Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: How to allow access from internal guest wifi t...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to allow access from internal guest wifi to SSL VPN?
Hi,
I have SSL VPN running on two wan addressees and this is working from the internet. I have also wifi guest network, this guest network should have access using Forticlient in SSL mode to connect to one of these WAN addresses, how to do this?
Now when I start the connection from Forticlient it stuck on 10% with error "The VPN server may be unreachable"
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
7.2.8 firmware.
I have nothing in standard GUI logs so I think that is problem with routing or something which is first before firewall.
So I did a debug flow, with this result:
FGT # id=65308 trace_id=1147 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 172.16.0.29:54905->x.x.x.85:443) tun_id=0.0.0.0 from Guest-WiFi. flag [S], seq 1667350216, ack 0, win 64240"
id=65308 trace_id=1147 func=init_ip_session_common line=6009 msg="allocate a new session-0639308c, tun_id=0.0.0.0"
id=65308 trace_id=1147 func=get_new_addr line=1205 msg="find DNAT: IP-y.y.y.30, port-443"
id=65308 trace_id=1147 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=126, len=58"
id=65308 trace_id=1147 func=get_new_addr line=1205 msg="find SNAT: IP-y.y.y.30(from IPPOOL), port-54905"
id=65308 trace_id=1147 func=fw_pre_route_handler line=180 msg="VIP-y.y.y.30:443, outdev-unknown"
id=65308 trace_id=1147 func=__ip_session_run_tuple line=3419 msg="DNAT x.x.x.85:443->y.y.y.30:443"
id=65308 trace_id=1147 func=vf_ip_route_input_common line=2611 msg="find a route: flag=84000000 gw-y.y.y.30 via root"
id=65308 trace_id=1147 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=126, len=58"
id=65308 trace_id=1147 func=fw_local_in_handler line=606 msg="iprope_in_check() check failed on policy 0, drop"
172.16.0.0 - this is internal wifi guest
x.x.x.85:443 - this is an Natted provided by ISP additional ip address of wan interface (this IP is configured on Forticlients)
y.y.y.30:443 - this is ip address configured on the wan interface
and I have translation using VIP from secondary to first wan IP:
config firewall vip
edit "SSLVPN_to_natted"
set extip x.x.x.85
set mappedip "y.y.y.30"
set extintf "port24"
set portforward enable
set extport 443
set mappedport 443
next
Ipv4 policy for natted incoming sslvpn traffic with VIP as destination:
config firewall policy
edit 19
set name "SSLVPN_to_natted"
set srcintf "virtual-wan-link"
set dstintf "virtual-wan-link"
set action accept
set srcaddr "all"
set dstaddr "SSLVPN_to_natted"
set schedule "always"
set service "ALL"
set logtraffic all
set comments "Incoming SSL Traffic to natted wan address"
nextGuest-Wifi network have allowed on ipv4 policy port 443 to wan (wirtual-wan-link) interface.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried to enable the SSL VPN for the interested SSID?
- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
then I would have to change the forticlient configuration on each guest laptop.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use the same domain name that resolves in different IPs to avoid changing the configurations in FortiClient or set up two different VPN connections. It could be also a solution using hairpin NAT but I don't encourage using it, maybe this article or this other thread will help you.
- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Tutek,
Why do you want guest wifi users to connect to the VPN if they are already behind the FortiGate? Why are you translating x.x.x.85:443 to y.y.y.30:443 since they are both IPs of the wan interface?
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is wifi network for guest it would be unreasonable to give access on such a network to servers and other important equipment, this network is used by visitors who have ssl vpn accounts set up, and they are supposed to be able to log into our fortigate via dialup ssl vpn.
Our ISP, on the other hand, in addition to the wan connection address, has assigned us a pool of 8 routable addresses on another network assigned to the wan connection, one of these IP addresses is used to translate the public domain that is configured in forticlient. In case of future public IP change, so as not to have to change dozens of forticlient configurations all our forticlients are configured using domain name instead IP. This domain name is translated by our public dns to just this one public address, that's it.
Do you have any idea how to resolve this?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use dynamic DNS. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-Dynamic-DNS-Fortigate/ta-...
Regards,
Created on 05-23-2024 02:58 AM Edited on 05-23-2024 03:01 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't have problem with DDNS why do you offer mi this solution?
I have a problem accessing on ssl vpn interface from internal network and with that I am looking for help.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would try the hairpinning NAT Firewall-Rule
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,738 -
FortiClient
1,775 -
5.2
801 -
FortiManager
736 -
5.4
639 -
FortiAnalyzer
562 -
FortiSwitch
476 -
FortiAP
474 -
FortiClient EMS
436 -
6.0
416 -
5.6
362 -
FortiMail
320 -
6.2
251 -
SSL-VPN
248 -
FortiAuthenticator v5.5
234 -
IPsec
212 -
FortiWeb
206 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
117 -
FortiAuthenticator
105 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
84 -
Customer Service
80 -
Wireless Controller
80 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiGate-VM
18 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSoar
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1732 | |
| 1106 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.