Description
This article explains how to avoid unintended NAT when custom NAT is required for one or more SD-WAN members by associating appropriate IP pools to each SD-WAN member interface.
Scope
FortiGate.
Solution
Consider a simple SD-WAN configuration (Configuring the SD-WAN interface) with two WAN links in a single SD-WAN zone. If traffic to the Internet should have source NAT applied, but the default option 'Use Outgoing Interface Address' is not appropriate for one or more of the links, IP pools must be used.
When two IP pools are configured on a firewall policy, by default, the FortiGate will only use the first IP pool. This can cause connectivity issues for traffic egressing over the other interface since the FortiGate will use the IP Pool intended for WAN1 when sending packets over WAN2.
The solution is to configure an associated-interface for each IP pool.
IP Assignment:
port1(WAN1) IP Pool: 10.47.4.104.
port2(WAN2) IP Pool: 10.47.20.104.
Sniffer output while running a ping test to v4.2.2.2 from LAN and using port2 (WAN2) as the outgoing interface.
In this case the FortiGate's port2 gateway is dropping the echo request since it contains an unexpected source IP address.
Bind IP pool to a specific interface:
- Create both IP pool objects in Policy & Objects -> IP Pools.
- Add these two IP pools to the firewall policy that gives users access to the Internet via the SD-WAN.
- Go to Policy & Objects -> IPv4 Policy.
- Create or edit the corresponding policy, and in the Firewall/Network Options, enable the NAT toggle.
- In the IP Pool Configuration, select 'Use Dynamic IP Pool' and add the two IP Pools created previously.
-
Associate each of the IP Pools used in the firewall policy with its corresponding physical interface.
In FortiOS v7.4.1 and earlier, the default IP pool type 'overload' is the only type which allows associated-interface. In v7.4.2 and later, other types can be used.
config firewall ippool
edit ippool-WAN1_clients
set type overload
set startip 10.47.4.104
set endip 10.47.4.104
set associated-interface port1
next
edit ippool-WAN2_clients
set type overload
set startip 10.47.20.104
set endip 10.47.20.104
set associated-interface port2
next
end
After applying the changes above, each IP pool will only be used for traffic exiting over its own associated-interface.
Note that if required, an IP Pool can have an IP range that matches an existing interface IP. If the IP pool is matched, the NAT behavior is the same as if 'Use Outgoing Interface Address' was selected.
config system interface
edit "port2"
set vdom "root"
set ip 10.47.20.104 255.255.255.240
set type physical
set snmp-index 2
next
end
Debug Flow:
id=65308 trace_id=12578 func=init_ip_session_common line=6070 msg="allocate a new session-229166a4"
id=65308 trace_id=12578 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-10.47.4.10 via port2"
id=65308 trace_id=12578 func=__iprope_tree_check line=539 msg="gnum-100004, use addr/intf hash, len=129"
id=65308 trace_id=12578 func=get_new_addr line=1265 msg="find SNAT: IP-10.47.20.104(from IPPOOL), port-35383"
id=65308 trace_id=12578 func=fw_forward_handler line=991 msg="Allowed by Policy-3347: SNAT"
id=65308 trace_id=12578 func=__ip_session_run_tuple line=3433 msg="SNAT 192.168.100.53->10.47.20.104:35383"
id=65308 trace_id=12578 func=__ip_session_run_tuple line=3487 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=12579 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=17, 8.8.4.4:53->10.47.20.104:55076) t
un_id=0.0.0.0 from port1. "
id=65308 trace_id=12579 func=resolve_ip_tuple_fast line=5974 msg="Find an existing session, id-229162f3, reply direction"
id=65308 trace_id=12579 func=__ip_session_run_tuple line=3446 msg="DNAT 10.47.20.104:55076->192.168.100.53:55076"
id=65308 trace_id=12579 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.73.1 via LAN Group"
id=65308 trace_id=12579 func=fw_forward_dirty_handler line=430 msg="auxiliary ses proto=17 dev=66->41 192.168.100.53/55076=>8.8.4.4/5
3"
Session list:
session info: proto=17 proto_state=01 duration=54 expire=125 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=dns-udp vlan_cos=0/255
state=log may_dirty npu f00 route_preserve
statistic(bytes/packets/allow_err): org=83/1/1 reply=600/1/1 tuples=2
tx speed(Bps/kbps): 1/0 rx speed(Bps/kbps): 11/0
orgin->sink: org pre->post, reply pre->post dev=66->45/45->66 gwy=10.47.4.10/0.0.0.0
hook=post dir=org act=snat 192.168.100.53:45162->8.8.4.4:53(10.47.20.104:45162)
hook=pre dir=reply act=dnat 8.8.4.4:53->10.47.20.104:45162(192.168.100.53:45162)
misc=0 policy_id=3347 pol_uuid_idx=27680 auth_info=0 chk_client_info=0 vd=0
serial=208e67c4 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0, ha_divert=0/0
no_ofld_reason:
reflect info 0:
dev=66->41/41->66
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
total reflect session num: 1
Related article:
Technical Tip: Configuring Source NAT for specific SD-WAN members in v7.6.1 and later [Central NAT]
