Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dmvssrte
New Contributor

Created on ‎06-19-2021 12:53 PM

Explicit proxy - outgoing interface based on incoming IP

Hello everyone,

 

I have a multiple public IPs that are all assigned to my WAN1 interface as secondary IPs. I would like setup an explicit proxy such that if I connect to SecIP-A on port 12345, my public IP becomes one of the SecIPs (not specifically SecIP-A). And if I connect to SecIP-B on port 12345, my public IP becomes one of the SecIPs but not the same as with SecIP-A.

Basically the objective is that I'd like to browse internet with all of my public IPs by setting an HTTP proxy, all of that from outside my local network. I describe my research and findings below, any help is appreciated to understand better the issues and potentially finding a solution to achieve the objective. Thanks!

 

Initial setup

The setup that I initially tried was to configure the explicit proxy on WAN1 (with a whitelist on the allowed IPs to prevent anyone to use the proxy), and set all the SecIPs in an IP Pool. Then my Proxy Policy uses the outgoing source ip = the IP pool configuration. The problem is that somehow no matter which Sec-IP I connect to, my public IP would always be the same. My understanding is that since the public IP of my client is always the same no matter which SecIP:12345 I connect to, the IP pool overload mode will always assign me the same SecIP from the pool (https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/29961/dynamic-snat)

 

Second setup

To work around the limitation of my client IP always being the same, an article suggested to use loopback interfaces. So I created 192.168.3.45 and 192.168.3.46 as loopback interfaces and moved the explicit proxy to these instead of WAN1. Then I added the Virtual IPs to forward SecIP-A:12345 and SecIP-B:12345 to those loopback interfaces. Finally, I setup the firewall policies to accept connections on WAN1 -> Loopback and NAT by using the outgoing interface address, which in that case should be 192.168.3.45 for SecIP-B and 192.168.3.46 for SecIP-B.

However, the issue stays the same. Looking at the troubleshooting logs:

[ul]
  • Explicit proxy: most IPs have been changed for privacy. 13.14.15.20 is my external client trying to access [link]https://whatismyipaddress.com/[/link][/ul]

    

    wad_http_conn_request_classify(14477): no security profile HTTPS/HTTP, tport=443
    wad_fast_match_is_enable(3444): fast matching is enabled
    wad_fast_match_pol_array(3297): pol_id : 0 get_asyn_info status:1
    wad_http_request_policy_set(24677): match pid=270 policy-id=1 vd=0 in_if=9, out_if=9 13.14.15.20:12345 -> 172.217.194.157:443
    wad_http_conn_request_classify(14493): try to match HTTPS/HTTP/SSH with nport=443
    wad_http_conn_request_classify(14514): HTTP port[0]=80.
    wad_http_sec_proc_policy(24583): policy result:vf_id=0:0 sec_profile=0x7f5ec84255d8 set_cookie=0
    wad_http_check_special_request(23341): policy result:vf_id=0:0 special_type=0
    wad_ippool_get_ip(473): clt:13.14.15.20 got ip:SecIP-C from ip pool, logic/phy intf(9/9)
     
    From there, I understand that SecIP-A is assigned to my client directly without considering the loopback interface. SecIP-C is another public IP in the pool that has been chosen by the algorithm I guess - it's not assigned to any loopback interface at the moment.
     
    [ul]
  • Firewall logs[/ul]
    

    id=20085 trace_id=10997 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=6, 13.14.15.20:64849->SecIP-A:12345) from port1. flag [.], seq 2729179222, ack 2785731966, win 2048"
    

    id=20085 trace_id=10997 func=resolve_ip_tuple_fast line=5823 msg="Find an existing session, id-0002231b, original direction"
    

    id=20085 trace_id=10997 func=__ip_session_run_tuple line=3500 msg="DNAT SecIP-A:12345->192.168.3.45:12345"
    

     
    

    id=20085 trace_id=10998 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=6, 192.168.3.45:12345-> 13.14.15.20:64849) from local. flag [.], seq 2785732036, ack 2729179257, win 222"
    

    id=20085 trace_id=10998 func=resolve_ip_tuple_fast line=5823 msg="Find an existing session, id-0002231b, reply direction"
    

    id=20085 trace_id=10998 func=__ip_session_run_tuple line=3486 msg="SNAT 192.168.3.45-> SecIP-A:12345"
    

    id=20085 trace_id=10998 func=ipd_post_route_handler line=490 msg="out port1 vwl_zone_id 0, state2 0x0, quality 0.
    

