-51ef-df2a-8a35661cf4f2
set src-filter "193.147.205.221"
set service "TCP-9000"
set extip 192.168.1.17
set extintf "wan1"
set portforward enable
set mappedip "10.10.5.111"
set mappedport 9000
next
end
[/code]

and then

[code]
config firewall policy
edit 17
set name "Spirit-Portainer"
set uuid 73b5e1e0-8fca-51ef-d361-71437267bdf5
set srcintf "wan1"
set dstintf "Mgmt"
set srcaddr "championc"
set dstaddr "Spirit-Portainer"
set action accept
set schedule "always"
set service "TCP-9000"
set logtraffic all
set fsso disable
set comments "Specific Source to port 9000"
next
end
[/code]

and

[code]
config firewall address
edit "championc"
set uuid c3dad6c2-8fd3-51ef-7151-8db0818b9447
set associated-interface "wan1"
set subnet 193.147.205.221 255.255.255.255
next
end
[/code]
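The three objects above have to agree with each other on several points before a source-restricted VIP can pass traffic: the policy's srcintf must be the VIP's extintf, the policy's service must cover the port the VIP forwards, the dstaddr must be the VIP object itself, and every srcaddr object must fall inside the VIP's src-filter. The following script is an added example, not part of this thread or any Fortinet tool: it parses FortiOS-style config text (the posted objects, plus a constructed policy 18 that deliberately mismatches the VIP) and reports any disagreement. The parser, the function names and the built-in service name "ALL" handling are assumptions made for the example; it does not check routing to the mapped IP or the dstintf, which still need to be verified on the box.

```python
import ipaddress
import shlex

# Constructed input: the VIP, policy 17 and the address object as posted in the
# thread (UUIDs and cosmetic settings omitted), plus a hypothetical policy 18 that
# deliberately disagrees with the VIP so the checker has something to report.
CONFIG = """
config firewall vip
    edit "Spirit-Portainer"
        set src-filter "193.147.205.221"
        set service "TCP-9000"
        set extintf "wan1"
        set portforward enable
        set mappedip "10.10.5.111"
        set mappedport 9000
    next
end
config firewall policy
    edit 17
        set srcintf "wan1"
        set dstintf "Mgmt"
        set srcaddr "championc"
        set dstaddr "Spirit-Portainer"
        set service "TCP-9000"
    next
    edit 18
        set srcintf "wan2"
        set dstintf "Mgmt"
        set srcaddr "championc"
        set dstaddr "Spirit-Portainer"
        set service "HTTPS"
    next
end
config firewall address
    edit "championc"
        set associated-interface "wan1"
        set subnet 193.147.205.221 255.255.255.255
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: [values]}}}.
    shlex.split strips the quotes FortiOS puts around names."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "config":
            section = " ".join(tokens[1:])
            sections.setdefault(section, {})
        elif tokens[0] == "edit":
            entry = tokens[1]
            sections[section].setdefault(entry, {})
        elif tokens[0] == "set":
            sections[section][entry][tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            entry = None
        elif tokens[0] == "end":
            section = None
    return sections


def _net_in_filter(net, spec):
    """True if `net` lies inside one src-filter entry (plain IP, CIDR or 'a-b' range)."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return lo <= net[0] and net[-1] <= hi
    return net.subnet_of(ipaddress.ip_network(spec, strict=False))


def check_policy_vip(cfg, policy_id):
    """Return a list of mismatches between a policy and the VIP(s) it points at;
    an empty list means the objects agree on interface, service and source."""
    findings = []
    pol = cfg["firewall policy"][policy_id]
    vips = cfg.get("firewall vip", {})
    addrs = cfg.get("firewall address", {})
    vip_names = [n for n in pol.get("dstaddr", []) if n in vips]
    if not vip_names:
        return [f"policy {policy_id}: dstaddr does not reference a VIP object"]
    for name in vip_names:
        vip = vips[name]
        # The policy's inbound interface must be the VIP's external interface.
        if pol.get("srcintf") != vip.get("extintf"):
            findings.append(f"policy {policy_id}: srcintf {pol.get('srcintf')} != VIP extintf {vip.get('extintf')}")
        # A port-forwarding VIP translates only its own service; the policy must allow it.
        if vip.get("portforward") == ["enable"]:
            for svc in vip.get("service", []):
                if svc not in pol.get("service", []) and "ALL" not in pol.get("service", []):
                    findings.append(f"policy {policy_id}: service {pol.get('service')} lacks VIP service {svc}")
        # With a src-filter on the VIP, every policy source object must sit inside it.
        if "src-filter" in vip:
            for aname in pol.get("srcaddr", []):
                addr = addrs.get(aname)
                if addr is None or "subnet" not in addr:
                    findings.append(f"policy {policy_id}: srcaddr {aname!r} is not a subnet object in this config")
                    continue
                net = ipaddress.ip_network("/".join(addr["subnet"]), strict=False)
                if not any(_net_in_filter(net, s) for s in vip["src-filter"]):
                    findings.append(f"policy {policy_id}: srcaddr {aname} ({net}) is outside src-filter {vip['src-filter']}")
    return findings


def source_allowed_by_vip(cfg, vip_name, src_ip):
    """True if a source IP seen in the sniffer would pass the VIP's src-filter."""
    vip = cfg["firewall vip"][vip_name]
    host = ipaddress.ip_network(src_ip)
    return "src-filter" not in vip or any(_net_in_filter(host, s) for s in vip["src-filter"])


if __name__ == "__main__":
    cfg = parse_fortios(CONFIG)
    for pid in ("17", "18"):
        print(pid, check_policy_vip(cfg, pid) or "consistent")
    print(source_allowed_by_vip(cfg, "Spirit-Portainer", "193.147.205.221"))
```

Run against the posted objects, policy 17 comes back consistent, while the constructed policy 18 is flagged twice (wrong inbound interface, service that does not include TCP-9000). The `source_allowed_by_vip` check is worth running with the source address that actually appears in `diag sniffer` output: if the sniffed source is not inside the src-filter, the VIP never matches and the packet is dropped before any policy is consulted, which is exactly the "hits WAN, never reaches LAN" symptom.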

hjhajj
Staff
October 23, 2024

@championc1 Kindly make sure that there is a firewall policy from WAN to LAN with the destination set to the VIP.

Please refer to the following document
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configuration/ta-p/198143

In case the issue persists, kindly provide the following debugs

[code]
diagnose debug enable
diagnose debug flow filter addr 192.168.1.17
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
[/code]