Fortinet Support Forum
CA-Davida1992
Creating a Loop Back Policy to allow internal users to access services by looping out and back in

We have a service that is available externally. We have a firewall policy rule in place that allows anyone external to hit the external IP address and be NAT'd into our internal service. The rule is set up like this:


Incoming Interface: WAN
Outgoing Interface: LAN
Destination: (Set as a virtual IP)
Services: HTTPS


So when people try to visit the URL from the outside, they hit this rule, the virtual IP in the rule translates it from the external IP to the internal server IP and everything works correctly.


The issue we are having is when users are trying to access the service from our guest wifi network. Our guest wifi network does not have access to our internal IP ranges. So in order to access the service, it must route out and then back in on itself. Our DNS on our guest wifi range is set up to use an external service, so when you try to visit the URL it resolves to the external IP address.


If you check the firewall logs when trying to access it, you can see it's hitting the firewall on the LAN interface from the correct internal guest IP address range. But you can see on the logs it's showing the destination as LAN too. I think this should be WAN. 


Do I need to create some sort of rule so that anything coming from the guest network ranges is routed to the WAN instead of staying on the LAN interface for both source and destination? If so, how?


Thanks in advance.

distillednetwork

The easiest thing to do is to clone the policy you have for WAN -> LAN and create the new one as Guest WiFi -> LAN.  Leave the VIP as the destination and it should work.
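The reply above in FortiOS CLI form, as an added example that is not part of the original thread and not the poster's own configuration. FortiOS applies the VIP's destination NAT before the policy lookup, so a guest client that connects to the public IP is evaluated as guest interface -> LAN with the VIP as destination, which is why the cloned policy keeps the VIP object rather than a WAN destination. All names and addresses here are placeholders: the interfaces "guest-wifi" and "lan", the public IP 203.0.113.10 (documentation range), the server 192.168.10.20 and the guest subnet 192.168.50.0/24 are assumed, not taken from the post.

```fortios
# VIP for the published service. extintf must be "any" (or include the
# guest interface): a VIP bound only to the WAN interface will not match
# a hairpinned connection arriving on guest-wifi, and the policy below
# would never be hit.
config firewall vip
    edit "svc-https-vip"
        set extip 203.0.113.10
        set extintf "any"
        set mappedip "192.168.10.20"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# Placeholder address object for the guest WiFi client range.
config firewall address
    edit "guest-wifi-net"
        set subnet 192.168.50.0 255.255.255.0
    next
end

# Hairpin policy: a clone of the existing WAN -> LAN rule with the
# source interface and source address changed to the guest network.
# The destination stays the VIP object, not a WAN address.
config firewall policy
    edit 0
        set name "guest-to-svc-hairpin"
        set srcintf "guest-wifi"
        set dstintf "lan"
        set srcaddr "guest-wifi-net"
        set dstaddr "svc-https-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set logtraffic all
    next
end
```

Two points worth checking on a real unit. First, the existing guest -> WAN internet policy does not cover this traffic even though the user typed a public IP, because the DNAT has already rewritten the destination to the LAN server by the time policies are matched; that is also why the logs in the question show LAN as the destination interface. Second, `set nat enable` (source NAT to the LAN interface address) is only strictly needed if the server has some path back to the guest subnet that bypasses the FortiGate; when the FortiGate is the server's default gateway the return traffic already comes back through the same session, but enabling it is harmless and avoids asymmetric-routing surprises. To confirm which policy a test connection hits, use the flow trace with the placeholder public IP: `diagnose debug flow filter addr 203.0.113.10`, `diagnose debug flow trace start 10`, then `diagnose debug enable`, and look for the "Allowed by Policy" line naming the hairpin policy ID.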