Can't access server with same public IP subnet in FortiGate WAN firewall, kindly advise
Hi, so we have a FortiGate 1801F as our internet firewall. This FortiGate firewall has a public IP assigned on its interface and has a direct connection to the ISP PE.
We have NAT for internal users going to the internet (using the outgoing interface IP), and we have 1-to-1 NAT for our server X so it is accessible from the internet. This server X public IP is in the same subnet as the internal users' public IP; server X's public IP uses a virtual IP for the 1-to-1 NAT.
This server X public IP can be accessed from the internet (my coworker on a different continent can access it), but this server X can't be accessed by internal users. The internal users access this server X not using server X's internal IP, but using server X's public IP.
I tried a traceroute and Forti showed some strange symbols: !H !H
The rule for server X is:
source: any, dest: server X, port: 443.
The rule for internal users is:
source: internal user IP, dest: any, port: any
Is it because the internal users are using a public IP that is in the same subnet as server X's public IP, so the internal users can't access server X's public IP? Or is there some kind of Forti config that I don't know about?
When an internal user connects to the server, the flow may be like below.
SYN - Source IP is the private IP of the PC, destination IP is the public IP. The packet reaches the switch, the switch sends it to the firewall, and the firewall forwards it to the server via the switch again after NAT. All good here.
SYN-ACK - Source IP is the private IP of the server, destination is the private IP of the PC. The packet reaches the switch, and the switch will forward it directly to the PC as it is aware of the route and has no need to send it to the firewall.
Now the TCP handshake is broken on the firewall as the TCP SYN-ACK doesn't reach the firewall.
The TCP ACK from the client will again take the first path and reach the firewall, but it won't accept it as the TCP SYN never reached the firewall.
This can be fixed if you enable interface NAT towards the server from the PC port. This way, the SYN-ACK will reach the firewall as the destination will be the firewall's IP and not the PC's IP.
Feel free to correct me if I misunderstood the topology/flow.
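To make the asymmetric path in the answer above concrete, here is a small Python model of the exchange (an added example, not code from the post or from Fortinet). It contains a stateful firewall that translates the VIP to server X and tracks TCP state, and a LAN switch that delivers same-subnet traffic host to host without involving the firewall. All addresses (10.0.0.10 for the PC, 10.0.0.20 for server X, 10.0.0.1 for the firewall's LAN interface, 203.0.113.20 for the VIP) are constructed. The handshake is run once without source NAT on the LAN-side policy and once with it.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for this example; they are not from the original post.
PC = "10.0.0.10"          # internal user
SERVER = "10.0.0.20"      # server X, private address, same VLAN as the PC
FW_INSIDE = "10.0.0.1"    # firewall LAN interface, the PC's default gateway
VIP = "203.0.113.20"      # public address of server X (1:1 NAT virtual IP)
LAN_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flag: str  # "SYN", "SYN-ACK" or "ACK"


class StatefulFirewall:
    """DNAT VIP -> SERVER, tracks TCP state, optionally SNATs LAN clients to its own address."""

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        self.sessions = {}  # (client, VIP) -> {"snat": translated source, "state": TCP state}

    def forward(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst == VIP:  # client -> server direction
            key = (pkt.src, pkt.dst)
            if pkt.flag == "SYN":
                snat = FW_INSIDE if self.hairpin_snat else pkt.src
                self.sessions[key] = {"snat": snat, "state": "SYN_SENT"}
            elif key not in self.sessions or self.sessions[key]["state"] != "SYN_RECV":
                return None  # ACK for a handshake whose SYN-ACK the firewall never saw
            else:
                self.sessions[key]["state"] = "ESTABLISHED"
            return Packet(self.sessions[key]["snat"], SERVER, pkt.flag)
        for (client, vip), sess in self.sessions.items():  # server -> client direction
            if pkt.src == SERVER and pkt.dst == sess["snat"]:
                if pkt.flag == "SYN-ACK":
                    sess["state"] = "SYN_RECV"
                return Packet(vip, client, pkt.flag)  # reverse translation
        return None  # reply without a matching session

    def state(self, client: str) -> Optional[str]:
        sess = self.sessions.get((client, VIP))
        return sess["state"] if sess else None


def deliver(pkt: Packet, fw: StatefulFirewall, trace: list) -> Optional[Packet]:
    """The LAN switch: same-subnet traffic is switched host to host; anything else goes to the gateway."""
    if pkt.dst.startswith(LAN_PREFIX) and pkt.dst != FW_INSIDE:
        trace.append(f"{pkt.flag} {pkt.src}->{pkt.dst} switched directly")
        return pkt
    out = fw.forward(pkt)
    trace.append(f"{pkt.flag} {pkt.src}->{pkt.dst} via firewall -> "
                 + (f"{out.src}->{out.dst}" if out else "dropped"))
    return out


def handshake(hairpin_snat: bool) -> dict:
    """Run the three-way handshake PC -> server X public IP and report what happened."""
    fw = StatefulFirewall(hairpin_snat)
    trace: list = []
    syn = deliver(Packet(PC, VIP, "SYN"), fw, trace)
    # Server X answers whatever source address it saw in the SYN.
    syn_ack = deliver(Packet(SERVER, syn.src, "SYN-ACK"), fw, trace)
    if syn_ack is None or syn_ack.src != VIP:
        # The PC dialled the VIP; a SYN-ACK from the server's private address matches no socket.
        # Even if the client sent the final ACK anyway, the firewall drops it: its session is still SYN_SENT.
        ack_accepted = fw.forward(Packet(PC, VIP, "ACK")) is not None
        return {"result": "FAILED", "firewall_state": fw.state(PC),
                "ack_accepted": ack_accepted, "trace": trace}
    ack = deliver(Packet(PC, VIP, "ACK"), fw, trace)
    return {"result": "ESTABLISHED" if ack else "FAILED", "firewall_state": fw.state(PC),
            "ack_accepted": ack is not None, "trace": trace}


if __name__ == "__main__":
    for snat in (False, True):
        outcome = handshake(snat)
        print(f"hairpin SNAT {'on ' if snat else 'off'}: {outcome['result']} "
              f"(firewall session state {outcome['firewall_state']})")
        for line in outcome["trace"]:
            print("   ", line)
```

Without source NAT the trace shows the SYN-ACK being switched straight from 10.0.0.20 to 10.0.0.10, so the firewall's session never leaves SYN_SENT and the client sees a reply from an address it never connected to. With source NAT the server answers the firewall's own LAN address, every packet of the handshake crosses the firewall, and the session reaches ESTABLISHED. On a FortiGate the "interface NAT" the answer refers to is NAT enabled on the internal-to-internal policy whose destination is the server X VIP, which translates the client source to the firewall's interface address.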