Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sheshman
New Contributor II

self hosting stopped working after switching to 30E

 

Hi,

 

I'm hosting my websites on ispconfig3 server from my home, i was using pfsense as gateway and 2 days ago i've switched to 30E (Unlicenced), so forwarded necessary ports to my ispconfig3 server but my websites are not reachable, when i plug my old pfsense it works but when i switch to fortigate it stops working. 

 

Checked ports over and over again through ping.eu it seems like all ports (specially 53 dns port) are open and reachable from outer world but when i check A record through https://dnschecker.org/#A/fscdepo.com (it's one of my domains runs on my server) it's  not reachable.

 

Any ideas ?

 

Screenshot_2.png

Screenshot_3.png

 

12 REPLIES 12
Yurisk
Valued Contributor

VIP (port forwarding)  is too basic of a feature on the Fortigate to cause problems, so 99% probability it is misconfiguration. Have you followed docs in configuring VIPs (e.g. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-Virtual-IPs-to-configure-port-forwar...) ?

 

In security policy you have in the upper bar "Policy lookup" button to simulate packets passing the firewall - use it putting src Ip of some client on the Internet, dst external IP of the server and see if match is done on the correct policy.

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
sheshman
New Contributor II

Hi Yuri,

 

First of all thanks for sharing your blog's url there are lots of information for me :)

 

Let me explain how my connection works, i'm using fiber modem to reach to the internet so my fortigate is connected to the my modem, i can't connect forti to the fiber directly because i'm also getting ip tv service from ISP and isp's iptv service is not working if i don't connect to modem to fiber directly ;

-Fiber Modem : 192.168.1.254

-Forti 30E: 192.168.2.254

-ISPCONFIG3 Web server : 192.168.2.245

I'm forwarding port 53 from modem to fortigate first, after that forwarding from forti to ispconfig3 server as below;

Screenshot_4.pngScreenshot_5.pngScreenshot_6.png

When i check from ping.eu port 53 seems open, but when i check through https://dnschecker.org/ my web sites are not reachable. If i connect my ipconfig3 server directly to the modem and forward ports to the server or if i connect my server to my old pfsense gw it works without any problem.

 

I also tested "Policy Lookup" as you mentioned and it seems like my policy works without any problem, i really don't know what causing this.

 

Strange thing is we are using similiar configuration at the company i work, with 600E + ispconfig3 and it works the same way i'm trying to do at home, there is no problem on 600E, the only difference between 600E and my 30E is the licence, 600E is licenced and my 30E is not. Is that makes a different? As far as i know i can use my 30E with basic operations without licence.

Debbie_FTNT

Hey sheshman,

can you also share the policy?

The VIP itself looks fine, so I would want to double-check that you have the correct policy from WAN -> LAN in place with VIP as destination object

In addition, you might want a policy in the reverse direction (LAN -> WAN) and ensure the traffic from your server is NATed to the VIP's external IP properly

 

Also, a question for my understanding:

- your Fiber modem translates the public IP to 192.168.1.254

- FortiGate translates that IP 192.168.1.254 to 192.168.2.245?

- if the modem translated to 192.168.2.245 directly, FortiGate wouldn't need any VIP configuration, it could just route and require a simple IPv4 policy

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
sheshman

Hi

your Fiber modem translates the public IP to 192.168.1.254 - yeap

FortiGate translates that IP 192.168.1.254 to 192.168.2.245? - yeap

 if the modem translated to 192.168.2.245 directly - no, modem can't do that because modem on 192.168.1.x and my LAN works on 192.168.2.x so modem can not reach to 192.168.2.x network.

 

My policy as below;

Screenshot_1.png

 

Debbie_FTNT

I'm not sure if this is required - but can you change the policy to use source interface 'wan' instead of SD-WAN, to line up with the external interface defined on your VIP?

Other than that, the policy looks fine as far as I can see (if the VIP is part of the VIP group you have set as destination).

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
sheshman

Unfortunately there is no wan option, there is only SD-WAN

 

Screenshot_2.png

 

Debbie_FTNT

Hey sheshman,

in that case, can you remove the external interface from the VIP and set it to 'any' interface?

Or, if you're not using SD-WAN, you could remove the 'wan' interface from SD-WAN settings. You would have to rework your outgoing policies to use 'wan' interface instead of SD-WAN though.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
sheshman

changing interface to any on VIP didn't solved the problem. 

Screenshot_7.png

The thing that i don't understand is i've also a Zimbra server and it works with same logic, i mean all port forwards are works without any problem to that server but when i forward to ispconfig3 than all of my websites goes offline, seems like somehow port53 is not communicating with outer world.

Yurisk
Valued Contributor

Hi again, thanks.

Configs seem OK. 

Unlicensed - for hardware models it may matter for Application Control/IPS/AV features, but basic functions like VPN, NAT, routing, FW work just fine. So, no - license cannot cause traffic problems. 

 

When switching to PFsense and it starts to work - is it possible the fiber modem is set to work with PFsense's MAC address?

 

Anyway, the best way to proceed is to run packet sniffer while trying to reach servers behind the FGT. You can do it while connected via SSH or use web Applet in the FGT GUI - right upper corner you have ">_" to open applet based CLI .

The syntax would be: dia sni pa any 'host Source_IP_of_client_here' 4 

 

Where Source_IP_of_client_here is the IP address of some external (on the INternet) client trying to access server(s) on open port. The desired output will contain packet coming in on wan interface and going out on lan interface with proper NAT translations. 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Labels
Top Kudoed Authors