Creating a Loop Back Policy to allow internal users to access services by looping out and back in
We have a service that is available externally. We have a firewall policy rule in place that allows anyone external to hit the external IP address and be NAT'd into our internal service. The rule is set up like this:
Incoming Interface: WAN
Outgoing Interface: LAN
Destination: (Set as a virtual IP)
Services: HTTPS
So when people try to visit the URL from the outside, they hit this rule, the virtual IP in the rule translates it from the external IP to the internal server IP and everything works correctly.
The issue we are having is when users are trying to access the service from our guest wifi network. Our guest wifi network does not have access to our internal IP ranges. So in order to access the service, it must route out and then back in on itself. Our DNS on our guest wifi range is set up to use an external service, so when you try to visit the URL it resolves to the external IP address.
If you check the firewall logs when trying to access it, you can see it's hitting the firewall on the LAN interface from the correct internal guest IP address range. But you can see on the logs it's showing the destination as LAN too. I think this should be WAN.
Do I need to create some sort of rule so that anything coming from the guest network ranges, should route to the WAN instead of trying to stay on the LAN interface for the source and destination? If so, how?
Thanks in advance.
Labels: FortiGate
The easiest thing to do is to clone the policy you have for WAN -> LAN and create the new one as Guest WiFi -> LAN. Leave the VIP as the destination and it should work.
This doesn't work for me. I have the same problem.
firewall policy rule in place that allows anyone external to hit the external IP address and be NAT'd into our internal service. The rule is set up like this:
Incoming Interface: WAN
Outgoing Interface: LAN
Destination: (Set as a virtual IP)
Services: HTTPS
Guests from another VLAN, which doesn't see the LAN, cannot access the web server via the internet.
We use two public IPs. One is for the NAT, the other is for all users accessing the internet from the FortiGate (configured as an IP pool). Guest users can resolve the external IP for the web server and can also ping it, but need the right (loopback) policy for HTTP traffic. Thank you for your help.
I tried a Guest WiFi > LAN policy, but without success.
SOURCE: guests
OUTGOING INTERFACE: LAN
DESTINATION: VIP
NAT (with IP-POOL of users)
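The "clone the WAN -> LAN policy as Guest WiFi -> LAN" suggestion from the first reply, and the reason it can still fail as in the attempt above, as an added FortiOS CLI example that is not from the original thread or from either poster's configuration. Interface names (wan1, guest-wifi, lan), the VIP name, and all addresses (203.0.113.10 as the public IP, 192.168.10.20 as the internal server) are assumptions for illustration. The point to check is the VIP's extintf: FortiGate applies the VIP's destination NAT before the policy lookup, so if the VIP was created with extintf set to wan1 only, packets arriving on the guest interface are never translated, a Guest WiFi -> LAN policy with the VIP as destination never matches, and the log still shows LAN as both source and destination interface. Setting extintf to "any" (or to the guest interface as well) lets the hairpin policy match.

```fortios
# Assumed names and addresses; adjust to your own objects.
# 1. VIP that is allowed to match on ANY ingress interface, not just WAN.
config firewall vip
    edit "web-vip"
        # extintf "any" is what allows the same VIP to translate traffic
        # arriving from the guest interface (hairpin / loopback NAT).
        set extintf "any"
        set extip 203.0.113.10
        set mappedip "192.168.10.20"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# 2. Existing internet-facing policy, unchanged apart from the VIP above.
config firewall policy
    edit 0
        set name "internet-to-web"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# 3. Hairpin policy for guests: same destination (the VIP), different
#    source interface. Source NAT is enabled so the web server sees the
#    FortiGate's LAN address and its replies return through the firewall
#    even if the server has no route back to the guest subnet.
config firewall policy
    edit 0
        set name "guest-to-web-hairpin"
        set srcintf "guest-wifi"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set logtraffic all
    next
end
```

After applying this, a successful hairpin session in the traffic log should show srcintf guest-wifi, dstintf lan, the original destination 203.0.113.10 and the translated destination 192.168.10.20. If the log still shows the guest policy not matching, confirm with `show firewall vip web-vip` that extintf is not pinned to the WAN interface, and that the guest policy sits above any broader guest -> LAN deny rule, since policies are evaluated top down.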
