_mribwan (Staff)
Article Id 308136
Description This article describes how to create DNAT/VIP entries that map a single external IP to multiple internal IPs.
Scope FortiGate.
Solution

The key is to configure an optional filter (in this example the service) on every DNAT/VIP that uses the same external IP. With a filter on each entry, several internal IPs can be mapped behind one external IP, and the filter decides which entry a connection hits.

The strict requirement is that ALL VIP entries using that external IP must have an optional filter. If one entry has no filter, every connection to that external IP matches that unfiltered entry, and the other VIPs are never selected, as described in this KB article:

Technical Tip: VIP/DNAT port forwarding not working (NGFW Policy based central NAT)

Config example:

config firewall service custom
    edit "TCP-892"
        set tcp-portrange 892
    next
    edit "tcp935"
        set tcp-portrange 935
    next
end

config firewall vip
    edit "DNAT 1"
        set service "TCP-892"
        set extip 10.47.2.111
        set mappedip "10.47.34.112"
        set extintf "port1"
    next
    edit "DNAT 2"
        set service "tcp935"
        set extip 10.47.2.111
        set mappedip "10.47.34.113"
        set extintf "port1"
    next
end
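The all-or-nothing filter rule is easy to break later, when someone adds a third VIP on the same external IP without a service. The following is an added example, not FortiGate code and not part of this article: it parses a CLI listing like the one above, warns about any external IP that mixes filtered and unfiltered VIPs, reports a destination port claimed by two filtered VIPs, and predicts which VIP a connection will hit using the matching behaviour described above. It assumes TCP-only custom services and plain VIPs (no port forwarding); the third VIP "DNAT 3" and its mapped IP 10.47.34.114 are constructed for the demonstration.

```python
# Added example: lint FortiOS VIP config for the "every VIP on a shared extip
# needs a filter" rule. Not FortiGate code; assumes tcp-portrange services only.
import shlex
from collections import defaultdict

# Service objects and VIPs from this article (real CLI spelling is lowercase 'vip').
ARTICLE_CONFIG = """
config firewall service custom
    edit "TCP-892"
        set tcp-portrange 892
    next
    edit "tcp935"
        set tcp-portrange 935
    next
end
config firewall vip
    edit "DNAT 1"
        set service "TCP-892"
        set extip 10.47.2.111
        set mappedip "10.47.34.112"
        set extintf "port1"
    next
    edit "DNAT 2"
        set service "tcp935"
        set extip 10.47.2.111
        set mappedip "10.47.34.113"
        set extintf "port1"
    next
end
"""

# Constructed third VIP (not in the article) with no service filter: this is the
# misconfiguration the article warns about.
UNFILTERED_VIP = """
config firewall vip
    edit "DNAT 3"
        set extip 10.47.2.111
        set mappedip "10.47.34.114"
    next
end
"""

def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} for a FortiOS CLI listing."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[len("config "):].lower()
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = shlex.split(line[len("edit "):])[0]
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, *values = shlex.split(line[len("set "):])
            tables[table][entry][key] = values
        elif line == "next":
            entry = None
        elif line == "end":
            table = None
    return tables

def service_ports(tables, name):
    """Expand a custom service's tcp-portrange entries into a set of dst ports."""
    svc = tables.get("firewall service custom", {}).get(name)
    if svc is None:
        raise KeyError(f"unknown service {name!r}")
    ports = set()
    for spec in svc.get("tcp-portrange", []):
        dst = spec.split(":")[0]            # "8080:1024-65535" -> keep the dst part
        lo, _, hi = dst.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def lint_vips(tables):
    """Warnings for external IPs whose VIPs break the all-or-nothing filter rule."""
    warnings, by_extip = [], defaultdict(list)
    for name, attrs in tables.get("firewall vip", {}).items():
        by_extip[attrs.get("extip", [None])[0]].append((name, attrs))
    for extip, vips in by_extip.items():
        if len(vips) < 2:
            continue                        # one VIP per extip needs no filter
        unfiltered = [n for n, a in vips if "service" not in a]
        if unfiltered:
            warnings.append(f"{extip}: {unfiltered} have no service filter, so every "
                            f"connection to this external IP matches them instead")
        claimed = {}                        # dport -> first VIP claiming it
        for name, attrs in vips:
            for svc in attrs.get("service", []):
                for port in service_ports(tables, svc):
                    if claimed.setdefault(port, name) != name:
                        warnings.append(f"{extip}: tcp/{port} is claimed by both "
                                        f"{claimed[port]!r} and {name!r}")
    return warnings

def resolve_dnat(tables, extip, dport):
    """Predict (vip, mappedip) for TCP to extip:dport: an unfiltered VIP wins for
    everything, otherwise the VIP whose service covers dport, else None."""
    vips = [(n, a) for n, a in tables.get("firewall vip", {}).items()
            if a.get("extip", [None])[0] == extip]
    for name, attrs in vips:
        if "service" not in attrs:
            return name, attrs["mappedip"][0]
    for name, attrs in vips:
        if any(dport in service_ports(tables, s) for s in attrs["service"]):
            return name, attrs["mappedip"][0]
    return None
```

Run `lint_vips(parse_fortios(ARTICLE_CONFIG))` against the article's listing and it returns no warnings, while appending `UNFILTERED_VIP` produces one warning and makes `resolve_dnat` return "DNAT 3" for port 935 as well as 892, which is exactly the symptom the linked KB article describes.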

Debug flow result:

Connection to 10.47.2.111:935, matching VIP "DNAT 2" (mapped to 10.47.34.113):

Kancil-kvm36 # id=65308 trace_id=2004 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=6, 10.111.37.43:17335->10.47.2.111:935) tun_id=0.0.0.0 from port1. flag [S], seq 3864503231, ack 0, win 64240"
id=65308 trace_id=2004 func=init_ip_session_common line=6073 msg="allocate a new session-002dbe6f"
id=65308 trace_id=2004 func=iprope_dnat_check line=5473 msg="in-[port1], out-[]"
id=65308 trace_id=2004 func=iprope_dnat_tree_check line=824 msg="len=1"
id=65308 trace_id=2004 func=__iprope_check_one_dnat_policy line=5338 msg="checking gnum-100000 policy-5"
id=65308 trace_id=2004 func=get_new_addr line=1268 msg="find DNAT: IP-10.47.34.113, port-0(fixed port)"
id=65308 trace_id=2004 func=__iprope_check_one_dnat_policy line=5428 msg="matched policy-5, act=accept, vip=5, flag=104, sflag=2000000"
id=65308 trace_id=2004 func=iprope_dnat_check line=5494 msg="result: skb_flags-02000000, vid-5, ret-matched, act-accept, flag-00000104"
id=65308 trace_id=2004 func=fw_pre_route_handler line=191 msg="VIP-10.47.34.113:935, outdev-port1"
id=65308 trace_id=2004 func=__ip_session_run_tuple line=3457 msg="DNAT 10.47.2.111:935->10.47.34.113:935"

Connection to 10.47.2.111:892, matching VIP "DNAT 1" (mapped to 10.47.34.112):

Kancil-kvm36 # id=65308 trace_id=1999 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=6, 10.111.37.43:17282->10.47.2.111:892) tun_id=0.0.0.0 from port1. flag [S], seq 195359374, ack 0, win 64240"
id=65308 trace_id=1999 func=init_ip_session_common line=6073 msg="allocate a new session-002dbca7"
id=65308 trace_id=1999 func=iprope_dnat_check line=5473 msg="in-[port1], out-[]"
id=65308 trace_id=1999 func=iprope_dnat_tree_check line=824 msg="len=1"
id=65308 trace_id=1999 func=__iprope_check_one_dnat_policy line=5338 msg="checking gnum-100000 policy-4"
id=65308 trace_id=1999 func=get_new_addr line=1268 msg="find DNAT: IP-10.47.34.112, port-0(fixed port)"
id=65308 trace_id=1999 func=__iprope_check_one_dnat_policy line=5428 msg="matched policy-4, act=accept, vip=4, flag=104, sflag=2000000"
id=65308 trace_id=1999 func=iprope_dnat_check line=5494 msg="result: skb_flags-02000000, vid-4, ret-matched, act-accept, flag-00000104"
id=65308 trace_id=1999 func=fw_pre_route_handler line=191 msg="VIP-10.47.34.112:892, outdev-port1"
id=65308 trace_id=1999 func=__ip_session_run_tuple line=3457 msg="DNAT 10.47.2.111:892->10.47.34.112:892"
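After applying such a configuration, the debug flow output above is the evidence that each connection landed on the intended VIP. The following is an added example, not part of this article and not a FortiGate tool: it groups debug flow lines by trace_id, extracts the destination, the matched VIP id and the resulting DNAT translation, and compares each trace with the mapping the configuration is supposed to produce. The sample lines are the ones shown above, reduced to the three lines per trace the parser needs; the expected-mapping table is constructed from the config example.

```python
# Added example: check FortiGate debug flow output against the intended VIP
# mapping. Not FortiGate code; the regexes assume the message formats seen above.
import re

# Debug flow lines copied from this article (three per trace; the "host # "
# prompt on the first line is tolerated by the parser).
DEBUG_FLOW = """\
Kancil-kvm36 # id=65308 trace_id=2004 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=6, 10.111.37.43:17335->10.47.2.111:935) tun_id=0.0.0.0 from port1. flag [S], seq 3864503231, ack 0, win 64240"
id=65308 trace_id=2004 func=__iprope_check_one_dnat_policy line=5428 msg="matched policy-5, act=accept, vip=5, flag=104, sflag=2000000"
id=65308 trace_id=2004 func=__ip_session_run_tuple line=3457 msg="DNAT 10.47.2.111:935->10.47.34.113:935"
id=65308 trace_id=1999 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=6, 10.111.37.43:17282->10.47.2.111:892) tun_id=0.0.0.0 from port1. flag [S], seq 195359374, ack 0, win 64240"
id=65308 trace_id=1999 func=__iprope_check_one_dnat_policy line=5428 msg="matched policy-4, act=accept, vip=4, flag=104, sflag=2000000"
id=65308 trace_id=1999 func=__ip_session_run_tuple line=3457 msg="DNAT 10.47.2.111:892->10.47.34.112:892"
"""

# Constructed from the config example: (external IP, dst port) -> mapped IP.
EXPECTED = {("10.47.2.111", 892): "10.47.34.112",
            ("10.47.2.111", 935): "10.47.34.113"}

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) .*?msg="(?P<msg>.*)"$')
PKT_RE = re.compile(r"proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)")
MATCH_RE = re.compile(r"matched policy-(?P<policy>\d+), act=(?P<act>\w+), vip=(?P<vip>\d+)")
DNAT_RE = re.compile(r"DNAT (?P<orig>[\d.]+:\d+)->(?P<new>[\d.]+:\d+)")

def parse_debug_flow(text):
    """Group debug flow lines by trace_id and pull out the DNAT decision."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)             # search() skips any prompt prefix
        if not m:
            continue
        t, msg = traces.setdefault(m["trace"], {}), m["msg"]
        if m["func"] == "print_pkt_detail" and (p := PKT_RE.search(msg)):
            t.update(proto=int(p["proto"]), dst=p["dst"], dport=int(p["dport"]))
        elif p := MATCH_RE.search(msg):
            t.update(policy=int(p["policy"]), action=p["act"], vip=int(p["vip"]))
        elif m["func"] == "__ip_session_run_tuple" and (p := DNAT_RE.search(msg)):
            ip, port = p["new"].split(":")
            t.update(dnat_to=ip, dnat_port=int(port))
    return traces

def verify_dnat(traces, expected):
    """Return one message per trace whose translation differs from `expected`."""
    problems = []
    for tid, t in traces.items():
        want = expected.get((t.get("dst"), t.get("dport")))
        if want is None:
            problems.append(f"trace {tid}: no VIP expected for {t.get('dst')}:{t.get('dport')}")
        elif t.get("dnat_to") != want:
            problems.append(f"trace {tid}: translated to {t.get('dnat_to')}, expected {want}")
    return problems
```

With the two traces above, `verify_dnat(parse_debug_flow(DEBUG_FLOW), EXPECTED)` returns an empty list; if an unfiltered VIP had swallowed the traffic, every trace would report the same unexpected mapped IP.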
