FortiGate
nithincs
Staff & Editor
Article Id 192844

Description

This article explains how FortiGate applies DNAT and SNAT to VIP traffic when the source host and the VIP's mapped IP are connected to the same network (hairpin NAT).

 

Scope

FortiGate.

Solution

In this scenario, both the PC and the server are behind FortiGate, connected to the network 172.31.128.0/24 via PORT4.
The PC (172.31.128.2) wants to reach the server through its external address (1.1.1.1) instead of its real address (172.31.128.20).

FortiGate is connected to the LAN network 172.31.128.0/24 via PORT4.
FortiGate is configured with a VIP whose external IP 1.1.1.1 is mapped to the internal server 172.31.128.20:
 
config firewall vip
    edit "test"
        set uuid f1a6b83e-f27c-51eb-aa4a-b6c947c7530a
        set extip 1.1.1.1
        set extintf "any"
        set mappedip "172.31.128.20"
    next
end
 
To allow this traffic from the PC to the server using the mapped IP, a PORT4 to PORT4 policy has to be configured.

PORT4 to PORT4 policy to allow the reverse traffic:
 
config firewall policy
    edit 4
        set name "test2"
        set uuid 80d69150-f27d-51eb-aedc-5af165624624
        set srcintf "port4"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "test"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
 
Note: SNAT is not enabled in this policy (there is no 'set nat enable').

PC 172.31.128.2 pings the server using the VIP external IP 1.1.1.1. The packet is processed as follows:

  1. The traffic is received on PORT4 and verified.
  2. The destination IP matches the VIP external IP, which triggers DNAT. The destination IP is changed from 1.1.1.1 to 172.31.128.20.
  3. Policy 4 matches, since the source of the traffic and the mapped IP are connected via the same interface (PORT4 to PORT4).
  4. Because both source and destination are in the same network, FortiGate applies SNAT to the traffic even though NAT is not enabled in the policy, translating the source to its PORT4 address (172.31.128.1).
  5. As a result, the server's reply is not sent directly to the PC (the server sees 172.31.128.1 as the source); instead it comes back to FortiGate, which reverses both translations and sends the reply to PC 172.31.128.2 with source 1.1.1.1.


ICMP traffic from PC to server (diagnose debug flow):

 

aegon-kvm39 # id=20085 trace_id=415 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=1, 172.31.128.2:1->1.1.1.1:2048) from port4. type=8, code=0, id=1, seq=33."
id=20085 trace_id=415 func=init_ip_session_common line=5788 msg="allocate a new session-00081764"
id=20085 trace_id=415 func=fw_pre_route_handler line=181 msg="VIP-172.31.128.20:1, outdev-unknown"
id=20085 trace_id=415 func=__ip_session_run_tuple line=3410 msg="DNAT 1.1.1.1:8->172.31.128.20:1"
id=20085 trace_id=415 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-172.31.128.20 via port4"
id=20085 trace_id=415 func=fw_forward_handler line=771 msg="Allowed by Policy-4: SNAT"
id=20085 trace_id=415 func=__ip_session_run_tuple line=3396 msg="SNAT 172.31.128.2->172.31.128.1:60417"


Ping reply from server:

 

id=20085 trace_id=416 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=1, 172.31.128.20:60417->172.31.128.1:0) from port4. type=0, code=0, id=60417, seq=33."
id=20085 trace_id=416 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00081764, reply direction"
id=20085 trace_id=416 func=__ip_session_run_tuple line=3410 msg="DNAT 172.31.128.1:0->172.31.128.2:1"
id=20085 trace_id=416 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-172.31.128.2 via port4"
id=20085 trace_id=416 func=npu_handle_session44 line=1142 msg="Trying to offloading session from port4 to port4, skb.npu_flag=00000000 ses.state=00000200 ses.npu_state=0x00040000"
id=20085 trace_id=416 func=fw_forward_dirty_handler line=399 msg="state=00000200, state2=00000000, npu_state=00040000"
id=20085 trace_id=416 func=__ip_session_run_tuple line=3396 msg="SNAT 172.31.128.20->1.1.1.1:1"
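To verify this behaviour without reading the trace by hand, the following added script (not part of the original article or FortiOS) parses 'diagnose debug flow' lines like the ones above, reconstructs the post-NAT source and destination for each trace_id, and flags sessions that enter and leave the same interface with a rewritten source, which is the hairpin SNAT case described here. The sample lines are copied from the traces above; the regexes assume the message formats shown there.

```python
import re

# Constructed sample: the forward (415) and reply (416) traces from the article.
SAMPLE = """\
id=20085 trace_id=415 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=1, 172.31.128.2:1->1.1.1.1:2048) from port4. type=8, code=0, id=1, seq=33."
id=20085 trace_id=415 func=__ip_session_run_tuple line=3410 msg="DNAT 1.1.1.1:8->172.31.128.20:1"
id=20085 trace_id=415 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-172.31.128.20 via port4"
id=20085 trace_id=415 func=fw_forward_handler line=771 msg="Allowed by Policy-4: SNAT"
id=20085 trace_id=415 func=__ip_session_run_tuple line=3396 msg="SNAT 172.31.128.2->172.31.128.1:60417"
id=20085 trace_id=416 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=1, 172.31.128.20:60417->172.31.128.1:0) from port4. type=0, code=0, id=60417, seq=33."
id=20085 trace_id=416 func=__ip_session_run_tuple line=3410 msg="DNAT 172.31.128.1:0->172.31.128.2:1"
id=20085 trace_id=416 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-172.31.128.2 via port4"
id=20085 trace_id=416 func=__ip_session_run_tuple line=3396 msg="SNAT 172.31.128.20->1.1.1.1:1"
"""

# Message formats as they appear in the debug flow output above.
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from (\w+)')
DNAT_RE = re.compile(r'msg="DNAT [\d.]+:\d+->([\d.]+):\d+"')
SNAT_RE = re.compile(r'msg="SNAT [\d.]+->([\d.]+):\d+"')
ROUTE_RE = re.compile(r'find a route: .* via (\w+)')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')

def summarize_traces(text):
    """Group lines by trace_id and record original src/dst, ingress/egress interface and NAT results."""
    traces = {}
    for line in text.splitlines():
        tid = re.search(r'trace_id=(\d+)', line)
        if not tid:
            continue
        t = traces.setdefault(tid.group(1), {})
        if (m := PKT_RE.search(line)):
            t.update(proto=int(m.group(1)), src=m.group(2), dst=m.group(3), in_if=m.group(4))
        elif (m := DNAT_RE.search(line)):
            t['dnat'] = m.group(1)          # destination after translation
        elif (m := SNAT_RE.search(line)):
            t['snat'] = m.group(1)          # source after translation
        elif (m := ROUTE_RE.search(line)):
            t['out_if'] = m.group(1)
        elif (m := POLICY_RE.search(line)):
            t['policy'] = int(m.group(1))
    return traces

def translated_tuple(t):
    """(source, destination) as seen by the next hop after FortiGate applied NAT."""
    return (t.get('snat', t['src']), t.get('dnat', t['dst']))

def is_hairpin_snat(t):
    """True when the packet leaves on the interface it arrived on and the source was rewritten."""
    return t.get('in_if') == t.get('out_if') and 'snat' in t
```

For the forward trace the server sees 172.31.128.1 -> 172.31.128.20, so its reply returns through FortiGate rather than going straight to the PC.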

 

Packet flow (sniffer output):

 

2021-08-01 06:57:07.525936 port4 in 172.31.131.2 -> 1.1.1.1: icmp: echo request
2021-08-01 06:57:07.529835 port4 out 172.31.128.1 -> 172.31.128.20: icmp: echo request
2021-08-01 06:57:07.530431 port4 in 172.31.128.20 -> 172.31.128.1: icmp: echo reply
2021-08-01 06:57:07.531657 port4 out 1.1.1.1 -> 172.31.131.2: icmp: echo reply

 

Related article:

Technical Tip: How to disable source NAT to enable a hairpin policy or one-arm firewall