Description
This article explains how to configure a VIP using a loopback interface.
Scope
FortiOS v5.2
Solution
This article gives the configuration steps for reaching an internal IP address through a VIP whose external IP is the address of a loopback interface, so that the same VIP can be reached from several source interfaces and subnets (for example wan1, wan2 and a VPN interface).
The configuration has four steps:
1) Add a loopback interface.
2) Add a VIP whose external IP is the loopback interface address.
3) Create a firewall policy permitting traffic from the incoming interface to the loopback interface.
4) Create a firewall policy permitting traffic from the loopback interface to the outgoing interface, with the VIP as the destination address.
Both firewall policies can be restricted further (source addresses, services, schedule) as required.
Scenario

VIP: Internal 10.10.10.2 <-> loopback 172.16.33.1

                   loopback (testl0, 172.16.33.1)
                            |
   Internal          _______|_______          wan1 / wan2 / VPN
   10.10.10.2 -------|   FortiGate  |-------------------------
                     |______________|
1) Add a loopback interface. Its address, 172.16.33.1/32 in this example, is the external IP used by the VIP in step 2 and the address that the address object IP_loopback in step 3 refers to. Note that allowaccess opens management access (including plain HTTP) on this address to whatever the step 3 policy lets through; keep only the protocols that are actually needed.
config system interface
    edit "testl0"
        set vdom "root"
        set ip 172.16.33.1 255.255.255.255
        set allowaccess ping https ssh http
        set type loopback
        set snmp-index 10
    next
end
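The policy in step 3 uses a firewall address object named IP_loopback for the loopback address, but the article does not show how that object is created. The following block is added here as a worked example and is not from the original article; it assumes the object name IP_loopback (taken from the policy) and the loopback address 172.16.33.1/32 configured above.

```text
config firewall address
    edit "IP_loopback"
        set type ipmask
        set subnet 172.16.33.1 255.255.255.255
    next
end
```

Create this object before the step 3 policy; the policy cannot reference an address object that does not exist yet.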
2) Add a VIP. The external IP is the loopback address (172.16.33.1) and the mapped IP is the internal host (10.10.10.2). With extintf set to "any" the VIP is not bound to a single external interface.
config firewall vip
    edit "test_VIP"
        set extip 172.16.33.1
        set extintf "any"
        set mappedip "10.10.10.2"
    next
end
3) Create a firewall policy permitting traffic from the incoming interface to the loopback interface. The example uses wan2; add one such policy for each incoming interface (wan1, the VPN interface) that should reach the VIP. IP_loopback is a firewall address object for 172.16.33.1/32 and must exist before it is referenced here. The policy ID (10) is only an example; use any unused ID.
config firewall policy
    edit 10
        set srcintf "wan2"
        set dstintf "testl0"
        set srcaddr "all"
        set dstaddr "IP_loopback"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
end
4) Create a firewall policy permitting traffic from the loopback interface to the outgoing interface (internal), with the VIP as the destination address. NAT is disabled on this policy, so the internal host sees the original source address and must have a route back through the FortiGate. The policy ID (11) is only an example.
config firewall policy
    edit 11
        set srcintf "testl0"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "test_VIP"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
end
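To confirm which policies a session actually matches and that the VIP translation is applied, the FortiOS CLI commands below can be run while a test client sends traffic to 172.16.33.1. They are added here as a verification step and are not part of the original article; they assume the object names used above (testl0, test_VIP), and lines starting with # are comments rather than commands.

```text
# Review the objects as stored on the unit
show system interface testl0
show firewall vip test_VIP
show firewall policy

# Trace sessions whose source or destination is the loopback/VIP external IP
diagnose debug flow filter addr 172.16.33.1
diagnose debug flow show console enable
diagnose debug flow trace start 10
diagnose debug enable

# ... send traffic from the test client to 172.16.33.1 now ...

# Stop the trace and clear the debug settings
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

# Alternatively, capture packets before and after translation
diagnose sniffer packet any 'host 172.16.33.1 or host 10.10.10.2' 4
```

In the flow trace, check that the destination is translated from 172.16.33.1 to 10.10.10.2 and that the "Allowed by Policy" lines name the policy IDs you created; if a different policy is reported, the session is not taking the loopback path described above and the interface names or address objects in the policies should be rechecked.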