SMTP to the mail server from 2 WAN

Juraj
New Member
July 11, 2011
9 replies, 10490 views
Hi everyone, I have a dual WAN scenario - on WAN1 a VIP on port 25 to the server on internal. I'd like to set up a disaster scenario in case WAN1 goes down so we can continue business through WAN2. The problem is that I obviously can't set up another VIP on port 25. How do I go around that? How do you solve those problems? I had a look in the kb http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31240&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=21224799&stateId=0%200%2021226533 but that's a bit different issue as it uses WAN2 solely for SMTP. FW is v4.0,build0291,100824 (MR2 Patch 2) Thank you.


    Jan_Scholten
    New Member
    July 11, 2011
    AFAIK you can do a static NAT on both WAN interfaces, not sure whether this works with port forwarding (but shouldn't it as well?)
    ede_pfau
    SuperUser
    July 11, 2011
    Hi, you can create 2 VIPs from different public IPs to the same internal IP. In case of emergency you'd have to change the DNS MX record to specify your WAN2 public IP instead of the WAN1 IP. Of course you need the same set of policies from WAN2 to internal and vice versa.
    Jan_Scholten
    New Member
    July 11, 2011
    @ede: You are right, but a short test shows that when you do port forwarding it says duplicate Entry when having WAN1/0.0.0.0:443 and you try to create WAN2/0.0.0.0:443. This may work when you have static IP addresses, and therefore a static external Address, but fails (at least in my test) when you have two dial-up lines. (tested with 4.1.9)
    ede_pfau
    SuperUser
    July 11, 2011
    yes, there seems to always be an exception. I had no clue that the OP was talking about dynamic WAN IPs. Juraj, do you?
    rwpatterson
    New Member
    July 11, 2011
    I found a while ago that the FGT units treat 0.0.0.0 as an address (as opposed to a subnet), so having this on both interfaces leads to the 'duplicate' error. Very dumb, IMO...
    Juraj (Author)
    New Member
    July 11, 2011
    @ede_pfau no, both WAN addresses are static. @rwpatterson that's because of the port, not the address. I've found that no matter what device, you can only set up one VIP for one port, so if I have 25 on WAN1 I can't set up 25 on WAN2...
    ede_pfau
    SuperUser
    July 12, 2011
    I just configured both WAN lines to map a higher port to port 22 for ssh, to the same internal host. No problem. You cannot specify the wildcard '0.0.0.0' on both interfaces, but you can use one wildcard and one static IP. And even with 3 identical mappings to the same host and port I do not have any problems - just added a VIP on 'internal'. So I have VIPs on one wildcard IP and 2 static IPs.
    Juraj (Author)
    New Member
    July 12, 2011
    Aha, OK. But the problem is that I need to be able to receive emails from everyone, not just one IP address, which means that I need to have both as 0.0.0.0 or something that'll guarantee me to receive emails from everyone. Is there a wildcard that'll give me such an option?
    ede_pfau
    SuperUser
    July 12, 2011
    Maybe there's a little confusion about the 'wildcard' IP. A VIP maps an external IP to another (usually internal) IP. The external IP might be a single host address (a.b.c.d/32) or a subnet. In your example, if you host an internal mail server, you map a single external IP to it which is specified in the MX record of your DNS setup.

    If your ISP provides one public static IP only, this is the external address of your Fortigate. You can use it in a port-forwarding VIP to direct SMTP (or other services) to your internal mail server. You cannot use a VIP without port forwarding in this case (as you have to share this one address for many different services).

    If the ISP provides a public subnet (like 1.2.3.4/28 with 16 addresses) you use one of these public addresses for your mailserver. This usually will not be the FGT's WAN IP. The FGT will proxy-arp for it and redirect all traffic with this destination IP to the internal IP given in the VIP. This might use port forwarding or not.

    Often the ISP assigns one public dynamic IP address to you; then you cannot specify it in the VIP definition. To enable use of the public IP you can use the '0.0.0.0' wildcard, meaning 'traffic to the actual external IP address at this moment will be mapped to the internal address'.

    A VIP only handles destination address(es), not source addresses. What you are concerned about are source addresses of hosts sending mails to your server. As a VIP doesn't touch source addresses you don't need to be concerned about it here.
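As an added example, not posted by anyone in this thread, here is the FortiOS CLI shape of what ede_pfau describes in the two posts above: a port-forwarding VIP with the '0.0.0.0' wildcard on wan1, a second VIP on wan2 bound to that line's static public address, both mapped to the same internal mail server, and the matching inbound policy for each WAN interface. The interface names, the VIP and policy names, the public address 203.0.113.10 and the internal host 192.168.1.25 are assumptions chosen for illustration (documentation ranges), not values from the thread.

```text
# Added example (not from the thread). Interface names, object names
# and addresses are assumptions; 203.0.113.10 and 192.168.1.25 are
# documentation-range placeholders.

config firewall vip
    # wan1 gets the '0.0.0.0' wildcard: whatever wan1's current public
    # address is, TCP/25 sent to it is forwarded to the internal host.
    edit "vip_smtp_wan1"
        set extintf "wan1"
        set extip 0.0.0.0
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedip 192.168.1.25
        set mappedport 25
    next
    # wan2 uses its static public address instead of a second wildcard;
    # two wildcard VIPs on the same external port are what the FGT
    # rejects as a 'duplicate entry'.
    edit "vip_smtp_wan2"
        set extintf "wan2"
        set extip 203.0.113.10
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedip 192.168.1.25
        set mappedport 25
    next
end

config firewall policy
    # One inbound policy per WAN interface. Source stays 'all' because
    # the VIP only rewrites the destination, never the sender's address.
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip_smtp_wan1"
        set action accept
        set schedule "always"
        set service "SMTP"
        set logtraffic enable
    next
    edit 0
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip_smtp_wan2"
        set action accept
        set schedule "always"
        set service "SMTP"
        set logtraffic enable
    next
end
```

Both VIPs and both policies can sit in the configuration permanently; the cutover itself is the DNS MX change ede_pfau mentions earlier, not anything on the FGT. Logging on both policies lets you confirm, after a cutover, that SMTP sessions are actually arriving on wan2 rather than silently failing.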
    Juraj (Author)
    New Member
    July 12, 2011
    Thanks for the explanation. I still don't entirely understand the concept but have tried it and it works (which surprises me a bit). I set up the other VIP as coming from my WAN2 on port 25 to the exchange server and it works! I was under the impression that it wouldn't, so thank you for your input everyone, mainly ede_pfau.
    siomyn
    New Member
    September 28, 2016
    Hi Ede,

    How about the outbound traffic? If we have round robin LLB for outbound traffic, the mail server will send the outbound mail to wan1 or wan2 randomly.

    Will the recipient detect our emails as spam? Because inbound will use wan1 (primary MX) and the outbound email will use either wan1 or wan2 (randomly).

    Thanks,

    ede_pfau
    SuperUser
    September 28, 2016
    I don't think it will switch with every connection, but I'm open if you can correct me.

    AFAIK the LLB is done based on a hash of the source address. If that is indeed the case, only one WAN port will be used for traffic from a specific host, all the time. If both source and destination address were hashed it would use both ports, albeit with no foreseeable weights.

    Needs testing if someone can sacrifice the time...