Support Forum
metzler000
New Contributor

Hairpin NAT with DHCP WAN address

We have an app we're developing.  The app gets data from https://www.mywebsite.com.  This website is located internally on our network and uses a VIP to change from 443 to our internal port.  Our external WAN address is a DHCP address.  We don't need a static IP because the app is just in development and our IP hardly ever changes.  If the app is on a phone using a phone network it can reach the internal server fine, but when we test it internally it can't connect to the server.  I've watched some videos and read some docs, but their solutions just don't work.  I'm running a 61f with 7.2.5 on it.  Any experts have any ideas on how to make this work?

3 Replies
saneeshpv_FTNT

Hi,

If you are connecting internally, why do you go via the DHCP WAN IP? Instead, you could resolve this directly to the internal server IP, right?

Anyway, the first thing you need to check is whether the internal DNS server resolves this name https://www.mywebsite.com to your DHCP WAN IP or to your actual internal server IP. If the resolution is fine, then you need a firewall policy from internal to internal to allow this communication, where the destination is the VIP and the source is your internal network. The VIP should be configured with the interface set as "ANY".


Best Regards,

srajeswaran
Staff

Can you check these:

This article describes how to manipulate the outbound DNS reply when both the DNS server and the resolved IP are in the LAN.


https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-use-the-DNS-translation-feature/ta...
https://community.fortinet.com/t5/FortiGate/Technical-Note-Manipulating-DNS-replies-through-the-Fort...

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Emma02
New Contributor II

It seems like you're encountering an issue where internal clients can't connect to an internal server using its external address. Implementing Hairpin NAT can solve this. On your router/firewall (with version 7.2.5), you'll need to create a NAT rule that translates the source and destination address for internal clients attempting to access the server via the external DHCP WAN address. This will allow internal clients to use the external URL, redirecting the traffic back to the internal server, thereby solving your connectivity issue.

Emma Wilson
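Putting saneeshpv's steps and the hairpin NAT that Emma describes into FortiOS CLI form, as an added example that is not taken from any of the replies: the VIP is bound to interface "any", the policy runs from the internal interface back to the internal interface with the VIP as its destination, and source NAT is enabled on that policy so the server's reply goes back through the FortiGate instead of straight to a client sitting on the same subnet (the client would otherwise drop a reply coming from an address it never sent to). The object names, the WAN address 203.0.113.10, the server address 10.0.0.10, the interface name "internal" and the mapped port 8443 are placeholders, not values from the thread.

```fortios
# Hairpin NAT for an internally hosted site reached via the WAN address.
# All addresses, names and ports below are placeholders.

config firewall vip
    edit "vip-mywebsite-443"
        # extip is the current DHCP WAN address; it must be a fixed value here
        set extip 203.0.113.10
        # "any" lets the VIP match on the internal interface as well as the WAN
        set extintf "any"
        set portforward enable
        set mappedip "10.0.0.10"
        set extport 443
        set mappedport 8443
    next
end

config firewall policy
    edit 0
        set name "hairpin-internal-to-vip"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-mywebsite-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        # source NAT: replies from 10.0.0.10 return via the FortiGate
        set nat enable
    next
end
```

Because the WAN address is handed out by DHCP, the extip in the VIP is a snapshot: if the lease ever changes, this entry stops matching and has to be updated, which is why resolving www.mywebsite.com directly to the internal server IP (saneeshpv's first suggestion) or rewriting the DNS reply on the FortiGate (the articles Suraj links) avoids the problem entirely. With the hairpin in place, internal connections appear to the server as coming from the FortiGate's internal interface address, so the web server's logs will no longer show the real client IP for those sessions.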