Explicit proxy - outgoing interface based on incoming IP
I have multiple public IPs that are all assigned to my WAN1 interface as secondary IPs. I would like to set up an explicit proxy such that if I connect to SecIP-A on port 12345, my public IP becomes one of the SecIPs (not specifically SecIP-A), and if I connect to SecIP-B on port 12345, my public IP becomes one of the SecIPs but not the same one as with SecIP-A.
Basically, the objective is that I'd like to browse the internet with all of my public IPs by setting an HTTP proxy, all of that from outside my local network. I describe my research and findings below; any help is appreciated to understand the issues better and potentially find a solution to achieve the objective. Thanks!
The setup that I initially tried was to configure the explicit proxy on WAN1 (with a whitelist of the allowed IPs to prevent anyone from using the proxy), and set all the SecIPs in an IP pool. Then my proxy policy uses outgoing source IP = the IP pool configuration. The problem is that somehow, no matter which SecIP I connect to, my public IP is always the same. My understanding is that since the public IP of my client is always the same no matter which SecIP:12345 I connect to, the IP pool overload mode will always assign me the same SecIP from the pool (https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/29961/dynamic-snat).
To work around the limitation of my client IP always being the same, an article suggested using loopback interfaces. So I created 192.168.3.45 and 192.168.3.46 as loopback interfaces and moved the explicit proxy to these instead of WAN1. Then I added virtual IPs to forward SecIP-A:12345 and SecIP-B:12345 to those loopback interfaces. Finally, I set up the firewall policies to accept connections on WAN1 -> loopback and NAT using the outgoing interface address, which in that case should be 192.168.3.45 for SecIP-B and 192.168.3.46 for SecIP-B.
However, the issue stays the same. Looking at the troubleshooting logs:
Explicit proxy: most IPs have been changed for privacy. 220.127.116.11 is my external client trying to access https://whatismyipaddress.com/
wad_http_conn_request_classify(14477): no security profile HTTPS/HTTP, tport=443
wad_fast_match_is_enable(3444): fast matching is enabled
wad_ippool_get_ip(473): clt:18.104.22.168 got ip:SecIP-C from ip pool, logic/phy intf(9/9)
From there, I understand that SecIP-A is assigned to my client directly without considering the loopback interface. SecIP-C is another public IP in the pool that has been chosen by the algorithm I guess - it's not assigned to any loopback interface at the moment.
id=20085 trace_id=10997 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=6, 22.214.171.124:64849->SecIP-A:12345) from port1. flag [.], seq 2729179222, ack 2785731966, win 2048"
id=20085 trace_id=10997 func=resolve_ip_tuple_fast line=5823 msg="Find an existing session, id-0002231b, original direction"
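For reference, here is one way to express the per-loopback layout described in the post in FortiOS CLI. This is an added illustration, not the poster's configuration: it assumes the WAN1 -> loopback firewall policy with NAT from the post is already in place, and uses the placeholders SECIP_A and "allowed-clients" for the secondary IP and whitelist object. Whether the source-address match in the proxy policy ever triggers is exactly the open question, since the debug line above shows the proxy seeing the un-NATed client address.

```fortios
# Added illustration (not the poster's config). SECIP_A is a placeholder
# for one WAN1 secondary IP; repeat the same set of objects for SecIP-B.
config system interface
    edit "lo-a"
        set type loopback
        set ip 192.168.3.45 255.255.255.255
        set explicit-web-proxy enable
    next
end
# Address object for the loopback, used to tell sessions apart by the
# NATed source they carry after the WAN1 -> lo-a policy
config firewall address
    edit "lo-a-ip"
        set subnet 192.168.3.45 255.255.255.255
    next
end
# Forward SecIP-A:12345 on WAN1 to the loopback where the proxy listens
config firewall vip
    edit "vip-a"
        set extip SECIP_A
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.3.45"
        set extport 12345
        set mappedport 12345
    next
end
# One pool per loopback; a disjoint range per pool also works
config firewall ippool
    edit "pool-a"
        set type overload
        set startip SECIP_A
        set endip SECIP_A
    next
end
# Separate proxy policy per loopback, each with its own pool
config firewall proxy-policy
    edit 0
        set proxy explicit-web
        set dstintf "wan1"
        set srcaddr "lo-a-ip"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set ippool enable
        set poolname "pool-a"
    next
end
```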