jfernandz
New Contributor II

Accessing a Virtual IP from the inside

Hi everyone,

 

I've created a Virtual IP to forward TCP port 10000 to TCP port 80 on a client with the IP 192.168.1.12, so the details are:

 

0.0.0.0 -> 192.168.1.12 (TCP: 10000 -> 80)

 

I've also created a policy so I can access that host from the outside when I make a request to <office.public.ip>:10000, and it works as expected. I've basically followed this post in the knowledge base.

 

However, I'm experiencing something unexpected: when I try to access <office.public.ip>:10000 from another interface (VLAN) I cannot reach the host, only when I try to access it from outside (another, different internet connection). Why is this?

 

To put you a little more in context ... I'm doing this in my company, so I can reach the host from my home, but not from the office itself. Also ... the ISP gave me an IP to use as a gateway in a static route (which is different from the public IP of the connection in the office), and I also have another, different IP/Netmask for the WAN1 interface (also different from the public IP and from the IP used in the static route). When I try to reach the host by requesting <ip.wan1.interface>:10000 it works as expected, but again, I cannot reach it when I request <office.public.ip>:10000 from the office itself; it only works when I make that request from outside.

 

I know that when I'm inside (in the office) I don't actually need to access that host via <office.public.ip>, but I'm curious, because apparently I should be able to use <office.public.ip>:10000 in the same way that I'm able to use just the private local IP (192.168.1.12).

 

What do you think? Thank you all.

13 REPLIES
jfernandz
New Contributor II

Well, I've been checking the logs and I think this is because of my ISP.

 

 

As you can see, even though I'm always (in both cases) making the request to the office public IP (83.x.y.143):

  • When I open the connection from outside (source=176.83.47.77), FortiGate actually uses 217.124.116.61 as the destination IP (the ISP gave me this IP to set the WAN1 IP/Netmask, which is actually connected to the ISP router).
  • When I open the connection from inside (source=172.20.1.16), FortiGate uses the actual public IP (83.x.y.143), but it's not forwarding/NATting the connection properly to the right local IP (192.168.1.12) and port (80). If I make the request to 217.124.116.61:10000 from inside it works as expected, but 217.124.116.61 is not available from outside ...

    So maybe this is because of the network architecture of my ISP. What do you think?

  • jorge_americo

    Perfect. Then we have to look at something on that WAN. How is it configured?

    Where does the IP 83 come from? Is it a valid IP routed by your operator to you? The IP 217.124.116.61 is configured on your WAN, correct?

    Was the request made by IP or by DNS?

    One more question. You said: "If I do the request to 217.124.116.61:10000 from inside it works as expected, but 217.124.116.61 is not available from outside ..." Do you have a macro drawing of your topology, to help understand it better?

    NSE-4

    jfernandz

    jorge.americo wrote:

    Perfect. Then we have to look at something on that WAN. How is it configured?

    Where does the IP 83 come from? Is it a valid IP routed by your operator to you? The IP 217.124.116.61 is configured on your WAN, correct?

    Was the request made by IP or by DNS?

    One more question. You said: "If I do the request to 217.124.116.61:10000 from inside it works as expected, but 217.124.116.61 is not available from outside ..." Do you have a macro drawing of your topology, to help understand it better?

  • As I've said, WAN1 has just that value (217.124.116.61) as its IP/Netmask.
  • The IP 83 is the IP that services for finding out your public IP report to me, for example this one.
  • I'm always making the request by IP, of course.

     

    I'm not sure if this will help, but this is a little schema representing what I have.

     

     

    The 217.124.116.x IPs were given to me by the ISP in order to set these two things (the WAN1 interface IP/Netmask and the static route shown), but actually the 83.x.y.143 IP is the one that public services for finding out your public IP report to me.

     

    Again, as I've said ... the 217.124.116.x IPs are not accessible from outside. I guess those IPs have something to do with the DMZ configured by the ISP; I can ping them only when I'm at the office.

     

     

       

  • jorge_americo

    As I understand it, your provider grants you a valid IP but still does NAT towards the internet. In this case, you have to ask them to route 83. to your equipment, and change your VIP from "0.0.0.0 -> 192.168.1.12 (TCP: 10000 -> 80)" to "83.xyz -> 192.168.1.12 (TCP: 10000 -> 80)".

    Note: put the WAN interface in the VIP so that there is gratuitous ARP and your equipment is presented to the provider as 83.

    NSE-4

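As an added example (not from the thread, and not Fortinet's own text), the FortiOS CLI form of the change jorge_americo suggests: the VIP bound to wan1 with the public address as its external IP instead of 0.0.0.0, the inbound policy, and a second policy that lets a host on an office VLAN reach the VIP by its public address (the question in the thread title; the thread itself does not spell this policy out). The interface names vlan_office and internal, the VIP/service/policy names, and the 83.x.y.143 placeholder are assumptions to be replaced with the real values.

```fortios
# --- Virtual IP: public address on wan1, TCP 10000 -> 192.168.1.12:80 ---
# 83.x.y.143 is the placeholder form used in the thread; substitute the real
# address your ISP routes to the FortiGate (the VIP only answers ARP for it on
# wan1 when the address falls inside wan1's subnet).
config firewall vip
    edit "vip_web_10000"
        set extintf "wan1"
        set extip 83.x.y.143
        set portforward enable
        set protocol tcp
        set extport 10000
        set mappedip "192.168.1.12"
        set mappedport 80
    next
end

# Custom service so the policies only accept the forwarded port.
config firewall service custom
    edit "TCP_10000"
        set tcp-portrange 10000
    next
end

config firewall policy
    # Inbound from the internet to the published port (the policy the
    # original poster already has, restated here for completeness).
    edit 0
        set name "inbound_web_vip"
        set srcintf "wan1"
        set dstintf "internal"          # assumption: interface of 192.168.1.12
        set srcaddr "all"
        set dstaddr "vip_web_10000"
        set action accept
        set schedule "always"
        set service "TCP_10000"
        set logtraffic all
    next
    # Internal access to the same VIP by its public address. Clients on the
    # VLAN (e.g. 172.20.1.16 in the thread) hit 83.x.y.143:10000 and the
    # FortiGate translates it locally instead of sending it out wan1.
    # NAT (source NAT) is only required when client and server sit on the
    # same interface, so the server's reply goes back through the FortiGate.
    edit 0
        set name "hairpin_web_vip"
        set srcintf "vlan_office"       # assumption: the office VLAN interface
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip_web_10000"
        set action accept
        set schedule "always"
        set service "TCP_10000"
        set logtraffic all
    next
end

# --- Verifying which VIP/policy a connection actually matched ---
# Run these, then repeat the request from the VLAN client and from outside;
# the trace shows the destination NAT applied and the policy id selected.
diagnose debug flow filter port 10000
diagnose debug flow trace start 10
diagnose debug enable
# Stop tracing afterwards.
diagnose debug disable
diagnose debug flow trace stop
```

If the trace shows traffic to 83.x.y.143 leaving via wan1 with no translation, the VIP did not match on the internal side; Fortinet's guidance in that case is to set the VIP's external interface to "any" (at the cost of the wan1 proxy ARP binding jorge_americo mentions), or to keep the wan1 VIP for inbound traffic and add a second VIP with extintf "any" for the internal policy.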