You have a few choices all are nasty
1st have you tried with the src-ip left as-is 0.0.0.0 ?
config firewall vip
edit "NTP"
set mappedip "10.10.1.112"
set extintf "wan1"
set portforward enable
set extport 123
set mappedport 123
next
end
2nd you can't do what your asking directly since you have overlap of ext-srcs and the mapped. if you think about it the mappedip is in the src-range
3rd , your next option is. you have to out-play the fortigate so speak, since any local assigned address used will overlap in the src-range. You can try the following as a guide.
e.g a workaround is to eliminate the local address by breaking up the src-range and applying multiple vips
config firewall vip edit "test-vip1" set uuid 88b9508a-a92e-51eb-c370-f85b1c740d8a set type load-balance set extip 0.0.0.0-9.255.255.255 set mappedip "10.0.1.112" set extintf "wan1" set portforward enable set extport 999 set mappedport 999 next edit "test-vip2" set uuid b40364f6-a92e-51eb-853d-7321802aaa2d set type load-balance set extip 11.0.0.0-192.167.255.2255 set mappedip "10.0.1.112" set extintf "wan1" set portforward enable set extport 999 set mappedport 999 next edit "test-vip3" set uuid b40364f6-a92e-51eb-853d-7321802aaa2d set type load-balance set extip 192.169.0.0-239.255.255.255 set mappedip "10.0.1.112" set extintf "wan1" set portforward enable set extport 999 set mappedport 999 next and so on
You have to poke hole for all interfaces address , all static routes address, all vpns end-points, etc........that you have, and ip address assigned on the fortigate.
Like I said, not a clean approach but very a nasty approach
if you come across a better way, please post what you ultimately do, but the above is what we did with mixed results. We have a test lab and had reasons for doing the above. I would not recommend the above in a production env. A proper SLB would be best suited.
I think using the 0.0.0.0 vip is the best approach but let us know if it works
Ken Felix
