CA-Davida1992
New Contributor

Creating a Loop Back Policy to allow internal users to access services by looping out and back in

We have a service that is available externally. We have a firewall policy rule in place that allows anyone external to hit the external IP address and be NAT'd in to our internal service. The rule is setup like this:


Incoming Interface: WAN
Outgoing Interface: LAN
Destination: (Set as a virtual IP)
Services: HTTPS


So when people try to visit the URL from the outside, they hit this rule, the virtual IP in the rule translates it from the external IP to the internal server IP and everything works correctly.


The issue we are having is when users are trying to access the services from our guest wifi network. Our guest wifi network does not have access to our internet IP ranges. So in order to access the service, it must route out and then back in on itself. Our DNS on our guest wifi range is setup to use an external service, so when you try to visit the URL it resolves to the external IP address.


If you check the firewall logs when trying to access it, you can see it's hitting the firewall on the LAN interface from the correct internal guest IP address range. But you can see on the logs it's showing the destination as LAN too. I think this should be WAN.

Do I need to create some sort of rule so that anything coming from the guest network ranges should route to the WAN instead of trying to stay on the LAN interface for the source and destination? If so, how?


Thanks in advance.

distillednetwork
Contributor III

The easiest thing to do is to clone the policy you have for WAN -> LAN and create the new one as Guest WiFi -> LAN. Leave the VIP as the destination and it should work.
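
As an added example (not code from either reply), here is the FortiOS CLI form of the Guest WiFi -> LAN policy suggested above, together with the VIP setting the hairpin depends on: a VIP whose external interface is bound to the WAN only translates traffic that arrives on the WAN, so a cloned policy never matches guest traffic until the VIP's external interface is widened. Interface names, object names and all addresses below are assumed placeholders.

```text
# Added example, not from the thread. Assumed names: interfaces "wan1", "lan", "guest";
# VIP "vip-web"; address object "guest-subnet". All IP addresses are placeholders.
config firewall vip
    edit "vip-web"
        set extip 203.0.113.10
        set mappedip "10.0.10.20"
        # "any" (instead of "wan1") lets the VIP translate traffic entering from the guest
        # interface too; the translated packet is then routed to the server via "lan", which
        # is why the hairpin policy (and the traffic log) shows "lan" as the destination interface.
        set extintf "any"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

config firewall address
    edit "guest-subnet"
        set subnet 192.168.50.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "guest-to-web-hairpin"
        set srcintf "guest"
        set dstintf "lan"
        # keep source and service as tight as the WAN -> LAN policy; do not widen them to "all"
        set srcaddr "guest-subnet"
        set dstaddr "vip-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        # source NAT is only needed if the server's return path to the guest subnet would
        # otherwise bypass this FortiGate; with it enabled the server logs the firewall's
        # address (or the IP pool address) instead of the real guest client
        set nat enable
        set logtraffic all
    next
end
```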

alfa6
New Contributor

This doesn't work for me. I have the same problem.

firewall policy rule in place that allows anyone external to hit the external IP address and be NAT'd in to our internal service. The rule is setup like this:


Incoming Interface: WAN
Outgoing Interface: LAN
Destination: (Set as a virtual IP)
Services: HTTPS


Guests from another VLAN, which doesn't see the LAN, cannot access the web server from the internet.

We use two public IPs. One is for the NAT, the other is for all users accessing the internet from the Fortinet (configured as an IP pool). Guest users can resolve the external IP of the web server and can also ping it, but they need the right policy (loop back) for HTTP traffic. Thank you for your help.

I tried a Guest WIFI > LAN policy, but without success.

SOURCE: guests

OUTGOING INTERFACE: LAN

DESTINATION: VIP

NAT (with IP-POOL of users)

