ravenlord
New Member
November 9, 2016
Solved

remote to a server on DMZ


I want to remote to a server on the DMZ. Here is my scenario: as shown in the attached image, we have a FortiGate 100D firewall which gets its internet from an ADSL TP-Link modem. There is also a valid IP set on the modem, and the modem itself is connected to the FortiGate's WAN1 interface. The server which I want to remote to is located on the DMZ. Please help me configure this and get my scenario working properly.

thank you

    Best answer by ede_pfau (SuperUser), November 9, 2016

    hi,

     

    the double NAT is what is making this a bit complicated. So I would recommend to switch the modem into 'bridge mode' and put all WAN/ISP configuration onto the FGT. Hopefully, your line is not fast (>= 100 Mbps) and using PPPoE - in this case, the modem hardware needs to do the dial-in as the FGT CPU will not be strong enough for this.

     

    So, 2 scenarios:

    1- modem is bridging

    Now the FGT WAN port gets the public IP address (which is good for many reasons, FortiGuard updates for one). Now you create a VIP on the WAN interface, mapping the public IP to the private LAN IP of the server. No port forwarding needed if you do not use the public IP for anything else. Put the VIP as the destination address object into a policy from 'WAN' to 'internal', set service and/or schedule, done.

     

    2- modem does the dial-in

    Now you have double NAT. The VIP part on the FGT side stays the same, but now you translate from the private WAN IP of the FGT to the server's address. In order to get the traffic across the modem, you need to configure a 'DMZ' or 'pass-through' on it so that traffic from the WAN will reach the inside of the modem. Depends on make and model.

     

    2 replies


    ravenlord (Author)
    New Member
    November 9, 2016

    Thank you, ede.

    In the second scenario I have a valid IP that I get from the ISP.

    Is it right that I set, in the TP-Link modem's NAT tab, the virtual server IP to 192.168.1.3 (the FortiGate WAN1 IP), and then in the VIP set the external interface to wan1 and the external IP to 192.168.1.1 (the modem IP), with mapped IP 10.28.0.227 and mapped port 3389? Or do I have to set the external IP to my valid IP?


    ede_pfau
    SuperUser
    November 10, 2016

    Nope. You set the TP-Link NAT to 192.168.1.4, an unused IP that denotes your internal server (not the FGT). On the FGT, the VIP has

    external IP = 192.168.1.4

    mapped to IP = 10.28.0.227   <== your server's real IP

    and start without port mapping to test. Added advantage: you can ping the server to test the VIP.

    Don't forget the policy on the FGT.
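A FortiOS CLI rendering of the VIP and policy described in this answer, added here as an example; it is not part of the original thread. It uses the thread's addresses (192.168.1.4 as the unused address on the modem LAN, 10.28.0.227 as the server) and assumes the server sits behind a FortiGate interface named dmz and that an address object ADMIN-NET for the permitted RDP sources is defined; both names are assumptions. The RDP service and the arp-reply option are FortiOS's own. Note that the earlier answer says the policy goes from 'WAN' to 'internal', but since the question places the server on the DMZ, the destination interface has to be whichever port the server is actually connected to.

```fortios
# Scenario 2 (modem keeps the dial-in/NAT role, FortiGate WAN1 = 192.168.1.3).
# On the TP-Link, a Virtual Server entry forwards TCP/3389 to 192.168.1.4
# (not shown; it depends on the modem firmware). 192.168.1.4 is an address on
# the modem LAN that is not configured on any host.

config firewall vip
    edit "VIP-RDP-10.28.0.227"
        set comment "Inbound RDP to DMZ server via modem forwarding"
        set extintf "wan1"
        # arp-reply (enabled by default) makes the FortiGate answer ARP for
        # 192.168.1.4 on wan1. That is what lets the modem deliver traffic for
        # an address the FortiGate does not itself carry on any interface.
        set arp-reply enable
        set extip 192.168.1.4
        set mappedip "10.28.0.227"
        # Test first without the four portforward lines below (the whole host
        # is then reachable and can be pinged through the VIP); once the path
        # works, keep them so the modem-side address only ever exposes RDP.
        set portforward enable
        set protocol tcp
        set extport 3389
        set mappedport 3389
    next
end

# Scenario 1 (modem in bridge mode): the only change is the external address,
# i.e. "set extip <public IP assigned to wan1>", and there is no Virtual
# Server entry on the modem.

# Assumed address object restricting who may reach RDP (not in the thread).
config firewall address
    edit "ADMIN-NET"
        set subnet 198.51.100.0 255.255.255.0
    next
end

# Policy: wan1 -> the interface the server lives on (assumed "dmz").
# The destination is the VIP object, not the server's real address.
# Use srcaddr "all" only while testing; leaving TCP/3389 open to every source
# turns the server into a standing brute-force target.
# No "set nat enable": source NAT is not needed for inbound VIP traffic.
config firewall policy
    edit 0
        set name "Internet-to-DMZ-RDP"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "ADMIN-NET"
        set dstaddr "VIP-RDP-10.28.0.227"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic all
    next
end
```

To confirm the modem is actually handing the traffic to the FortiGate, run `diagnose sniffer packet wan1 'host 192.168.1.4 and port 3389' 4` on the FortiGate while connecting from outside: packets arriving on wan1 for 192.168.1.4 mean the modem side is right, and a matching entry in the forward log (with logtraffic all) means the VIP and policy are being hit.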

    ravenlord (Author)
    New Member
    November 10, 2016

    In the TP-Link modem, under Virtual Servers, I set the local host IP to 192.168.1.3 (the FGT WAN IP), and then on the FGT I created a VIP with external IP 192.168.1.3 and mapped IP 10.28.0.227 (my server's IP), and created the policy. I succeeded in remoting in from the internet.