hbuenafe81
Explorer III
February 4, 2024
Question

VIPs on loopback with s2s communication

  • February 4, 2024
  • 5 replies
  • 9647 views

Gents,

I need your assistance here. I have an s2s connection and I want the remote side to access my server ports through the loopback interface. The s2s is up and able to reach my loopback interface; however, my VIP port forwarding using the loopback is not responding. Based on my diagnose sniffer, the remote side is able to reach the loopback but no ACK is received, as shown below.

 

3953.534013 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3956.547416 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3962.546623 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913

 

----config---

config system interface
    edit "Loopback102"
        set vdom "root"
        set ip 10.0.225.102 255.255.255.255
        set allowaccess ping https ssh http fgfm
        set type loopback
        set role lan
        set snmp-index 25
    next
end

-----------------

config firewall policy
    edit 66
        set name "ewew"
        set uuid 7be5d9e4-c0fc-51ee-71e4-dc872d849459
        set srcintf "TO-JED"
        set dstintf "Loopback102"
        set action accept
        set srcaddr "JED-DMZ-SVR"
        set dstaddr "iNET-1200"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments " "
    next
end

config firewall vip
    edit "iNET-1200"
        set uuid 5099f20a-c0f9-51ee-edd8-d4b4f6b515f3
        set extip 10.0.225.102
        set mappedip "10.3.131.160"
        set extintf "any"
        set portforward enable
        set extport 1200
        set mappedport 7000
    next
end

 

 

5 replies

mpeddalla
Staff
February 4, 2024

Hello @hbuenafe81,

 

Thank you for contacting the Fortinet Forum portal.

Once the traffic reaches the loopback interface, does it reach the actual server? I am not sure you can achieve this: once the traffic from the remote site reaches the loopback interface's private address, the session will be offloaded on that interface. Is there any other route you have to the end server from the loopback?

 

Please collect the debug logs below to see the flow more clearly.

 

# get router info routing-table details 10.0.255.102

# get router info routing-table details 10.3.131.160

 

# diagnose debug reset

# diagnose debug flow trace stop

# diagnose debug flow filter clear

# diagnose debug flow filter addr <src-ip>    (the remote IP address from where the traffic is generated)

# diagnose debug flow filter port <portnumber>

# diagnose debug flow show function-name enable

# diagnose debug flow iprope en

# diagnose debug console timestamp enable

# diagnose debug flow trace start 999

# diagnose debug enable

 

# diagnose debug disable

 

Best regards,

Manasa.

 

If you feel the above steps helped resolve the issue, mark the reply as solved so that other customers can find it easily when searching for similar scenarios.

hbuenafe81
Explorer III
February 4, 2024

Thanks for the prompt response. As suggested, see below. When I tried from the loopback interface to reach 10.3.131.160, the port is reachable/open; the thing is that it is not mapping to the loopback interface.

 

NSPTSDFW02 # get router info routing-table details 10.0.255.102

Routing table for VRF=0
Routing entry for 10.0.0.0/8
Known via "static", distance 1, metric 0, best
* via iNET-s2s tunnel x.x.x.x, tun_id

NSPTSDFW02 # get router info routing-table details 10.3.131.160

Routing table for VRF=0
Routing entry for 10.3.131.0/24
Known via "connected", distance 0, metric 0, best
* is directly connected, port4

NSPTSDFW02 # diag sniffer packet any "host 10.1.74.21 and port 1200" 4
interfaces=[any]
filters=[host 10.1.74.21 and port 1200]
13.643032 TO-JED in 10.1.74.21.65165 -> 10.0.225.102.1200: syn 1131091791
16.649474 TO-JED in 10.1.74.21.65165 -> 10.0.225.102.1200: syn 1131091791
22.649572 TO-JED in 10.1.74.21.65165 -> 10.0.225.102.1200: syn 1131091791

------

NSPTSDFW02 # execute telnet 10.3.131.160 7000
Trying 10.3.131.160...
Connected to 10.3.131.160.
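
The two sniffer captures in this thread (the one in the question and the one just above) show the symptom every time: the same SYN, same sequence number, retransmitted at roughly 3 s and 6 s intervals, and nothing ever leaving the FortiGate in the other direction. The following is an added example, not code from the thread or from Fortinet, that parses `diag sniffer packet ... 4` output and flags flows that never got a SYN/ACK, so you can tell a "policy/VIP/route problem on the FGT" flow apart from a flow that was answered and then failed later. The three unanswered lines are copied from the post; the three lines for port 443 are constructed to show what a completed handshake looks like in the same format, and port 443 is used only as an illustration.

```python
import re

# Constructed sample. The first three packet lines are from the forum post;
# the port-443 lines are made up here to show a completed handshake.
SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[host 10.1.74.21 and port 1200]
3953.534013 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3956.547416 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3962.546623 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
4001.000000 TO-JED in 10.1.74.21.65100 -> 10.0.225.102.443: syn 1000
4001.000500 TO-JED out 10.0.225.102.443 -> 10.1.74.21.65100: syn 2000 ack 1001
4001.001000 TO-JED in 10.1.74.21.65100 -> 10.0.225.102.443: ack 2001
"""

# One TCP packet line at sniffer verbosity 4:
# <timestamp> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags ...>
PACKET_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ifname>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)


def parse_packets(text):
    """Return one dict per TCP packet line; header and filter lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        flags = p.pop("rest").split()
        p["ts"] = float(p["ts"])
        p["syn"] = "syn" in flags
        p["ack"] = "ack" in flags
        packets.append(p)
    return packets


def flow_key(p, known):
    """Orient the 4-tuple as (client, cport, server, sport)."""
    fwd = (p["src"], p["sport"], p["dst"], p["dport"])
    rev = (p["dst"], p["dport"], p["src"], p["sport"])
    if p["syn"] and not p["ack"]:
        return fwd  # bare SYN: the sender is the client
    if p["syn"] and p["ack"]:
        return rev  # SYN/ACK: the sender is the server
    return fwd if fwd in known else rev  # later segments: attach to the flow we saw


def classify_flows(packets):
    """Group packets per flow and label each flow by how far the handshake got."""
    flows = {}
    for p in packets:
        key = flow_key(p, flows)
        st = flows.setdefault(key, {"syn": 0, "synack": 0, "other": 0,
                                    "first": p["ts"], "last": p["ts"], "seen_on": set()})
        if p["syn"] and not p["ack"]:
            st["syn"] += 1
        elif p["syn"] and p["ack"]:
            st["synack"] += 1
        else:
            st["other"] += 1
        st["last"] = p["ts"]
        st["seen_on"].add((p["ifname"], p["dir"]))
    for st in flows.values():
        if st["synack"] == 0:
            # Only client SYNs, nothing back: the FGT accepted the packet on the
            # ingress interface but never forwarded or answered it.
            st["status"] = "syn-unanswered"
        elif st["other"] == 0:
            st["status"] = "synack-only"
        else:
            st["status"] = "established"
    return flows


if __name__ == "__main__":
    for key, st in classify_flows(parse_packets(SNIFFER_OUTPUT)).items():
        client, cport, server, sport = key
        print(f"{client}:{cport} -> {server}:{sport}  {st['status']}  "
              f"syn={st['syn']} synack={st['synack']} "
              f"span={st['last'] - st['first']:.1f}s seen_on={sorted(st['seen_on'])}")
```

Run it against a saved `diag sniffer packet any "host <remote> and port <vip-port>" 4` capture. A flow reported as `syn-unanswered` with `seen_on` containing only the ingress interface is exactly the case in this thread, and the next step is the `diagnose debug flow` trace from the staff reply, which shows which policy (or the implicit deny) the SYN hit.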

ebilcari
Staff
February 4, 2024

If the server is behind another router/NAT device, make sure it can reach the loopback IP (10.0.225.102) on the FGT, and also, based on this article, you need another firewall policy allowing the traffic from the loopback to the server.

Emirjon
hbuenafe81
Explorer III
February 5, 2024

Gents,

 

Just an update: I tried to simulate locally and found the same issue. What I did was make another interface and create a policy to communicate with the loopback, and that was successful. However, the same issue remains: the server ports that were assigned to the loopback via VIPs (multiple test servers and ports) are not open. It's weird; I don't know the issue here. :( Has anyone tried VIPs using a loopback as the external IP?

Toshi_Esumi
SuperUser
February 7, 2024

Not contributing to fixing this problem, but you probably wouldn't have had to deal with it if you had used the tunnel interface to set the IP and VIP instead of the loopback interface. With that, you don't need two sets of policies, just one set between the tunnel interface and the LAN interface.

Toshi

hbuenafe81
Explorer III
February 8, 2024

Got you, bro. It's a customer's demand for security reasons; there's nothing you can do about it. Anyhow, thanks everyone.

ken24
New Member
June 17, 2024

Hi @hbuenafe81

I have exactly the same problem: I need to use a VIP on a loopback interface for traffic coming from an s2s VPN. I've tried everything, but I can't get it to do the NAT. Did you solve this problem?

 

Ken

hbuenafe81
Explorer III
June 18, 2024

@ken24

Yes, I solved it. Could you share the trace and the policy you created for us to check? Kindly also try entering the command below on the VIP.

 

set portforward enable

ken24
New Member
June 18, 2024

Hi @hbuenafe81 

Thanks for your response.

I have two policies: the first one from the s2s VPN towards the loopback (permit any to any), and the second policy from the loopback towards the LAN interface (permit any to VIP). I do not have screenshots of the policies since it is a client's FortiGate and I did the tests during a maintenance window; afterwards I rolled back my changes.

The ping tests from the VPN to the IP of my loopback respond correctly, but when I generate traffic to the VIP it does not match my policies and the traffic hits the implicit deny policy.

In my VIPs I have the "set portforward enable" command enabled. What other changes did you make to get NAT working correctly for you? I need to have a plan for my next maintenance window with the client.

sw2090
SuperUser
June 19, 2024

The above from ken24 sounds correct to me. But if there is no SNAT on the second policy, your server will have to have a static route to your VPN subnet/source IPs with the FGT as gateway, or it must have the FGT as its default GW. Otherwise, in this case your ping will reach the server but the reply will not reach back to you.

Secondly, your traffic still comes from the VPN and you have a policy from loopback to LAN. That certainly will not match traffic coming from your VPN.