FortiGate
ppatel
Staff
Article Id 202246
Description: This article describes why hairpin NAT works within a single VDOM, but when the VIP has to be triggered by clients that leave the FortiGate on a different Internet line, VDOMs are required, each VDOM with its own Internet line.

Let’s consider the following example:

  • 2 Internet lines: WAN1 and WAN2
      ◦ WAN1: 1.1.1.1/24
      ◦ WAN2: 2.2.2.2/24
  • VIP on WAN2 (whether the VIP is bound to WAN2 or to 'any', its external IP 2.2.2.2 belongs to WAN2)
  • Server in the DMZ (the VIP's mapped IP)
  • port1 and port2 are LAN ports, but port1 is forced to reach destination 0.0.0.0/0.0.0.0 via WAN1 through a policy route (PBR), while port2 goes to destination 0.0.0.0/0.0.0.0 via WAN2

In a single-VDOM scenario (VDOMs disabled), only users behind port2 can access the server in the DMZ via the VIP external IP 2.2.2.2. Users behind port1 are forced out via WAN1, but they cannot reach the VIP at 2.2.2.2 because the packet never leaves the VDOM, and a VIP cannot be triggered for traffic going from the WAN1 interface to the WAN2 interface address. Even if the VIP is not bound to WAN2, it still will not work.

Scope

FortiGate

Solution

In order to have this scenario working you must use VDOMs where:

VDOM1 contains WAN1 and port1 (SNAT enabled in the firewall policy)

VDOM2 contains WAN2, port2 and the DMZ (VIP configured)

When users behind port1 in VDOM1 access 2.2.2.2 (the VIP), the packet leaves VDOM1 over its Internet line and enters VDOM2, where the VIP is matched and the destination is translated to the DMZ server.

In this scenario, the policy route is no longer needed, since WAN1 is the only Internet line in VDOM1.
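The two-VDOM configuration the solution describes, written out as an added FortiOS CLI example that is not part of the original article. It assumes the VDOMs have already been created and the interfaces assigned as listed above (wan1 and port1 in VDOM1; wan2, port2 and the DMZ interface in VDOM2); the VIP object name vip-dmz, the DMZ interface name dmz and the server address 10.0.0.10 are placeholders, not values from the page.

```fortios
# Added example, not from the article. Assumed/placeholder values: the VIP
# name vip-dmz, the DMZ interface name dmz and the mapped server 10.0.0.10.
# VDOM1: port1 users leave through WAN1 with source NAT; no policy route needed
config vdom
    edit "VDOM1"
        config firewall policy
            edit 1
                set srcintf "port1"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end
# VDOM2: VIP 2.2.2.2 on wan2 mapped to the DMZ server. The wan2-to-dmz policy
# matches the traffic coming back in from VDOM1 as well as Internet clients.
config vdom
    edit "VDOM2"
        config firewall vip
            edit "vip-dmz"
                set extip 2.2.2.2
                set extintf "wan2"
                set mappedip "10.0.0.10"
            next
        end
        config firewall policy
            edit 1
                set srcintf "wan2"
                set dstintf "dmz"
                set srcaddr "all"
                set dstaddr "vip-dmz"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
```

Users behind port2 inside VDOM2 still need their own port2-to-dmz policy with vip-dmz as the destination, which is the single-VDOM hairpin case that already works.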
