NextPc
Visitor III
August 20, 2025
Solved

Redirect traffic directed to external IP to an internal IP behind NAT 1:1

  • August 20, 2025
  • 4 replies
  • 1884 views

Hi there, I have an FG40 behind the ISP router (and I can't remove it) with a NAT 1:1 configuration.

With a phone (connected to WLAN) I have to reach the NVR (connected to LAN) pointing to the public IP of the office.

If the phone is outside of the office, pointing to the public IP, I can reach the NVR because I have created dedicated rules on the firewall.

If the phone is in LAN (WLAN, but it is the same), pointing to the public IP, I can't reach the NVR.

How can I solve this?

Thank you


Best answer by Igneus

Hi,

What you’re facing is a NAT loopback (hairpin NAT) issue. When a client inside the LAN/WLAN tries to reach a local server (your NVR) using the public IP, the FortiGate doesn’t automatically translate that traffic back into the LAN. That’s why it only works from outside.

To fix this, you need:

1. Firewall policy (LAN/WLAN → LAN)
  • Source: LAN/WLAN subnet
  • Destination: NVR’s internal IP
  • Enable NAT, with the correct mapped IP.

2. Create a VIP mapping the public IP → internal NVR IP.
  • Make sure the firewall policy references this VIP.

3. Enable hairpin NAT
  In some FortiOS versions, you need to allow “NAT reflection”. This is done by creating a policy where:
  • Incoming interface = LAN/WLAN
  • Outgoing interface = LAN
  • Destination = VIP (public IP of NVR)
  • Enable NAT.

After this, when an internal device points to the public IP, the FortiGate will loop the traffic through the VIP and send it to the internal NVR.

4 replies

funkylicious
SuperUser
August 20, 2025

Hi,

since your setup is a little bit more complex and the FGT isn't doing the actual NAT, you could try and do a hairpin NAT like described in this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448

it usually works when the VIP/NAT is actually done on the FGT but you can give it a try.

"jack of all trades, master of none"
sw2090
SuperUser
August 20, 2025

Could you draw your setup? I don't quite get it from what you wrote.

Why do you need to point to the external IP when you are at the office (i.e. behind your FG40)?

funkylicious
SuperUser
August 20, 2025

I guess the application has a hostname that is resolvable either via the hosts file or external DNS with the public IP, and it would be a pita to change the hosts file every time, tbh.

The DNS entry you could solve with an internal DNS to point to the internal IP, though :)

"jack of all trades, master of none"
AEK
SuperUser
August 20, 2025

Either use hairpin NAT as suggested by Funkylicious, or use DNS hostname instead of IP (if possible) with distinct public resolution and private resolution.

AEK

NextPc
Author
Visitor III
August 25, 2025

I had already created a VIP where "external IP" was the firewall WAN IP, mapped to the NVR LAN IP, and granted traffic from WAN to LAN in the firewall rules.

To work from LAN pointing to the public IP, I created a VIP where "external IP" is the router public IP (and not the firewall WAN IP), mapped to the NVR LAN IP, then granted traffic from LAN to LAN in the firewall rules.
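The hairpin VIP and LAN-to-LAN policy this thread converges on, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread; the addresses, the interface name "internal" and the service ports are placeholders to be replaced with the real values.

```fortios
# Hairpin (NAT loopback) for an NVR behind a 1:1 NAT ISP router.
# Placeholder values (constructed for this example):
#   203.0.113.10 = the ISP router's public IP (not the FortiGate WAN IP)
#   192.168.1.50 = the NVR's LAN IP
#   "internal"   = the FortiGate LAN/WLAN interface

# 1. VIP: destination-NAT the public IP to the NVR. extintf "any" lets the
#    VIP match packets that arrive on the LAN side, not only on WAN.
config firewall vip
    edit "VIP-NVR-hairpin"
        set extip 203.0.113.10
        set extintf "any"
        set mappedip "192.168.1.50"
    next
end

# 2. Limit the policy to the NVR's real ports rather than "ALL"
#    (554 and 8000 are placeholders).
config firewall service custom
    edit "NVR-ports"
        set tcp-portrange 554 8000
    next
end

# 3. LAN -> LAN policy that references the VIP. "set nat enable" is the
#    part that makes the hairpin work: the phone is source-NATed to the
#    FortiGate's LAN IP, so the NVR replies through the FortiGate instead
#    of directly to the phone (which would break the session, because the
#    phone expects the reply to come from 203.0.113.10).
config firewall policy
    edit 0
        set name "LAN-to-NVR-hairpin"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP-NVR-hairpin"
        set action accept
        set schedule "always"
        set service "NVR-ports"
        set nat enable
        set logtraffic all
    next
end
```

To confirm the translation is happening, `diagnose sniffer packet internal 'host 192.168.1.50' 4` should show the phone's connection reaching the NVR with the FortiGate's LAN IP as source while the phone is connecting to the public IP.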