FortiGate
dchan
Staff
Article Id 189546
Description

Scenario:

Multiple connections to multiple ISPs. Policy routes are configured to route particular hosts/subnets on the internal network to a specific ISP connection (port1, port2).

 
Virtual IP:

1) SMTP Server 10.10.10.33
External IP = 1.1.1.33
Internal IP = 10.10.10.33
Port forward = port 25

2) WEB Server 10.10.10.28
External IP = 1.1.1.28
Internal IP = 10.10.10.28
Port forward = port 80

Policy routes:

1) Internal (All), dst (ALL), port 80, force to interface Port1.
2) Internal (All), dst (ALL), port 25, force to interface Port1.

Problem:

Hosts on the internal network are not able to reach the internal applications (HTTP and SMTP servers) using the external IP address of the Virtual IP. If the policy routes are removed, the hosts can access the internal applications again.

 
Topology:

[Topology diagram: virtual_ip_drawing.jpg]


Scope
FortiOS 3.0, 4.0, and above.

Solution
Add an additional policy route before policy route number (1), similar to the following example.

Example for the Web Server:
Protocol: 0
Incoming interface: internal
Source address / mask: 10.10.10.0/24
Destination address / mask: 10.10.10.33/32 (Internal Private IP)
Destination Ports: 80
Outgoing interface: internal
Gateway: 0.0.0.0
Explanation:

Using a policy route to force Internet traffic out a specific interface breaks connections from the internal network to an internal server: because policy route #1 forces the traffic out the external interface (port1), it never returns through the internal interface to reach the server.

To work around this, another policy route must be placed before the previous one so that packets use the internal interface when the destination is the Virtual IP's private address. Policy routes are evaluated top-down and the first match wins, so the exception only works if it sits above the catch-all route.
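The following is an added example, not configuration from the article: it expresses the policy-route setup above, plus the workaround, in FortiOS CLI using the `config router policy` syntax (written from memory of the FortiOS 4.x-style command set; verify the keys against your release). It goes slightly beyond the article's single worked route by adding one exception per server, taking the private addresses from the Virtual IP list (10.10.10.28 for HTTP, 10.10.10.33 for SMTP). The interface names `internal` and `port1` come from the article; the route IDs 1 to 4 are assumed. The article's GUI example lists Protocol 0 (any); protocol 6 (TCP) is used here so that the destination-port match applies.

```fortios
# Added example (not from the article). FortiOS CLI, 4.x-style syntax;
# route IDs are assumed, interface names and addresses come from the article.
config router policy
    # Existing policy routes from the article: any internal host, any
    # destination, TCP 80 / TCP 25 forced out port1.
    edit 1
        set input-device "internal"
        set protocol 6
        set start-port 80
        set end-port 80
        set output-device "port1"
    next
    edit 2
        set input-device "internal"
        set protocol 6
        set start-port 25
        set end-port 25
        set output-device "port1"
    next
    # Workaround: traffic whose (post-DNAT) destination is the VIP's private
    # address stays on the internal interface instead of being forced out port1.
    edit 3
        set input-device "internal"
        set src "10.10.10.0 255.255.255.0"
        set dst "10.10.10.28 255.255.255.255"
        set protocol 6
        set start-port 80
        set end-port 80
        set output-device "internal"
        set gateway 0.0.0.0
    next
    edit 4
        set input-device "internal"
        set src "10.10.10.0 255.255.255.0"
        set dst "10.10.10.33 255.255.255.255"
        set protocol 6
        set start-port 25
        set end-port 25
        set output-device "internal"
        set gateway 0.0.0.0
    next
    # Policy routes are matched top-down, so both exceptions must be moved
    # above the catch-all routes; the resulting order is 3, 4, 1, 2.
    move 3 before 1
    move 4 before 1
end
```

After applying, `diagnose firewall proute list` prints the installed policy routes in evaluation order, so you can confirm that the two /32 exceptions appear before the port-80 and port-25 catch-all routes; if they appear below, the `move` commands did not take effect and the original symptom will persist.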
