Hello everyone,
I have a multiple public IPs that are all assigned to my WAN1 interface as secondary IPs. I would like setup an explicit proxy such that if I connect to SecIP-A on port 12345, my public IP becomes one of the SecIPs (not specifically SecIP-A). And if I connect to SecIP-B on port 12345, my public IP becomes one of the SecIPs but not the same as with SecIP-A.
Basically the objective is that I'd like to browse internet with all of my public IPs by setting an HTTP proxy, all of that from outside my local network. I describe my research and findings below, any help is appreciated to understand better the issues and potentially finding a solution to achieve the objective. Thanks!
Initial setup
The setup that I initially tried was to configure the explicit proxy on WAN1 (with a whitelist on the allowed IPs to prevent anyone to use the proxy), and set all the SecIPs in an IP Pool. Then my Proxy Policy uses the outgoing source ip = the IP pool configuration. The problem is that somehow no matter which Sec-IP I connect to, my public IP would always be the same. My understanding is that since the public IP of my client is always the same no matter which SecIP:12345 I connect to, the IP pool overload mode will always assign me the same SecIP from the pool (https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/29961/dynamic-snat)
Second setup
To work around the limitation of my client IP always being the same, an article suggested to use loopback interfaces. So I created 192.168.3.45 and 192.168.3.46 as loopback interfaces and moved the explicit proxy to these instead of WAN1. Then I added the Virtual IPs to forward SecIP-A:12345 and SecIP-B:12345 to those loopback interfaces. Finally, I setup the firewall policies to accept connections on WAN1 -> Loopback and NAT by using the outgoing interface address, which in that case should be 192.168.3.45 for SecIP-B and 192.168.3.46 for SecIP-B.
However, the issue stays the same. Looking at the troubleshooting logs:
[ul]
From there, I understand that SecIP-A is assigned to my client directly without considering the loopback interface. SecIP-C is another public IP in the pool that has been chosen by the algorithm I guess - it's not assigned to any loopback interface at the moment.
[ul]
id=20085 trace_id=10997 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=6, 13.14.15.20:64849->SecIP-A:12345) from port1. flag [.], seq 2729179222, ack 2785731966, win 2048"
id=20085 trace_id=10997 func=resolve_ip_tuple_fast line=5823 msg="Find an existing session, id-0002231b, original direction"
id=20085 trace_id=10997 func=__ip_session_run_tuple line=3500 msg="DNAT SecIP-A:12345->192.168.3.45:12345"
id=20085 trace_id=10998 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=6, 192.168.3.45:12345-> 13.14.15.20:64849) from local. flag [.], seq 2785732036, ack 2729179257, win 222"
id=20085 trace_id=10998 func=resolve_ip_tuple_fast line=5823 msg="Find an existing session, id-0002231b, reply direction"
id=20085 trace_id=10998 func=__ip_session_run_tuple line=3486 msg="SNAT 192.168.3.45-> SecIP-A:12345"
id=20085 trace_id=10998 func=ipd_post_route_handler line=490 msg="out port1 vwl_zone_id 0, state2 0x0, quality 0.
But from the logs here, I understand that the DNAT/SNAT is properly done between the client IP, the SecIP, and the loopback interface.
I didn't include the logs for SecIP-B but it's the exact same results.
[ul]
References (some of them):
https://forum.fortinet.com/tm.aspx?m=146710&high=explicit+proxy
https://socpuppet.blogspot.com/2017/08/fortigate-explicit-proxy-with.html
http://socpuppet.blogspot.com/2017/08/turn-around-explicit-proxy-on.html
https://forum.fortinet.com/tm.aspx?m=189456&high=explicit+proxy
I'm not experienced with Fortigate devices so feel free to challenge my conclusions - I likely missed some elements. Thank you everyone in advance for your help!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.