roberto_papa
New Member
March 25, 2025
Question

Unable to reach virtual server on a VLAN


Hi,

I've created virtual servers on FortiGate (e.g. mail.customer.com, phone.customer.com...) and everything works on the LAN, but when I connect my PC to a VLAN I can't reach any of them, so if (for example) I want to connect to my mail server, it doesn't work.

I'm able to ping mail.customer.com (it returns the public IP).

I've created a firewall policy rule but I'm not sure how to create a static route and/or policy route.

Can you help me?

Thanks.

4 replies

adambomb1219
SuperUser
March 25, 2025

Need way more details here.  Does DNS work?  Is there a policy in place?  Is this inbound NAT using a virtual IP?  Something else?

roberto_papa
New Member
March 28, 2025

I've replied with my configuration

dingjerry_FTNT
Staff
March 25, 2025

Hi @roberto_papa ,

Could you please attach the FGT config?

Or at least share the VIP configurations and relevant firewall policies.

roberto_papa
New Member
March 27, 2025

I've replied with my configuration

Sheikh
Staff
March 25, 2025

Hello @roberto_papa

With this limited information, it would be difficult to provide or suggest next action plans.

Regards,

Sheikh

roberto_papa
New Member
March 27, 2025

If I ping a virtual server it returns the public IP, not the local IP (I don't want to forward traffic locally VLAN-LAN).
I've created a virtual server for the VLAN:

virtualserver.png

and a policy:

policy.png

I didn't create a DNS server for the VLAN because I want to ping the virtual server by public IP, not local IP (if creating a DNS server for the VLAN is the only possible solution, I'll create it).

Tracert goes out, but it stops at the public IP when the packet returns.

Maybe it's a static route problem:

staticroute.png

or a policy route problem:

POLICYroute.png

dingjerry_FTNT
Staff
March 27, 2025

1) I am not sure why you are not using VIP. You are using Virtual Server unless you have multiple real servers for load balancing; otherwise, you may use VIP. Apparently, you don't.

Please check this KB for how to configure VIP:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configuration/ta-p/198143

2) The static route for the external IP of your Virtual Server is supposed to be linked to "VLAN Ospiti", not "lan".

dingjerry_FTNT
Staff
March 27, 2025

Oh, the policy route is not necessary.