Topology of Virtual IP:
2.2.2.245 ---> 2.2.2.220(port2)FGT(port3) 3.3.3.244 ---> 3.3.3.243
Configuration of Virtual IP:
# config system interface
    edit "port2"
        set vdom "root"
        set ip 2.2.2.244 255.255.255.0
        set allowaccess ping fabric
        set type physical
        set snmp-index 2
    next
end
# config firewall vip
    edit "port2_VIP"
        set uuid 825807aa-8b35-51ed-c0f4-9bdf16054d79
        set extip 2.2.2.200
        set mappedip "3.3.3.243"
        set extintf "port2"
        set portforward enable
        set protocol icmp
    next
end
# config firewall policy
    edit 1
        set uuid 999b1b82-8b35-51ed-c0e3-3fc427d764cb
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "port2_VIP"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
Debug flow with the configuration above (the VIP works: DNAT is applied and the packet is allowed by policy 1):
id=65308 trace_id=11 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 2.2.2.245:2048->2.2.2.200:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=2048, seq=0."
id=65308 trace_id=11 func=init_ip_session_common line=6073 msg="allocate a new session-000128a6, tun_id=0.0.0.0"
id=65308 trace_id=11 func=get_new_addr line=1228 msg="find DNAT: IP-3.3.3.243, port-2048"
id=65308 trace_id=11 func=fw_pre_route_handler line=178 msg="VIP-3.3.3.243:2048, outdev-port2"
id=65308 trace_id=11 func=__ip_session_run_tuple line=3523 msg="DNAT 2.2.2.200:8->3.3.3.243:2048"
id=65308 trace_id=11 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-3.3.3.243 via port3"
id=65308 trace_id=11 func=fw_forward_handler line=918 msg="Allowed by Policy-1:"
If security-mode captive-portal is enabled on port2 (the external interface of the VIP), the VIP stops working: the DNAT is still found, but the packet no longer matches policy 1 and is dropped by the implicit deny (policy 0).
# config system interface
    edit "port2"
        set vdom "root"
        set ip 2.2.2.244 255.255.255.0
        set allowaccess ping fabric
        set type physical
        set security-mode captive-portal
        set snmp-index 2
    next
end
Debug flow with captive-portal enabled on port2:
id=65308 trace_id=14 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 2.2.2.245:2304->2.2.2.200:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=2304, seq=0."
id=65308 trace_id=14 func=init_ip_session_common line=6073 msg="allocate a new session-0001294a, tun_id=0.0.0.0"
id=65308 trace_id=14 func=get_new_addr line=1228 msg="find DNAT: IP-3.3.3.243, port-2304"
id=65308 trace_id=14 func=fw_pre_route_handler line=178 msg="VIP-3.3.3.243:2304, outdev-port2"
id=65308 trace_id=14 func=__ip_session_run_tuple line=3523 msg="DNAT 2.2.2.200:8->3.3.3.243:2304"
id=65308 trace_id=14 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-3.3.3.243 via port3"
id=65308 trace_id=14 func=fw_forward_handler line=753 msg="Denied by forward policy check (policy 0)"
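The two traces differ only in their last line, which is easy to miss in a long debug-flow capture. The following added example (not part of the original article or of FortiOS) parses debug-flow output per trace_id, extracts the ingress interface, DNAT target, egress interface and policy verdict, and reports the "DNAT found but implicit deny" pattern shown above. The sample trace lines are a constructed copy of the key lines from this page.

```python
import re
from collections import defaultdict

# Constructed sample: key lines of the two debug-flow traces on this page
# (trace 11: VIP working; trace 14: captive-portal enabled on port2).
SAMPLE_TRACE = '''
id=65308 trace_id=11 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 2.2.2.245:2048->2.2.2.200:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=2048, seq=0."
id=65308 trace_id=11 func=get_new_addr line=1228 msg="find DNAT: IP-3.3.3.243, port-2048"
id=65308 trace_id=11 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-3.3.3.243 via port3"
id=65308 trace_id=11 func=fw_forward_handler line=918 msg="Allowed by Policy-1:"
id=65308 trace_id=14 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 2.2.2.245:2304->2.2.2.200:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=2304, seq=0."
id=65308 trace_id=14 func=get_new_addr line=1228 msg="find DNAT: IP-3.3.3.243, port-2304"
id=65308 trace_id=14 func=fw_forward_handler line=753 msg="Denied by forward policy check (policy 0)"
'''

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) .*?msg="(.*)"$', re.M)
PKT_RE = re.compile(r'received a packet\(.*\) .* from (\S+)\.')
DNAT_RE = re.compile(r'find DNAT: IP-(\S+), port-\d+')
ROUTE_RE = re.compile(r'via (\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')

def parse_flow(text):
    """Group trace lines by trace_id; keep ingress, DNAT, egress and verdict."""
    flows = defaultdict(lambda: dict(indev=None, dnat=None, outdev=None, verdict=None))
    for m in LINE_RE.finditer(text):
        tid, func, msg = m.groups()
        f = flows[tid]
        if func == "print_pkt_detail" and (p := PKT_RE.search(msg)):
            f["indev"] = p.group(1)            # interface the packet arrived on
        elif func == "get_new_addr" and (d := DNAT_RE.search(msg)):
            f["dnat"] = d.group(1)             # VIP mappedip chosen for the session
        elif func == "vf_ip_route_input_common" and (r := ROUTE_RE.search(msg)):
            f["outdev"] = r.group(1)           # egress interface from the route lookup
        elif func == "fw_forward_handler":     # final policy decision
            a = ALLOW_RE.search(msg)
            f["verdict"] = ("allowed", int(a.group(1))) if a else ("denied", msg)
    return dict(flows)

def diagnose(flow):
    """Turn one parsed trace into a one-line troubleshooting finding."""
    if flow["dnat"] is None:
        return "no VIP matched: check extip/extintf of the firewall vip"
    kind, detail = flow["verdict"] or ("none", "")
    if kind == "allowed":
        return f"ok: DNAT to {flow['dnat']} via {flow['outdev']}, policy {detail}"
    if "policy 0" in detail:
        return (f"DNAT to {flow['dnat']} matched but no policy did (implicit deny): "
                f"check security-mode captive-portal on {flow['indev']}")
    return "undetermined: " + detail
```

Feed it the output of `diagnose debug flow` captured to a file; each trace_id then gets one finding instead of a wall of lines.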