Using 'src-filter' on Virtual IP (VIP) objects allows two different remote IP addresses to reach different internal resources through the same external IP address and port: each VIP carries the same extip and extport, and the source filter decides which one applies.
Example VIP 1:
Remote IP address: 10.255.100.56. External IP address: 172.18.2.10.
Internal IP address: 172.18.3.151.
TCP port: 8443.
config firewall vip
edit "vip1_TCP8443"
set src-filter "10.255.100.56/32"
set extip 172.18.2.10
set mappedip "172.18.3.151"
set extintf "port3"
set portforward enable
set extport 8443
set mappedport 8443
end
Example VIP 2:
Remote IP address: 10.254.200.78. External IP address: 172.18.2.10.
Internal IP address: 172.18.1.16.
TCP port: 8443.
config firewall vip
edit "vip2_TCP8443"
set src-filter "10.254.200.78/32"
set extip 172.18.2.10
set mappedip "172.18.1.16"
set extintf "port3"
set portforward enable
set extport 8443
set mappedport 8443
end
Configure the VIP objects as destinations in the appropriate firewall policies (this step is omitted here).
Result:
Packet sniffer output for TCP connections to 172.18.2.10:8443 from the two source IP addresses shows that both connections are allowed but are NATed to different internal IP addresses.
Connection 1:
2024-12-11 13:18:04.357132 port3 in 10.255.100.56.2517 -> 172.18.2.10.8443: syn 2206184086
2024-12-11 13:18:04.357193 port4 out 10.255.100.56.2517 -> 172.18.3.151.8443: syn 2206184086
2024-12-11 13:18:04.357374 port4 in 172.18.3.151.8443 -> 10.255.100.56.2517: rst 0 ack 2206184087
Connection 2:
2024-12-11 13:18:00.737020 port3 in 10.254.200.78.60514 -> 172.18.2.10.8443: syn 750478996
2024-12-11 13:18:00.737085 port2 out 10.254.200.78.60514 -> 172.18.1.16.8443: syn 750478996
2024-12-11 13:18:00.737540 port2 in 172.18.1.16.8443 -> 10.254.200.78.60514: rst 0 ack 750478997
Debug flow output (a connection from a source that is not listed in any src-filter):
id=65308 trace_id=47 func=print_pkt_detail line=5920 msg="vd-root:0 received a packet(proto=6, 10.254.200.78:14380->172.18.2.10:8443) tun_id=0.0.0.0 from port3. flag [S], seq 4188363006, ack 0, win 64240"
id=65308 trace_id=47 func=init_ip_session_common line=6110 msg="allocate a new session-00eb3f87"
id=65308 trace_id=47 func=iprope_dnat_check line=5480 msg="in-[port3], out-[]"
id=65308 trace_id=47 func=iprope_dnat_tree_check line=824 msg="len=2"
id=65308 trace_id=47 func=__iprope_check_one_dnat_policy line=5345 msg="checking gnum-100000 policy-4"
id=65308 trace_id=47 func=__iprope_check_one_dnat_policy line=5345 msg="checking gnum-100000 policy-11"
id=65308 trace_id=47 func=iprope_dnat_check line=5505 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=47 func=__vf_ip_route_input_rcu line=1988 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
id=65308 trace_id=47 func=iprope_access_proxy_check line=458 msg="in-[port3], out-[], skb_flags-02000000, vid-0"
id=65308 trace_id=47 func=__iprope_check line=2404 msg="gnum-100017, check-ffffffffa002c9f7"
id=65308 trace_id=47 func=iprope_policy_group_check line=4902 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=47 func=iprope_in_check line=496 msg="in-[port3], out-[], skb_flags-02000000, vid-0"
id=65308 trace_id=47 func=__iprope_check line=2404 msg="gnum-100011, check-ffffffffa002dfb1"
id=65308 trace_id=47 func=iprope_policy_group_check line=4902 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=47 func=__iprope_check line=2404 msg="gnum-100001, check-ffffffffa002c9f7"
id=65308 trace_id=47 func=iprope_policy_group_check line=4902 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=47 func=__iprope_check line=2404 msg="gnum-10000e, check-ffffffffa002c9f7"
id=65308 trace_id=47 func=__iprope_check_one_policy line=2140 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
id=65308 trace_id=47 func=__iprope_check_one_policy line=2140 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
id=65308 trace_id=47 func=__iprope_check_one_policy line=2374 msg="policy-4294967295 is matched, act-drop"
id=65308 trace_id=47 func=__iprope_check line=2421 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=65308 trace_id=47 func=iprope_policy_group_check line=4902 msg="after check: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=65308 trace_id=47 func=fw_local_in_handler line=620 msg="iprope_in_check() check failed on policy 0, drop"
FortiOS performs a gnum-100000 (DNAT) lookup that checks the packet against all VIPs, as seen in the "checking gnum-100000 policy-4" and "policy-11" lines. When the incoming traffic does not match a VIP's settings, including its src-filter, no DNAT is applied ("ret-no-match") and the traffic is then dropped, as shown above.
Note:
With this configuration, only the source IP addresses specified in the VIP configuration are allowed to access the internal resources through the Virtual IP. A connection attempt from any other remote IP address, such as 10.253.250.90, would not match either Virtual IP and would be dropped as in the debug flow above.
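The following Python model of the VIP lookup is an added illustration, not FortiOS code: it reproduces the two VIPs above and shows why the same extip:extport pair resolves to different mapped addresses per source, and why an unlisted source (10.253.250.90) or a different port gets no DNAT match. It assumes first-match ordering and CIDR-style src-filter entries; a real FortiGate's full policy evaluation is more involved.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vip:
    """Subset of a FortiOS 'config firewall vip' entry with port forwarding."""
    name: str
    extip: str
    extport: int
    mappedip: str
    mappedport: int
    src_filter: list = field(default_factory=list)  # CIDR strings; empty means any source

    def matches(self, src: str, dst: str, dport: int) -> bool:
        # The external address and port must match first ...
        if dst != self.extip or dport != self.extport:
            return False
        # ... then the source must fall inside one of the src-filter prefixes.
        if not self.src_filter:
            return True
        s = ipaddress.ip_address(src)
        return any(s in ipaddress.ip_network(c, strict=False) for c in self.src_filter)


def dnat_lookup(vips, src: str, dst: str, dport: int):
    """Return (vip name, mapped ip, mapped port) for the first matching VIP,
    or None when no VIP matches (the 'ret-no-match' case in the debug flow).
    First-match ordering is an assumption of this model."""
    for vip in vips:
        if vip.matches(src, dst, dport):
            return vip.name, vip.mappedip, vip.mappedport
    return None


# The two VIP objects from the article, sharing extip 172.18.2.10 and port 8443.
VIPS = [
    Vip("vip1_TCP8443", "172.18.2.10", 8443, "172.18.3.151", 8443, ["10.255.100.56/32"]),
    Vip("vip2_TCP8443", "172.18.2.10", 8443, "172.18.1.16", 8443, ["10.254.200.78/32"]),
]

if __name__ == "__main__":
    for src in ("10.255.100.56", "10.254.200.78", "10.253.250.90"):
        print(src, "->", dnat_lookup(VIPS, src, "172.18.2.10", 8443))
```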