Description
This article describes how, if the WAN link uses a dynamic IP address and a FortiGuard DDNS FQDN has been configured, it may be used to reach internal services using a VIP.
Scope
FortiGate.
Solution
Make sure an FQDN has been configured for FortiGuard DDNS service.
config system ddns
edit 1
set ddns-server FortiGuardDDNS
set ddns-domain "myfortigate.fortiddns.com"
set monitor-interface "wan1"
next
end
edit 1
set ddns-server FortiGuardDDNS
set ddns-domain "myfortigate.fortiddns.com"
set monitor-interface "wan1"
next
end
Configure a VIP leaving the external IP address all zeros:
config firewall vip
edit "PublicServer"
set extip 0.0.0.0
set extintf "wan1"
set portforward enable
set mappedip 192.168.1.250
set extport 8010
set mappedport 8010
next
end
Configure a firewall policy to allow the traffic toward the internal Server:
It should be possible to reach the server on the FortiGuard DDNS FQDN and port defined on the VIP: https://myfortigate.fortiddns.com:8010
Special notes:
- If 'any' interface is selected for the Virtual IP, 0.0.0.0 will not be allowed as an external IP, and the GUI will show an error indicating 'IP must not be zero'.
- If multiple similar Virtual IPs are configured, port forwarding or services filter must be used to avoid conflict, see Technical Tip: Configure port forwarding using FortiGate VIPs
