Cannot access webserver behind DMZ on Fortigate E61

RBotha · ‎04-12-2019

Hi Everyone,

So I'm convinced I did something wrong here. 2 Days ago, with help from this forum, alot of googling and reading - I managed to allow external access through our wan to a DMZ_VLAN over to a Virtual machine that's hosted on my local machine.

But that night, not wanting to leave connections open to an unsecured/unpolished server, I disabled the policy and left. Upon return, I simply re-enabled the policy but now it doesn't work anymore... I can't hit (with https connection) the server from our external IP.

So here's what I did:

[ol]

Created a virtual interface on my internal (Interface 1: 192.168.1.1) port, addressed as 192.168.2.1/255.255.255.0 (DMZ_VLAN).

Created a Virtual IP (name: DMZ_HTTPS ext id: 11.22.33.44 mapped internal IP 192.168.2.10 interface: wan1) (with HTTPS port forwarded).

Created a policy with incoming interface: wan, outgoing: DMZ_VLAN, source: all, destination: DMZ_HTTPS VIP , NAT: off.

Created a policy with incoming interface: DMZ_VLAN, outgoing: wan, source: all, destination: all, NAT: ON)

Created a VLAN 20 on our Ubiquiti Unifi switch.

Setup HyperV's virtual switch to use my local machine's Ethernet port with VLAN 20 and assigned it to my VM.

Set a static IP for the VM (192.168.2.10) with gateway IP 192.168.2.1[/ol]

Here are my results (as commands executed from the webserver at 192.168.2.10)

[ol]

I can ping the fortigate DMZ interface (DMZ_VLAN) at 192.168.2.1 - GOOD

I cannot ping anything else on my internal network since only the machine and DMZ_VLAN use VLAN 20 - GOOD

I cannot reach my webserver's hosted IIS applications from the internet using the URL: https://11.22.33.44 - BAD

Nothing can ping the webserver from the internal network - GOOD.[/ol]

I'm completely stumped as to why by disabling a policy, this could happen? I did install Kaspersky Small Office Security Suite but removed that too. Windows Firewall is completely disabled and I evne created inbound & outbound rules for port 443. IIS is up and running but since this is the only machine on the VLAN, I cannot test this from another machine within the network to see if the problem lies with the server, or the firewall. My guessing is it would be the latter.

RBotha · ‎04-12-2019

My Traffic Forward Log shows this, but that doesn't make sense... There is no rule that directs traffic from DMZ_VLAN to DMZ_VLAN, because why would one needthat?

RBotha · ‎04-15-2019

Ok, so I think I solved this. For anyone else looking at this, there seems to be a difference in the way this is explained, or perhaps it is my setup. I think this might be caused by a Double NAT.

To fix the situation, I changed the External IP of my Virtual IPs to the internet breakout of our network stack, which IS NOT the actual external IP of our internet connection. This solved it for me.

RBotha · ‎04-23-2019

So after alot of tests and trials, I've finally got this to work correctly.

Quite simply, I added 2 more VIPs with the external IPs actually matching our real external ip( i.e. 11.22.33.44) and mapped it to the DMZ based web server's IP (192.168.2.10) along with HTTPS and HTTP ports forwarded. This was my primary struggle. To realise that I needed 4 VIPs (2 for normal WAN to DMZ traffic and 2 for..well WAN to DMZ traffic but actually its for LAN to DMZ).

A while back while testing this, I had setup a policy to allow LAN to DMZ traffic, but specified the original VIPs (the ones that map the internet breakout IPs on our network stack, not our ACTUAL external IP) but that never worked. One needed to specify the new 2 VIPs (the Hairpin ones) and suddenly it worked!

Also, one should remember to enable match-vip on the LAN to DMZ (your hairpin policy) to make this work.