Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Can't access server with same public ip subnet in fortigate wan firewall, kindly advised

Hi so we have fortigate 1801F as our internet firewall. This fortigate firewall has public ip assigned on it’s interface and has direct connection to ISP PE.


We have nat for internal user for going to internet (using outgoing interface IP), and we have 1 on 1 nat for our server  X accessible from internet. This server X public ip is the same subnet as internal user public ip, server X public ip using virtual ip for 1 on 1 nat.



Screenshot 2023-09-27 at 11.05.14.png


This server X public ip can be accessed via public (my coworker in different continent can access it, but this server X can’t be accessed via internal user. This internal user access this server X not using server X internal IP, but using server X public IP.


I tried to trace route and forti show something like strange symbol : !H !H


Rules for server X is

source : any, dest :server X, port : 443.


Rules for internal user is :

source : internal user ip, dest : any, port : any


Is it because internal user using public ip that is in the same subnet as server X public ip so internal user can’t access server X public IP? Or there is some kind of forti config that i didn’t know?


New Contributor III



For your internal users to access your server from the public IP, you need to configure a NAT hairpin.
Basically imagine that your packet does a loop and goes to your server.

Try this guide, it had helped me in the past:


Not all those who wander are lost


Hi yes it looks like need to do hairpin, we'll do it on the next windows change, i'll keep the update after changes.


When internal user connects to the server, the flow may be like below.

SYN - Source IP is Private PC--- Destination IP is Public IP
Packet reaches Switch, Switch sends it to Firewall, Firewall forward it to server via Switch again after NAT.
All good here

SYN-ACK - Source IP is the Private IP of Server - Destination is Private IP of PC
Packet reaches Switch, and the Switch will forward it directly to PC as it is aware about the route and no need to send it to Firewall.

Now the TCP handshake is broken on Firewall as the TCP SYN-ACK dont reach firewall.

The TCP ACK from client will again take the first path and reach firewall, but it won't accept it as the TCP-SYN never reached firewall.

This can be fixed if you enable Interface NAT towards the Server from PC port. This way, SYN-ACK will reach firewall as the destination will be of Firewall IP and not PC IP.

Feel free to correct me if I misunderstood the topology/flow.



- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

Top Kudoed Authors