Description
This article describes how to allow LAN users to reach servers via their public IP when the hairpin NAT policy is configured with a Geo-IP object in the source field.
Scope
FortiGate.
Solution
Explanation:
# config system interface
    edit "port1"
        set vdom "root"
        set ip 10.116.1.74 255.255.240.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 10.117.1.74 255.255.240.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set snmp-index 2
    next
    edit "port10"
        set vdom "root"
        set ip 10.56.241.74 255.255.252.0
        set allowaccess https ssh http telnet fgfm
        set type physical
        set snmp-index 10
    next
end

# config firewall address
    edit "AU_Geo"
        set uuid d8905d2c-c75c-51ec-8e52-00fa1c289312
        set type geography
        set country "AU"
    next
end

# config firewall vip
    edit "Ping_to_Server"
        set extip 10.56.241.74
        set extintf "any"
        set portforward enable
        set mappedip "10.116.0.154"
        set protocol icmp
    next
end

# config firewall policy
    edit 1
        set name "WAN_to_LAN"
        set uuid d901e7c4-c759-51ec-9ab6-4c99463c9ee6
        set srcintf "port10"
        set dstintf "port1"
        set srcaddr "AU_Geo"
        set dstaddr "Ping_to_Server"
        set action accept
        set schedule "always"
        set service "ALL_ICMP"
        set logtraffic all
    next
Debug flow when a LAN machine tries to access the public IP:

id=20085 trace_id=36 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.117.1.85:2->10.56.241.74:2048) from port2. type=8, code=0, id=2, seq=18016."
id=20085 trace_id=36 func=init_ip_session_common line=5834 msg="allocate a new session-00037973"
id=20085 trace_id=36 func=fw_pre_route_handler line=181 msg="VIP-10.116.0.154:2, outdev-unknown"
id=20085 trace_id=36 func=__ip_session_run_tuple line=3427 msg="DNAT 10.56.241.74:8->10.116.0.154:2"
id=20085 trace_id=36 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.116.0.154 via port1"
id=20085 trace_id=36 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 0)"
Solution
With hairpin NAT, the traffic does not leave port10 toward the outside and come back in on port10. It might be assumed that the traffic leaves the FortiGate with its source NATed to 10.56.241.74, but the policy lookup sees the original LAN source address (10.117.1.85 in the trace above), which the Geo-IP object AU_Geo does not cover, so the session falls through to the implicit deny (policy 0).

Add the LAN subnet 10.117.0.0/20 as a source address in policy ID 1:
# config firewall address
    edit "LAN_10.117.0.0/20"
        set subnet 10.117.0.0 255.255.240.0
    next
end

# config firewall policy
    edit 1
        set name "WAN_to_LAN"
        set uuid d901e7c4-c759-51ec-9ab6-4c99463c9ee6
        set srcintf "port10"
        set dstintf "port1"
        set srcaddr "AU_Geo" "LAN_10.117.0.0/20"
        set dstaddr "Ping_to_Server"
        set action accept
        set schedule "always"
        set service "ALL_ICMP"
        set logtraffic all
    next
Debug flow when a LAN machine tries to access the public IP after the change:

id=20085 trace_id=51 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.117.1.85:2->10.56.241.74:2048) from port2. type=8, code=0, id=2, seq=18024."
id=20085 trace_id=51 func=init_ip_session_common line=5834 msg="allocate a new session-00037fa3"
id=20085 trace_id=51 func=fw_pre_route_handler line=181 msg="VIP-10.116.0.154:2, outdev-unknown"
id=20085 trace_id=51 func=__ip_session_run_tuple line=3427 msg="DNAT 10.56.241.74:8->10.116.0.154:2"
id=20085 trace_id=51 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.116.0.154 via port1"
id=20085 trace_id=51 func=fw_forward_handler line=777 msg="Allowed by Policy-1:"
id=20085 trace_id=52 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.116.0.154:2->10.117.1.85:0) from port1. type=0, code=0, id=2, seq=18024."
id=20085 trace_id=52 func=resolve_ip_tuple_fast line=5744 msg="Find an existing session, id-00037fa3, reply direction"
id=20085 trace_id=52 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.117.1.85 via port2"
id=20085 trace_id=52 func=npu_handle_session44 line=1164 msg="Trying to offloading session from port1 to port2, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x00040000"
id=20085 trace_id=52 func=fw_forward_dirty_handler line=399 msg="state=00000204, state2=00000001, npu_state=00040000"
id=20085 trace_id=52 func=__ip_session_run_tuple line=3413 msg="SNAT 10.116.0.154->10.56.241.74:2"
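The following is an added example, not part of the article or Fortinet's own tooling: a small Python parser that groups FortiGate debug-flow records by trace_id and flags the pattern in the first trace above (a VIP hit from an internal source that ends in the implicit deny), which is how the Geo-IP source mismatch shows up in a bulk capture. The sample records embedded below are constructed from the two traces in this article.

```python
import re
import ipaddress

# Constructed sample input: records from the two debug-flow traces in the article
# (trace 36 before the fix, trace 51 after), one record per line.
SAMPLE = '''\
id=20085 trace_id=36 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.117.1.85:2->10.56.241.74:2048) from port2. type=8, code=0, id=2, seq=18016."
id=20085 trace_id=36 func=__ip_session_run_tuple line=3427 msg="DNAT 10.56.241.74:8->10.116.0.154:2"
id=20085 trace_id=36 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=51 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.117.1.85:2->10.56.241.74:2048) from port2. type=8, code=0, id=2, seq=18024."
id=20085 trace_id=51 func=__ip_session_run_tuple line=3427 msg="DNAT 10.56.241.74:8->10.116.0.154:2"
id=20085 trace_id=51 func=fw_forward_handler line=777 msg="Allowed by Policy-1:"
'''

RECORD_RE = re.compile(r'trace_id=(\d+) func=\S+ line=\d+ msg="(.*)"$')
PACKET_RE = re.compile(r'received a packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\) from (\S+)\.')
DNAT_RE = re.compile(r'^DNAT [\d.]+:\d+->([\d.]+):\d+$')
DENY_RE = re.compile(r'^Denied by forward policy check \(policy (\d+)\)')
ALLOW_RE = re.compile(r'^Allowed by Policy-(\d+)')

def parse_traces(text):
    """Group records by trace_id; keep source, destination, ingress interface, DNAT target and verdict."""
    traces = {}
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue  # not a debug-flow record (banner, prompt, blank line)
        tid, msg = m.groups()
        t = traces.setdefault(tid, {"src": None, "dst": None, "in_intf": None,
                                    "mapped": None, "verdict": None, "policy": None})
        if pm := PACKET_RE.search(msg):
            t["src"], t["dst"], t["in_intf"] = pm.groups()
        elif dm := DNAT_RE.match(msg):
            t["mapped"] = dm.group(1)          # VIP translated the destination to the server
        elif xm := DENY_RE.match(msg):
            t["verdict"], t["policy"] = "denied", int(xm.group(1))
        elif am := ALLOW_RE.match(msg):
            t["verdict"], t["policy"] = "allowed", int(am.group(1))
    return traces

def hairpin_findings(traces):
    """Flag traces where a VIP was hit (DNAT) from a private source and only the implicit deny matched.
    That is the first trace in the article: the Geo-IP source object does not cover the LAN subnet."""
    findings = []
    for tid, t in traces.items():
        if (t["mapped"] and t["verdict"] == "denied" and t["policy"] == 0
                and t["src"] and ipaddress.ip_address(t["src"]).is_private):
            findings.append(f"trace {tid}: {t['src']} via {t['in_intf']} -> VIP {t['dst']} "
                            f"(mapped {t['mapped']}) hit implicit deny; "
                            "check that the policy's srcaddr includes the internal source")
    return findings

if __name__ == "__main__":
    for finding in hairpin_findings(parse_traces(SAMPLE)):
        print(finding)
```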
Copyright 2025 Fortinet, Inc. All Rights Reserved.