In a course I was told that when we want to use the public ip for an internal server, we need to create a hairpin nat rule.
This rule we pickup the public ip and past in to the vip-object.
Because we using extinf any, I thought I must use solutions 2:
Solution 2: External interface in the VIP object is configured to “any”
#config firewall vip edit "VIP" set extip 220.127.116.11 set extintf 'any' set mappedip 10.10.10.10 next end
In this scenario, one policy from internal network directly to DMZ is sufficient:
#config firewall policy edit 3 set srcintf "internal" set dstintf "dmz" set srcaddr "all" set dstaddr "VIP" <----- VIP object. set action accept set schedule "always" set service "ALL" next end
In my situation this should be
edit 3 set srcintf "WIFI_GUEST" set dstintf "dmz" set srcaddr "all" set dstaddr "VIP_VS_SF" <----- VIP object. set action accept set schedule "always" set service "ALL" next end
But I did not create rule 3 yet and it already working.
Therefor I created a ticket with Fortinet but the explantion was first worng and then unclear.
It was hard and even inpossible to yet in touch with an engineer because this was only an p4 or p3 ticket.
The engineer had told me that for firmware 6.4.3 something changed.
He is refering to the last part of the KB before the trace.
If both the server and the PC are hosted behind the same LAN interface, the traffic used to implement the "LAN-LAN" policy prior to 6.4.3. In FortiOS 6.4.3 and higher, the traffic would match the "WAN-LAN" policy; see the traffic flow below for additional information.
In the below-mentioned example the Source "10.150.7.22" and the destination "10.5.55.218" are hosted behind the same Interface Port5:
External IP: 10.5.55.218, Mapped IP: "10.150.4.58", LAN Facing Interface: Port5 WAN Facing Interface: Port2
# config firewall vip
# edit "HAIRPIN-NAT"
# set uuid 15baccae-6e03-51ec-9819-8da608ba2c39 # set extip 10.5.55.218 # set mappedip "10.150.4.58" # set extintf "any" # set arp-reply disable # set portforward enable # set extport 10443 # set mappedport 443
# config firewall policy
# edit 13
# set name "WAN-LAN" # set uuid 5d48ff10-6e07-51ec-d776-6809a6d67bf5 # set srcintf "port2" # set dstintf "port5" # set srcaddr "all" # set dstaddr "HAIRPIN-NAT" # set action accept # set schedule "always" # set service "ALL"
# edit 14
# set name "activate-hairpin" # set uuid 9cf01964-6e11-51ec-c4b7-880cc8ed68ab # set srcintf "port5" # set dstintf "port2" # set srcaddr "all" # set dstaddr "10.5.55.218" # set action accept # set schedule "always" # set service "ALL" # next
I'm not confinced that this is the explanation.
DMZ and WIFI_GUEST are seperated vlan.
We have a rule like 14
# set name "WIFI2WAN" # set srcintf "WIFI_GUEST" # set dstintf "WAN2" # set srcaddr "all" # set dstaddr "all" # set action accept # set schedule "always" # set service "ALL" # next
This allow device in the WIFI_GUEST to access the internet.
So is there someone who can explain me why it's working with a hairpin nat?
What I'm doing wrong?
And is there a more update KB for using VIP and using internal server wiht there public ip?
To access the DMZ server over the internet kindly create a VIP.
External IP as 18.104.22.168 and Mapped IP as 10.168.35.202, the external interface as WAN2 and mapped interface as DMZ. After creating a VIP create a policy from WAN to DMZ with source as all and in destination call the VIP(Which we created )
Your external IP is the wan2 interface IP if I read your diagram correctly. Then, your case falls into example 1 in the KB your referred. So you need 1. regular outgoing policy, and 2. VIP policy from wan to dmz.