Description
This article explains how to configure a VIP using a loopback interface.
Scope
FortiOS.
Solution
This article provides the configuration steps for reaching an internal IP through a VIP on an external IP, where the traffic can arrive from several different source interfaces and subnets (for example wan1, wan2 and a VPN tunnel). The external IP of the VIP is placed on a loopback interface, so one VIP and one pair of policies serve all of those ingress interfaces.
Scenario:

    wan1 / wan2 / vpn  --->  loopback (VIP extip 172.16.33.1)  --->  internal (mappedip 10.10.10.2)

Traffic from any of the source interfaces is first allowed to the loopback interface, and a second policy from the loopback to the internal interface carries the VIP.
- Add a loopback interface.
config system interface
edit "Loopback-int"
set vdom "root"
set ip 172.16.33.1 255.255.255.255
set allowaccess ping https ssh http
set type loopback
set snmp-index 10
next
end
- Add a VIP.
config firewall vip
edit "test_VIP"
set extip 172.16.33.1 <-- External IP is the IP of the loopback interface.
set extintf "any"
set mappedip "10.10.10.2" <-- Internal IP.
next
end
- Create a firewall policy to permit traffic from the incoming interface to the loopback interface.
config firewall policy
edit 0 <----- 0 creates a new policy with the next free ID.
set srcintf "wan2"
set dstintf "Loopback-int"
set srcaddr "all"
set dstaddr "IP_loopback" <----- Firewall address object containing only the loopback IP (172.16.33.1/32); this is not the VIP.
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat disable
next
end
- Create a firewall policy to permit traffic from the loopback interface to the outgoing interface, and add the Virtual IP as the dstaddr.
config firewall policy
edit 0
set srcintf "Loopback-int"
set dstintf "internal"
set srcaddr "all"
set dstaddr "test_VIP" <----- This is the VIP configured in step 2; it must be the dstaddr here so the DNAT to 10.10.10.2 applies.
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat disable
next
end
Both firewall policies should be narrowed to the traffic that actually needs to be allowed (srcaddr, dstaddr and service) instead of "all"/"ALL".
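The complete CLI for the scenario, as an added example that is not part of the original article: it adds the "IP_loopback" address object that the first policy references but the steps above do not define, lists several source interfaces on the ingress policy as the scenario diagram suggests, and restricts the admin access on the loopback. The interface names, the "vpn" tunnel interface name, the policy names and the addresses 172.16.33.1 / 10.10.10.2 are assumptions carried over from the article's own example; the lines starting with # are annotations.

```fortios
# Added example, not the article's own configuration.
# Assumptions: interfaces wan1, wan2, internal and a tunnel interface named "vpn";
# loopback IP 172.16.33.1, internal host 10.10.10.2.

# 1. Loopback interface that carries the VIP's external IP.
#    Anything enabled under allowaccess answers on 172.16.33.1 from every
#    interface that can route to it, so enable only what is needed.
config system interface
    edit "Loopback-int"
        set vdom "root"
        set ip 172.16.33.1 255.255.255.255
        set allowaccess ping
        set type loopback
    next
end

# 2. Plain address object for the loopback IP (not a VIP),
#    used as dstaddr of the ingress policy.
config firewall address
    edit "IP_loopback"
        set subnet 172.16.33.1 255.255.255.255
    next
end

# 3. VIP: external IP = loopback IP, mapped to the internal host.
config firewall vip
    edit "test_VIP"
        set extip 172.16.33.1
        set extintf "any"
        set mappedip "10.10.10.2"
    next
end

# 4. Ingress policy: every source interface -> loopback.
#    Replace "all"/"ALL" with the real client subnets and services.
config firewall policy
    edit 0
        set name "to-loopback"
        set srcintf "wan1" "wan2" "vpn"
        set dstintf "Loopback-int"
        set srcaddr "all"
        set dstaddr "IP_loopback"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
end

# 5. Egress policy: loopback -> internal, with the VIP as dstaddr so the
#    DNAT 172.16.33.1 -> 10.10.10.2 is applied.
config firewall policy
    edit 0
        set name "loopback-to-internal"
        set srcintf "Loopback-int"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "test_VIP"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
end

# Verification while a client sends traffic to 172.16.33.1: both the
# pre-NAT and the post-NAT packets should appear in the capture.
# diagnose sniffer packet any 'host 172.16.33.1 or host 10.10.10.2' 4
```

Because `set nat disable` is kept on the egress policy, 10.10.10.2 sees the original client source address rather than the FortiGate's, so the internal host's return route for those client subnets must lead back through the FortiGate; otherwise replies are sent elsewhere and the sessions never complete.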