Fortinet Forum
rniesen
New Contributor

I'm confused about how to access a server in the DMZ from the WiFi VLAN via its public IP

Hello all,

I created a ticket with Fortinet 14 days ago because I didn't understand why something is working when I didn't configure it.

topology.jpg

We have 2 goals:

1) access the server in the DMZ from outside

2) access the server in the DMZ from wifi_guest using the public IP (the IP on wan2)

For 1 I created a VIP:

config firewall vip
  edit "VIP_VS_SF"
  set extip 20.100.34.2
  set mappedip "10.168.35.202"
  set extintf "any"
  set portforward enable
  set extport 443
  set mappedport 443
next

And we created a policy:

edit 38
  set name "FW_WAN22DMZ_SF"
  set srcintf "wan2"
  set dstintf "WPDMZ"
  set srcaddr "all"
  set dstaddr "VIP_VS_SF"
  set action accept
  set schedule "always"
  set service "HTTPS"
  set nat enable
next

As a result we are able to access the server in the DMZ via the WAN2 public IP.

This is ok.

Now for part 2 I followed this article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448

Now everything becomes very unclear.

We are using firmware 6.4.8.

In a course I was told that when we want to use the public IP for an internal server, we need to create a hairpin NAT rule.

In this rule we pick up the public IP and paste it into the VIP object.

Because we are using extintf any, I thought I must use solution 2:

Solution 2: External interface in the VIP object is configured to “any”

#config firewall vip
    edit "VIP"
        set extip 92.0.2.10
        set extintf 'any'
        set mappedip 10.10.10.10
    next
end

In this scenario, one policy from internal network directly to DMZ is sufficient:

#config firewall policy
    edit 3
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP"             <----- VIP object.
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

In my situation this should be:

edit 3
        set srcintf "WIFI_GUEST"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP_VS_SF"             <----- VIP object.
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

But I did not create rule 3 yet and it is already working.

Therefore I created a ticket with Fortinet, but the explanation was first wrong and then unclear.

It was hard and even impossible to get in touch with an engineer because this was only a P4 or P3 ticket.

The engineer told me that for firmware 6.4.3 something changed.

He is referring to the last part of the KB, before the trace.

If both the server and the PC are hosted behind the same LAN interface, the traffic used to implement the "LAN-LAN" policy prior to 6.4.3. In FortiOS 6.4.3 and higher, the traffic would match the "WAN-LAN" policy; see the traffic flow below for additional information.

In the example below, the source "10.150.7.22" and the destination "10.5.55.218" are hosted behind the same interface, Port5:

External IP: 10.5.55.218,
Mapped IP: "10.150.4.58",
LAN Facing Interface: Port5
WAN Facing Interface: Port2

# config firewall vip
# edit "HAIRPIN-NAT"
# set uuid 15baccae-6e03-51ec-9819-8da608ba2c39
# set extip 10.5.55.218
# set mappedip "10.150.4.58"
# set extintf "any"
# set arp-reply disable
# set portforward enable
# set extport 10443
# set mappedport 443
# next
# end

# config firewall policy
# edit 13
# set name "WAN-LAN"
# set uuid 5d48ff10-6e07-51ec-d776-6809a6d67bf5
# set srcintf "port2"
# set dstintf "port5"
# set srcaddr "all"
# set dstaddr "HAIRPIN-NAT"
# set action accept
# set schedule "always"
# set service "ALL"
# next
# edit 14
# set name "activate-hairpin"
# set uuid 9cf01964-6e11-51ec-c4b7-880cc8ed68ab
# set srcintf "port5"
# set dstintf "port2"
# set srcaddr "all"
# set dstaddr "10.5.55.218"
# set action accept
# set schedule "always"
# set service "ALL"
# next
# end

I'm not convinced that this is the explanation.

DMZ and WIFI_GUEST are separate VLANs.

We have a rule like 14:

edit 14
  set name "WIFI2WAN"
  set srcintf "WIFI_GUEST"
  set dstintf "WAN2"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
next
end

This allows devices in WIFI_GUEST to access the internet.

So is there someone who can explain to me why it's working with a hairpin NAT?

What am I doing wrong?

And is there a more up-to-date KB for using a VIP and accessing internal servers via their public IP?

Sorry for my bad English already ....
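As an added example (not from the thread or from Fortinet), a small Python check that parses FortiOS CLI text like the snippets above and reports, for each VIP, its extintf, the policies that reference it as dstaddr, and whether one of those policies comes from a named internal interface (here WIFI_GUEST, the policy the KB's solution 2 says is sufficient when extintf is any); the config is a constructed sample modelled on the post and the function names are my own.

```python
import re
# Constructed sample in FortiOS CLI syntax, modelled on the thread (not a dump from a live FortiGate).
SAMPLE_CONFIG = """\
config firewall vip
    edit "VIP_VS_SF"
        set extip 20.100.34.2
        set mappedip "10.168.35.202"
        set extintf "any"
    next
end
config firewall policy
    edit 38
        set srcintf "wan2"
        set dstintf "WPDMZ"
        set dstaddr "VIP_VS_SF"
    next
    edit 14
        set srcintf "WIFI_GUEST"
        set dstintf "wan2"
        set dstaddr "all"
    next
end
"""
def parse_fortios(text):
    """Parse 'config T / edit E / set K V... / next / end' blocks into {T: {E: {K: [V, ...]}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            tables.setdefault((table := line[7:]), {})
        elif line.startswith("edit ") and table is not None:
            tables[table][(entry := line[5:].strip('"'))] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[4:].partition(" ")
            # values may be quoted ("WIFI_GUEST") or bare (20.100.34.2); keep all of them, unquoted
            tables[table][entry][key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
        elif line == "next":
            entry = None
        elif line == "end":
            table = None
    return tables

def hairpin_coverage(text, internal_intf):
    """VIP name -> (extintf, [(srcintf, dstintf) of policies naming it], has a policy from internal_intf)."""
    cfg = parse_fortios(text)
    report = {}
    for name, vip in cfg.get("firewall vip", {}).items():
        refs = [(p["srcintf"][0], p["dstintf"][0]) for p in cfg.get("firewall policy", {}).values()
                if name in p.get("dstaddr", [])]
        report[name] = (vip.get("extintf", ["?"])[0], refs, any(s == internal_intf for s, _ in refs))
    return report
```

For the sample, the VIP is bound to extintf any and is only referenced by the wan2 to WPDMZ policy, so the check reports no WIFI_GUEST policy naming it.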

rniesen
New Contributor

Topology

akumarr

To access the DMZ server over the internet, kindly create a VIP.

External IP as 20.100.34.2 and Mapped IP as 10.168.35.202, the external interface as WAN2 and the mapped interface as DMZ.
After creating the VIP, create a policy from WAN to DMZ with source as all and in destination call the VIP (which we created).

After the configuration please check the behavior.


Best regards,
ARUNKUMAR.R.
rniesen

Hi Arunkumar,

In my post I said that I created the VIP to map the public IP to the server in the DMZ.

That isn't the problem.

If I follow the article included in the post, we need to create a hairpin NAT from WiFi to DMZ to access the server with the public IP from WiFi.

Without this hairpin it is already working.

Either something is wrong or something has changed.

akumarr
Staff

Regarding the WiFi users accessing the DMZ server, kindly configure hairpin NAT:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448

Best regards,
ARUNKUMAR.R.
rniesen

Hi,

I followed this article exactly.

If you read my post, you see a literal copy-paste from the article.

Toshi_Esumi
Esteemed Contributor II

Your external IP is the wan2 interface IP, if I read your diagram correctly. Then your case falls into example 1 in the KB you referred to. So you need 1. a regular outgoing policy, and 2. a VIP policy from wan to dmz.

Toshi