FortiGate
jrosado_FTNT
Staff
Article Id 197935

Description

 

This article describes how, when the WAN link has a dynamic IP address, a FortiGuard DDNS FQDN configured on the FortiGate can be used to reach internal services published through a VIP. Because the VIP is bound to the interface rather than to a fixed address, it keeps working after the ISP changes the WAN IP, and clients only need the DDNS name.

 

Scope

 

FortiGate.


Solution

 

Make sure an FQDN has been configured for the FortiGuard DDNS service on the WAN interface:

 

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "myfortigate.fortiddns.com"
        set monitor-interface "wan1"
    next
end
 

 

Configure a VIP with the external IP address set to all zeros (0.0.0.0). A VIP with a zero external IP matches whatever address the external interface (here wan1) currently holds, so it does not need to be updated when the dynamic IP changes:

 

config firewall vip
    edit "PublicServer"
        set extip 0.0.0.0 0.0.0.0
        set extintf "wan1"
        set portforward enable
        set mappedip 192.168.1.250
        set extport 8010
        set mappedport 8010
    next
end

 


 

Configure the firewall policy from the WAN interface to the internal interface that allows the traffic toward the internal server, using the VIP object as the destination address:

 

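The original article shows the policy only as a screenshot. The CLI below is an added example written for this page, not configuration taken from the article; it assumes the server sits behind an interface named "internal", and the service name "TCP-8010" and policy name "Allow-PublicServer-VIP" are chosen here for illustration.

```text
# Added example: custom service limited to the single port the VIP maps.
config firewall service custom
    edit "TCP-8010"
        set tcp-portrange 8010
    next
end

# Added example: inbound policy for the VIP.
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "Allow-PublicServer-VIP"
        set srcintf "wan1"
        set dstintf "internal"          # assumption: LAN interface name
        set srcaddr "all"               # narrow to known client ranges if possible
        set dstaddr "PublicServer"      # the VIP object, not "all"
        set action accept
        set schedule "always"
        set service "TCP-8010"          # only the VIP's external port, not ALL
        set logtraffic all
    next
end
```

Two choices in this policy matter for exposure. The destination address is the VIP object itself: with extip 0.0.0.0 the VIP answers on whatever address wan1 holds, so the policy's dstaddr/service pair is what scopes what is reachable from the Internet. The service is restricted to TCP/8010 instead of ALL, and srcaddr can be tightened to known client networks where the clients are predictable; together with full traffic logging this keeps the published service auditable.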

 

The server should now be reachable at the FortiGuard DDNS FQDN and the external port defined on the VIP:

 

https://myfortigate.fortiddns.com:8010

 

Special note:

If 'any' is selected as the external interface of the VIP, an external IP of 0.0.0.0 is not accepted and the GUI shows the error 'IP must not be zero'. The zero external IP only works when the VIP is bound to a specific interface, such as wan1 above.

Port forwarding must be enabled when several such VIPs are configured on the same interface. They all share the same (interface) external address, so only the external port distinguishes them; two VIPs with 0.0.0.0 as external IP and no port forwarding, or with the same external port, would conflict.