     
    But from the logs here, I understand that the DNAT/SNAT is properly done between the client IP, the SecIP, and the loopback interface.
    I didn't include the logs for SecIP-B but it's the exact same results.
     
    [ul]
  • Conclusion: it looks like the explicit proxy will use the Client IP instead of the loopback interface IP in order to choose the IP to use from the IP pool. Does anyone know a workaround for that?[ul]
  • I was initially running on 6.4.2 and then moved on 6.4.6 (because of https://forum.fortinet.com/tm.aspx?m=189456&high=explicit+proxy) - my configuration works with neither[/ul][/ul]
     
    References (some of them):
    https://forum.fortinet.com/tm.aspx?m=146710&high=explicit+proxy
    https://socpuppet.blogspot.com/2017/08/fortigate-explicit-proxy-with.html
    http://socpuppet.blogspot.com/2017/08/turn-around-explicit-proxy-on.html
    https://forum.fortinet.com/tm.aspx?m=189456&high=explicit+proxy
     
    I'm not experienced with Fortigate devices so feel free to challenge my conclusions - I likely missed some elements. Thank you everyone in advance for your help!
    • 
					
				
			
			
				
			
			
				
			
			
			
			
			
			
		
    
		
		
	

	
	

    
	
				
		
			 
 
    

		
			
					
		
	
				
		
			
					
			
		
				
		
			
		
			
					
	
    
		
			
				
						
							Labels:
						
						
		
    
			
		
    
	
					
			
		
	
    

	

	

	

				
		
	
	

    
		
    
	
    
		
    
			
		
    
			
		
    
	
    
		
    
			
    
	
		
			
    
  2095

    
		
			
					
    
	
			
    
				
		
			
		
			
				
    
					
						
	
			0
		

	Kudos

					
				
    
			
			
		

	
		
    	
		
    
			
				
					
				
				
			
		
    
	
    
			
    
		

	

	

	

    

	

	

    
				
		
			
					
				
		
	
	

    
		
    
			
    
	
		
			
					
		
			
    
				
			
    
		
	
				
		
			
					
		
	
				
		
			
					
		
	
				
		
			
					
				
		
			
		
			
		
	
	

    
		
    
	
    
		
    
			
    
	
		
			
					
				
		
			
					
				
		
			
					
		
	
				
		
			
					
		
	
				
		
	
	

    
		
    
	
    

    
		
    
	

	

	



    
			
		
    
            
    
                
    
            
    
        

	
		
    
		
	

	

	
    
	
			
		

	

    
					
    
	
    
		
    
			
     
    
		
    
		
    
			
		
    
		
    
			
     
    
		
    
	
    

    
				
		
		
			
			
		
		
			
			
		
		
			
		
			
			
	
    
		0 REPLIES 0
	
    

		
		
			
			
			
					
	
			
    
			
    
			

    
	

	
		
    
			
    
			
	

	

		
    

	

	

	

	



	

	
    
		
		
	
    

	

	

    


			
				
    

	
			
				
    
					
						
    
							
		
    
			
    
	
			
				
					
				
				
			
		

    
		
    
	
							
    
								
								
							
    
							
    
								
    
	
									
								

    
							
    
						
    
					
				
    
			
		
	

    
			
		

	

	

				
		
		
			
		
	
	

    
		
    
			
    
	
		
			


 
    
   
    
     
     
    
     
    
       
     
    
     
    
       
     
    
     
    
   
    
 
    

		
			
     
    Labels
    
	
	
	
    
		
			
    
	
    
		
     
    
		
    
			
    
				
					
    
						
    
							
								
        
	
							
						
    
					
    
				
				
    
					
    
						
		
				
    
					
    
	
	

    
				
    
			
	
					
    
				
    
			
    
		
    
		
     
    
	
    

    
			
		
	
    

     
    
		
			
     
    Top Kudoed Authors
    

	

	

	

	
		
    
	 
	
	
	

    
	
	
    View all
    


     
    
		
	
	

    
		
    
	
    
		
    
			
		
    
	
    
		
    
			
    
	
		
			
    
	
    
		
    
			
    
	
		
			
		
	
	

    
		
    
	
    
		
    
			
    
	
		
			
     
     
     
      
     Broad. Integrated. Automated. 
    The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
     
     
     Social Media  
     
     
     Security Research  
     
     Company  
     
     
     News & Articles  
     
     Contact Us  
     
     
     
    

    
		
    
			
    Copyright  2024 Fortinet, Inc. All Rights Reserved.