Technical Tip: Explicit Proxy configured on a Loopback Interface fails because of captive portal config on incoming interface

sagha · ‎06-26-2025

Description

This article explains a scenario where an explicit proxy may fail on a Loopback if there is a captive portal config on the incoming interface.

Scope

FortiGate.

Solution

A loopback interface is configured and has explicit proxy enabled:

config system interface

edit "LOOPBACK1"

set vdom "root"

set ip 10.5.5.19 255.255.255.255

set allowaccess ping https http

set type loopback

set explicit-web-proxy enable

set role lan

set snmp-index 362

Explicit proxy configuration:

config web-proxy explicit

set status enable

set http-incoming-port 8081

set incoming-ip 10.5.5.19

end

There is a policy that allows traffic from the incoming interface towards the loopback interface.

config firewall policy

edit 10

set name "Port1 to LOOPBACK"

set srcintf "port1"

set dstintf "LOOPBACK1"

set action accept

set srcaddr "all"

set dstaddr "all"

set schedule "always"

set service "ALL"

set logtraffic all

Inbound traffic is seen on the FortiGate, but is then dropped.

FGT # diagnose sniffer packet any 'host 10.12.0.1 and port 8080' 4 0 a
interfaces=[any]
filters=[host 10.12.0.1 and port 8080]

2025-05-13 09:49:48.673062 port1 in 10.12.0.1.64338 -> 10.5.5.19.8080: syn 1677162700
2025-05-13 09:49:52.674096 port1 in 10.12.0.1.64338 -> 10.5.5.19.8080: syn 1677162700

Debug flow shows that traffic fails to match any policy, and hence it is getting dropped.

025-05-16 11:56:07 id=65308 trace_id=113855 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=6, 10.12.0.1:58204->10.5.5.19:8081) tun_id=0.0.0.0 from port1. flag [S
], seq 3718586160, ack 0, win 64240"
2025-05-16 11:56:07 id=65308 trace_id=113855 func=init_ip_session_common line=6047 msg="allocate a new session-0e7dd737"
2025-05-16 11:56:07 id=65308 trace_id=113855 func=iprope_dnat_check line=5281 msg="in-[port1], out-[]"
2025-05-16 11:56:07 id=65308 trace_id=113855 func=iprope_dnat_tree_check line=824 msg="len=0"
2025-05-16 11:56:07 id=65308 trace_id=113855 func=iprope_dnat_check line=5293 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2025-05-16 11:56:07 id=65308 trace_id=113855 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=80000000 gw-0.0.0.0 via root"

2025-05-13 10:51:23 id=65308 trace_id=106407 func=fw_local_in_handler line=615 msg="iprope_in_check() check failed on policy 0, drop"

Verifying the configuration on port 1, it is seen that a captive portal is enabled.

config system interface

edit "EDU_MPLS-PRI"

set vdom "EDU"

set ip 10.15.5.50 255.255.255.252

set allowaccess ping

set security-mode captive-portal

set security-groups "LDAP_grp"

set role lan

set snmp-index 75

For traffic to work between Port1 and LOOPBACK1, the user must be authenticated via Captive Portal on the FortiGate, which will then match the firewall policy 10 configured, and traffic will be allowed.

To apply a fix, traffic that needs to be proxied can be exempted from the Captive Portal check.

config firewall policy

edit 10

set name "Port1 to LOOPBACK"

set srcintf "port1"

set dstintf "LOOPBACK1"