RuuJan
New Member
May 17, 2019
Solved

Strange VIP problem

  • May 17, 2019
  • 3 replies
  • 15163 views

Hi, I have a strange problem. I have a new Fortigate 60E and I've configured it to replace an old pfSense router. There is an OpenVPN server inside the network and I have to create a port forwarding to it. I'm not able to get this working. So I created another port forwarding to a Windows machine and tried to RDP into that. To my surprise this works. I can even test the policy with Policy Lookup to simulate a session to the external IP address. TCP 3389 works without a problem. TCP 943 (management page) and UDP 1194 (tunnel) don't match a policy.


I've checked it over and over but I guess I'm missing something.


This is my CLI configuration:

config firewall policy
    edit 13
        set name "OVPN"
        set uuid eeb3d648-70dd-51e9-8b48-10597084cee0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "OpenVPN"
        set action accept
        set schedule "always"
        set service "SOpenVPN"
        set logtraffic all
        set fsso disable
    next
end

config firewall policy
    edit 15
        set name "RDPTest"
        set uuid e9f28758-77bd-51e9-f8b4-0258a68224be
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "RDP"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic all
        set fsso disable
    next
end


    Best answer by ede_pfau

    Regular routing directs traffic according to the destination address. Only.

    Policy routing can match more criteria like source address or ports.

    3 replies

    Fullmoon
    New Member
    May 17, 2019

    may you please check if there's a built in firewall openvpn server.

    RuuJan
    RuuJanAuthor
    New Member
    May 17, 2019

    Hi Fullmoon, thanks, but that is not the issue. I tested from another VLAN and the management page on the VPN server is reacting normally. Besides that, the policy lookup shows there is a route.


    Is there a way to test what rule is blocking my traffic?

    rwpatterson
    New Member
    May 17, 2019

    RuuJan wrote:

           set service "SOpenVPN"

    Please show the contents of the above custom service. Source ports should be 1024-65535, and destination should be the target port(s).

    RuuJan
    RuuJanAuthor
    New Member
    May 17, 2019

    This is the service as I created it. Is it necessary to specify the source ports?

    config firewall service custom
        edit "SOpenVPN"
            set category "Tunneling"
            set tcp-portrange 943
            set udp-portrange 1194
        next
    end

    rwpatterson
    New Member
    May 17, 2019

    That's fine. If you do not specify, it assumes source port range is 1-65535 which covers everything. Missing is the 'set protocol TCP/UDP/SCTP' line. Not sure if that is needed, but give it a shot.


    Matrix
    Explorer
    January 29, 2023

    Hi, I have a similar problem: I have an OpenVPN server inside the network.

    So I created a VIP:

    edit OVPN
    set comment "OVPN"
    set extip 1.1.1.1
    set mappedip "2.2.2.2"
    set extintf "wan2"
    set color 12


    FW policy:
    set srcintf "wan2"
    set dstintf "lan1"
    set srcaddr "all"
    set dstaddr "OVPN"
    set action accept
    set schedule "always"
    set service "ALL"
    set logtraffic all

    wan2 is my secondary circuit, so I created a route policy for the return traffic:

    edit
    set input-device "lan1"
    set srcaddr "2.2.2.2"
    set dstaddr "all"
    set output-device "wan2"
    set gateway 1.1.1.2

    Still no luck. I have tried multiple things, still not working. I ran debug on the srcaddress and I see TCP RST.
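To make the two questions in this thread concrete (whether RuuJan's custom service without explicit source ports can match TCP 943 / UDP 1194, and whether Matrix's VIP on wan2 and the policy that references it line up for an inbound packet), here is an added example that is not from any poster: a small offline simulation of a FortiGate policy lookup for VIP (DNAT) traffic. It parses the config/edit/set/next/end syntax seen in the posts, applies the FortiOS port-range token format `dst[-dst][:src[-src]]` (source defaulting to 1-65535), and walks the policy table. The config text is constructed: the "OpenVPN" VIP object, its addresses, and policy id 20 are assumptions, since the posts show the policies but not every VIP object. It deliberately ignores policy routes, srcaddr and match-vip behaviour, so it explains matching, not Matrix's TCP RST.

```python
"""Added example (not from the thread): simulate a FortiGate policy lookup for
inbound VIP traffic, using a constructed config.  The "OpenVPN" VIP, its
addresses and policy id 20 are assumptions, not values from the posters."""
import shlex

CONFIG = """
config firewall vip
    edit "OpenVPN"
        set extip 203.0.113.10
        set mappedip "192.168.1.20"
        set extintf "wan1"
    next
    edit "OVPN"
        set extip 1.1.1.1
        set mappedip "2.2.2.2"
        set extintf "wan2"
    next
end
config firewall service custom
    edit "SOpenVPN"
        set tcp-portrange 943
        set udp-portrange 1194
    next
end
config firewall policy
    edit 13
        set srcintf "wan1"
        set dstaddr "OpenVPN"
        set action accept
        set service "SOpenVPN"
    next
    edit 20
        set srcintf "wan2"
        set dstaddr "OVPN"
        set action accept
        set service "ALL"
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit "):
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entry[key] = shlex.split(value)   # a 'set' may list several quoted values
        elif line == "next":
            entry = None
        elif line == "end":
            table = None
    return tables

def parse_portrange(token):
    """FortiOS port-range token dst[-dst][:src[-src]]; source defaults to 1-65535."""
    dst, _, src = token.partition(":")
    def span(text, default):
        if not text:
            return default
        lo, _, hi = text.partition("-")
        return int(lo), int(hi or lo)
    return span(dst, None), span(src, (1, 65535))

def service_matches(svc, proto, dport, sport):
    """True if the custom service has a <proto>-portrange covering dport and sport."""
    for token in svc.get(f"{proto}-portrange", []):
        (dlo, dhi), (slo, shi) = parse_portrange(token)
        if dlo <= dport <= dhi and slo <= sport <= shi:
            return True
    return False

def policy_lookup(cfg, in_intf, dst_ip, proto, dport, sport=40000):
    """Return (policy id, mapped ip) of the first accepting policy, else (None, None).
    Simplified model: a VIP applies only if extip == dst_ip and extintf is the ingress
    interface (or 'any'); the policy's dstaddr must then name that VIP object."""
    vip_name, mapped = None, None
    for name, vip in cfg.get("firewall vip", {}).items():
        if vip["extip"][0] == dst_ip and vip.get("extintf", ["any"])[0] in (in_intf, "any"):
            vip_name, mapped = name, vip["mappedip"][0]
            break
    if vip_name is None:
        return None, None          # no VIP for this interface/address: nothing to DNAT
    services = cfg.get("firewall service custom", {})
    for pid, pol in cfg.get("firewall policy", {}).items():
        if in_intf not in pol["srcintf"] or vip_name not in pol["dstaddr"]:
            continue
        svc_ok = "ALL" in pol["service"] or any(
            service_matches(services.get(s, {}), proto, dport, sport) for s in pol["service"])
        if svc_ok and pol["action"][0] == "accept":
            return int(pid), mapped
    return None, None

CFG = parse_fortios(CONFIG)

if __name__ == "__main__":
    for pkt in [("wan1", "203.0.113.10", "tcp", 943), ("wan1", "203.0.113.10", "tcp", 1194),
                ("wan2", "1.1.1.1", "tcp", 1194), ("wan1", "1.1.1.1", "tcp", 1194)]:
        print(pkt, "->", policy_lookup(CFG, *pkt))
```

Running it shows TCP 943 and UDP 1194 matching policy 13 regardless of the client's source port, TCP 1194 matching nothing (the service only lists 1194 for UDP), and the wan2 VIP matching policy 20 only when the packet actually arrives on wan2. Passing a token such as `943:1024-65535` to `service_matches` shows the effect of the explicit source range rwpatterson mentioned.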