FortiGate
Author: acardona (Staff)
Article Id 364183
Description This article describes how to use a source address filter (src-filter) on Virtual IP objects so that two different internal servers can be reached through the same external IP address and port, with the client's source address deciding which server is used.
Scope FortiGate v7.2 and later.
Solution

Setting 'src-filter' on Virtual IP (VIP) objects lets two VIPs share the same external IP address, external port and external interface while mapping to different internal servers. The VIP is chosen by the source address of the incoming connection, so each listed remote address is translated to its own internal resource.

Example VIP 1:

Remote IP address: 10.255.100.56
External IP address: 172.18.2.10
Internal IP address: 172.18.3.151
TCP port: 8443

config firewall vip
    edit "vip1_TCP8443"
        set src-filter "10.255.100.56/32"
        set extip 172.18.2.10
        set mappedip "172.18.3.151"
        set extintf "port3"
        set portforward enable
        set extport 8443
        set mappedport 8443
    next
end

 

Example VIP 2:

Remote IP address: 10.254.200.78
External IP address: 172.18.2.10
Internal IP address: 172.18.1.16
TCP port: 8443

config firewall vip
    edit "vip2_TCP8443"
        set src-filter "10.254.200.78/32"
        set extip 172.18.2.10
        set mappedip "172.18.1.16"
        set extintf "port3"
        set portforward enable
        set extport 8443
        set mappedport 8443
    next
end

 

Reference the VIP objects as the destination address in the appropriate firewall policies (from port3 to the internal interfaces). That step is not shown in this article.

 

Result:

 

Packet captures (diagnose sniffer packet) of TCP connections to 172.18.2.10:8443 from the two source addresses show that both connections are accepted and that each is translated to a different internal address on the corresponding internal interface. The RST replies only show that the test servers refused the connection on TCP 8443; the relevant point is the rewritten destination visible on the egress interface.


Connection 1:

 

2024-12-11 13:18:04.357132 port3 in 10.255.100.56.2517 -> 172.18.2.10.8443: syn 2206184086
2024-12-11 13:18:04.357193 port4 out 10.255.100.56.2517 -> 172.18.3.151.8443: syn 2206184086
2024-12-11 13:18:04.357374 port4 in 172.18.3.151.8443 -> 10.255.100.56.2517: rst 0 ack 2206184087

 

Connection 2:

 

2024-12-11 13:18:00.737020 port3 in 10.254.200.78.60514 -> 172.18.2.10.8443: syn 750478996
2024-12-11 13:18:00.737085 port2 out 10.254.200.78.60514 -> 172.18.1.16.8443: syn 750478996
2024-12-11 13:18:00.737540 port2 in 172.18.1.16.8443 -> 10.254.200.78.60514: rst 0 ack 750478997

 

Debug flow output (diagnose debug flow) for a connection that matched no VIP:

 

id=65308 trace_id=47 func=print_pkt_detail line=5920 msg="vd-root:0 received a packet(proto=6, 10.254.200.78:14380->172.18.2.10:8443) tun_id=0.0.0.0 from port3. flag [S], seq 4188363006, ack 0, win 64240"
id=65308 trace_id=47 func=init_ip_session_common line=6110 msg="allocate a new session-00eb3f87"
id=65308 trace_id=47 func=iprope_dnat_check line=5480 msg="in-[port3], out-[]"
id=65308 trace_id=47 func=iprope_dnat_tree_check line=824 msg="len=2"
id=65308 trace_id=47 func=__iprope_check_one_dnat_policy line=5345 msg="checking gnum-100000 policy-4"
id=65308 trace_id=47 func=__iprope_check_one_dnat_policy line=5345 msg="checking gnum-100000 policy-11"
id=65308 trace_id=47 func=iprope_dnat_check line=5505 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=47 func=__vf_ip_route_input_rcu line=1988 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
id=65308 trace_id=47 func=iprope_access_proxy_check line=458 msg="in-[port3], out-[], skb_flags-02000000, vid-0"
id=65308 trace_id=47 func=__iprope_check line=2404 msg="gnum-100017, check-ffffffffa002c9f7"
id=65308 trace_id=47 func=iprope_policy_group_check line=4902 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=47 func=iprope_in_check line=496 msg="in-[port3], out-[], skb_flags-02000000, vid-0"
id=65308 trace_id=47 func=__iprope_check line=2404 msg="gnum-100011, check-ffffffffa002dfb1"
id=65308 trace_id=47 func=iprope_policy_group_check line=4902 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=47 func=__iprope_check line=2404 msg="gnum-100001, check-ffffffffa002c9f7"
id=65308 trace_id=47 func=iprope_policy_group_check line=4902 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=47 func=__iprope_check line=2404 msg="gnum-10000e, check-ffffffffa002c9f7"
id=65308 trace_id=47 func=__iprope_check_one_policy line=2140 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
id=65308 trace_id=47 func=__iprope_check_one_policy line=2140 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"

id=65308 trace_id=47 func=__iprope_check_one_policy line=2374 msg="policy-4294967295 is matched, act-drop"
id=65308 trace_id=47 func=__iprope_check line=2421 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=65308 trace_id=47 func=iprope_policy_group_check line=4902 msg="after check: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=65308 trace_id=47 func=fw_local_in_handler line=620 msg="iprope_in_check() check failed on policy 0, drop"

 

FortiOS first runs the DNAT lookup (gnum-100000 in the trace) against all VIPs on the ingress interface, and the src-filter is evaluated as part of that lookup. A packet whose source address is not covered by the src-filter of any VIP with a matching external IP and port returns ret-no-match at iprope_dnat_check and is not translated. It is then treated as traffic addressed to the FortiGate itself, and because no local-in policy permits TCP 8443 on 172.18.2.10, fw_local_in_handler drops it, as shown above. A matching packet would instead show ret-matched at the DNAT check followed by the translation to the mapped address, consistent with the sniffer output.

 

Note:

With this configuration, only the source addresses listed in the src-filter of each VIP can reach the internal servers through 172.18.2.10:8443. A connection from any other remote address, for example 10.253.250.90, matches neither VIP, is not translated, and is dropped by local-in as in the debug flow above. Two points are worth keeping in mind. First, src-filter is evaluated on the source address as it arrives on the external interface, so clients behind a shared upstream NAT present the same address and cannot be separated by this method. Second, src-filter only decides which VIP is selected; it does not replace the source address restriction on the firewall policy that references the VIP, so keep the policy's source address as narrow as the VIP's src-filter so that a later change to one object does not silently widen access.
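To check the selection logic offline before committing the objects, the following Python script is an added example (not Fortinet code and not part of the original article). It parses the two VIP blocks above, reports which VIP, if any, a given client address hits for 172.18.2.10:8443, and flags pairs of VIPs that share the same external interface, IP and port but have overlapping src-filters. It assumes VIPs are evaluated in configuration order and handles only single extip values and IP or CIDR src-filter entries; how FortiOS itself resolves overlapping src-filters is not covered by this article.

```python
import ipaddress
import shlex
from dataclasses import dataclass, field

# Constructed input: the two VIP objects from the article, in 'show' form.
VIP_CONFIG = """
config firewall vip
    edit "vip1_TCP8443"
        set src-filter "10.255.100.56/32"
        set extip 172.18.2.10
        set mappedip "172.18.3.151"
        set extintf "port3"
        set portforward enable
        set extport 8443
        set mappedport 8443
    next
    edit "vip2_TCP8443"
        set src-filter "10.254.200.78/32"
        set extip 172.18.2.10
        set mappedip "172.18.1.16"
        set extintf "port3"
        set portforward enable
        set extport 8443
        set mappedport 8443
    next
end
"""

@dataclass
class Vip:
    name: str
    extip: str = ""
    mappedip: str = ""
    extintf: str = ""
    portforward: bool = False
    extport: int = 0
    mappedport: int = 0
    src_filter: list = field(default_factory=list)  # ip_network objects; empty = any source

def parse_vips(text):
    """Parse the subset of 'config firewall vip' syntax used in the article.
    Assumption: single extip (no ranges) and IP or CIDR src-filter values."""
    vips, cur = [], None
    for line in text.splitlines():
        tok = shlex.split(line)          # strips the quotes FortiOS prints
        if not tok:
            continue
        if tok[0] == "edit":
            cur = Vip(name=tok[1])
            vips.append(cur)
        elif tok[0] == "set" and cur is not None:
            key, vals = tok[1], tok[2:]
            if key == "src-filter":      # a bare address is treated as /32
                cur.src_filter = [ipaddress.ip_network(v, strict=False) for v in vals]
            elif key == "portforward":
                cur.portforward = vals[0] == "enable"
            elif key in ("extport", "mappedport"):
                setattr(cur, key, int(vals[0]))
            elif key in ("extip", "mappedip", "extintf"):
                setattr(cur, key, vals[0])
        elif tok[0] in ("next", "end"):
            cur = None
    return vips

def select_vip(vips, src, dst, dport, intf="port3"):
    """First VIP whose extintf/extip/extport fit the packet and whose src-filter
    covers src. Assumption: VIPs are tried in configuration order."""
    s = ipaddress.ip_address(src)
    for v in vips:
        if v.extintf and v.extintf != intf:
            continue
        if v.extip != dst or (v.portforward and v.extport != dport):
            continue
        if v.src_filter and not any(s in net for net in v.src_filter):
            continue
        return v
    return None

def translate(vips, src, dst, dport, intf="port3"):
    """(vip name, mapped IP, mapped port), or None when no VIP applies,
    i.e. no DNAT and the local-in drop seen in the debug flow."""
    v = select_vip(vips, src, dst, dport, intf)
    if v is None:
        return None
    return (v.name, v.mappedip, v.mappedport if v.portforward else dport)

def src_filter_overlaps(vips):
    """Pairs of VIPs sharing extintf/extip/extport whose src-filters overlap
    (or where one has no src-filter at all): ambiguous, fix before deploying."""
    found = []
    for i, a in enumerate(vips):
        for b in vips[i + 1:]:
            if (a.extintf, a.extip, a.extport) != (b.extintf, b.extip, b.extport):
                continue
            if (not a.src_filter or not b.src_filter
                    or any(x.overlaps(y) for x in a.src_filter for y in b.src_filter)):
                found.append((a.name, b.name))
    return found

VIPS = parse_vips(VIP_CONFIG)

if __name__ == "__main__":
    for client in ("10.255.100.56", "10.254.200.78", "10.253.250.90"):
        print(client, "->", translate(VIPS, client, "172.18.2.10", 8443))
    print("overlapping src-filters:", src_filter_overlaps(VIPS))
```

Running the script prints the two translations from the sniffer output and None for 10.253.250.90. Paste the output of show firewall vip in place of VIP_CONFIG to check a real configuration; any pair reported by src_filter_overlaps should be resolved before the objects are put into a policy.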

 
