sheshman
Explorer II
April 2, 2022
Question

self hosting stopped working after switching to 30E

  • April 2, 2022
  • 3 replies
  • 7181 views

 

Hi,

I'm hosting my websites on an ISPConfig 3 server from my home. I was using pfSense as the gateway, and 2 days ago I switched to a 30E (unlicensed), so I forwarded the necessary ports to my ISPConfig 3 server, but my websites are not reachable. When I plug in my old pfSense it works, but when I switch to the FortiGate it stops working.

I checked the ports over and over again through ping.eu; it seems like all ports (especially 53, the DNS port) are open and reachable from the outside world, but when I check the A record through https://dnschecker.org/#A/fscdepo.com (it's one of my domains that runs on my server) it's not reachable.

Any ideas?

 

[Screenshots attached: Screenshot_2.png, Screenshot_3.png]

3 replies

Yurisk
SuperUser
April 3, 2022

VIP (port forwarding) is too basic a feature on the FortiGate to cause problems, so with 99% probability it is a misconfiguration. Have you followed the docs in configuring VIPs (e.g. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-Virtual-IPs-to-configure-port-forwarding/ta-p/198195)?

In the security policy you have a "Policy lookup" button in the upper bar to simulate packets passing the firewall. Use it, putting in the src IP of some client on the Internet and the dst external IP of the server, and see if the match is made on the correct policy.

 

sheshman (Author)
Explorer II
April 3, 2022

Hi Yuri,

First of all, thanks for sharing your blog's URL; there is lots of information there for me :)

Let me explain how my connection works. I'm using a fiber modem to reach the internet, so my FortiGate is connected to my modem. I can't connect the Forti to the fiber directly because I'm also getting IPTV service from my ISP, and the ISP's IPTV service does not work if I don't connect the modem to the fiber directly:

- Fiber modem: 192.168.1.254
- Forti 30E: 192.168.2.254
- ISPConfig 3 web server: 192.168.2.245

I'm forwarding port 53 from the modem to the FortiGate first, and after that forwarding from the Forti to the ISPConfig 3 server as below:

[Screenshots attached: Screenshot_4.png, Screenshot_5.png, Screenshot_6.png]

When I check from ping.eu, port 53 seems open, but when I check through https://dnschecker.org/ my websites are not reachable. If I connect my ISPConfig 3 server directly to the modem and forward the ports to the server, or if I connect my server to my old pfSense GW, it works without any problem.

I also tested "Policy Lookup" as you mentioned and it seems like my policy works without any problem; I really don't know what is causing this.

The strange thing is that we are using a similar configuration at the company I work for, with a 600E + ISPConfig 3, and it works the same way I'm trying to do at home. There is no problem on the 600E; the only difference between the 600E and my 30E is the licence: the 600E is licensed and my 30E is not. Does that make a difference? As far as I know I can use my 30E for basic operations without a licence.

Debbie_FTNT
Staff & Editor
April 4, 2022

Hey sheshman,

can you also share the policy?

The VIP itself looks fine, so I would want to double-check that you have the correct policy from WAN -> LAN in place with VIP as destination object

In addition, you might want a policy in the reverse direction (LAN -> WAN) and ensure the traffic from your server is NATed to the VIP's external IP properly

 

Also, a question for my understanding:

- your Fiber modem translates the public IP to 192.168.1.254

- FortiGate translates that IP 192.168.1.254 to 192.168.2.245?

- if the modem translated to 192.168.2.245 directly, FortiGate wouldn't need any VIP configuration, it could just route and require a simple IPv4 policy
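As an added example (not part of this reply and not the thread author's configuration), this is what the inbound WAN -> LAN policy with the VIP as destination object, plus the reverse LAN -> WAN policy with source NAT, look like in FortiOS CLI. Assumptions: the interfaces are named "wan" and "lan", the object names are invented here, the mapped host 192.168.2.245 is the ISPConfig server from the thread, and extip 0.0.0.0 is used so the VIP binds to whatever address the FortiGate's WAN interface holds behind the modem (the thread does not state that address). Lines starting with # are explanatory comments.

```text
# Port-forwarding VIPs: external port on the WAN address -> server port on 192.168.2.245
config firewall vip
    edit "vip-dns-udp53"
        set extintf "wan"
        set extip 0.0.0.0
        set portforward enable
        set protocol udp
        set extport 53
        set mappedip "192.168.2.245"
        set mappedport 53
    next
    edit "vip-dns-tcp53"
        set extintf "wan"
        set extip 0.0.0.0
        set portforward enable
        set protocol tcp
        set extport 53
        set mappedip "192.168.2.245"
        set mappedport 53
    next
    edit "vip-http"
        set extintf "wan"
        set extip 0.0.0.0
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedip "192.168.2.245"
        set mappedport 80
    next
end

# One group so a single inbound policy references all forwarded ports
config firewall vipgrp
    edit "vipgrp-ispconfig"
        set interface "wan"
        set member "vip-dns-udp53" "vip-dns-tcp53" "vip-http"
    next
end

config firewall policy
    # Inbound: WAN -> LAN, VIP group as destination. This is the policy that
    # "Policy lookup" (src = Internet client, dst = WAN address, port 53) must match.
    # Keep the service list tight; "all" would expose every mapped port at once.
    edit 0
        set name "wan-in-ispconfig"
        set srcintf "wan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "vipgrp-ispconfig"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP"
        set logtraffic all
    next
    # Outbound: LAN -> WAN with NAT, so the server's own outbound connections
    # leave from the FortiGate's WAN address (the same address the VIPs bind to).
    edit 0
        set name "lan-out"
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Two checks worth doing against a configuration like this: the VIP's extintf must be the interface the modem actually forwards to, and the inbound policy's dstaddr must be the VIP (or group) object rather than the server's LAN address, otherwise the packet never matches and is dropped on the implicit deny. Logging all traffic on both policies makes the later sniffer and flow-debug output easier to correlate with the policy IDs.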

Yurisk
SuperUser
April 4, 2022

Hi again, thanks.

Configs seem OK.

Unlicensed: for hardware models it may matter for Application Control/IPS/AV features, but basic functions like VPN, NAT, routing and FW work just fine. So, no, a license cannot cause traffic problems.

When switching to pfSense it starts to work; is it possible the fiber modem is set to work with pfSense's MAC address?

Anyway, the best way to proceed is to run the packet sniffer while trying to reach the servers behind the FGT. You can do it while connected via SSH, or use the web applet in the FGT GUI: in the upper right corner you have ">_" to open the applet-based CLI.

The syntax would be: dia sni pa any 'host Source_IP_of_client_here' 4

Where Source_IP_of_client_here is the IP address of some external (on the Internet) client trying to access the server(s) on an open port. The desired output will contain the packet coming in on the wan interface and going out on the lan interface with the proper NAT translations.

sw2090
SuperUser
April 5, 2022

You could also use the flow debug on the CLI to see if there is any incoming traffic there:

diag debug enable
diag debug flow filter clear
diag debug flow filter saddr <ip>  (for source address)
or/and
diag debug flow filter daddr <ip>  (for destination address)
diag debug flow trace start <numberofpacketstotrace>

Then the CLI will show you if the traffic reaches the FGT and which policy it hits and what happens to it.
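The two diagnostics from the last replies (sniffer, then flow debug) combined into one session, as an added example that is not part of either reply. 203.0.113.10 is a constructed test-client address from the TEST-NET-3 documentation range and stands in for the real external client; port 53 is the DNS port from the thread. The filter narrows the capture to that client and port so the output is not buried in unrelated traffic, and the session ends by switching the debug off again, because a flow trace left enabled keeps consuming CPU on a small box like a 30E.

```text
# 1. Sniffer on all interfaces, verbosity 4 (prints interface names), unlimited count,
#    absolute timestamps. Look for the packet arriving "wan in" on the WAN address
#    and leaving "lan out" towards 192.168.2.245; if only the first line appears,
#    the VIP or the inbound policy is the problem, not the modem.
diagnose sniffer packet any 'host 203.0.113.10 and port 53' 4 0 a
# (Ctrl+C to stop, then continue below)

# 2. Flow debug: which policy the packet matches and, if it is dropped, why.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 203.0.113.10
diagnose debug flow filter port 53
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 20

# ... reproduce the DNS query from the external client now ...

# 3. Stop the trace and disable debugging before closing the session.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

Reading the flow output: a line naming a policy id after the routing check confirms the inbound policy matched; a "denied by forward policy check" or "iprope" style message means the packet reached the FortiGate but no policy accepted it, which points back at the policy's interface pair or destination object rather than at the upstream modem.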

sheshman (Author)
Explorer II
April 5, 2022

Thanks for the tip. By the way, can I use this method for another problem? For example, can I use those commands to find out why I can't ping computers on the SSL VPN from a specific computer?

Debbie_FTNT
Staff & Editor
April 6, 2022

You certainly can - that set of debug commands simply shows what FortiGate does with the traffic (accepting it, routing check, policy matching). The commands can at least help rule out the FortiGate as a cause of traffic issues.

We have a more detailed document:
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/54688/debugging-the-packet-flow