Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

How to allow access from internal guest wifi to SSL VPN?


I have SSL VPN running on two wan addressees and this is working from the internet. I have also wifi guest network, this guest network should have access using Forticlient in SSL mode to connect to one of these WAN addresses, how to do this?

Now when I start the connection from Forticlient it stuck on 10% with error "The VPN server may be unreachable" 


7.2.8 firmware.

I have nothing in standard GUI logs so I think that is problem with routing or something which is first before firewall.

So I did a debug flow, with this result:



FGT # id=65308 trace_id=1147 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6,>x.x.x.85:443) tun_id= from Guest-WiFi. flag [S], seq 1667350216, ack 0, win 64240"
id=65308 trace_id=1147 func=init_ip_session_common line=6009 msg="allocate a new session-0639308c, tun_id="
id=65308 trace_id=1147 func=get_new_addr line=1205 msg="find DNAT: IP-y.y.y.30, port-443"
id=65308 trace_id=1147 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=126, len=58"
id=65308 trace_id=1147 func=get_new_addr line=1205 msg="find SNAT: IP-y.y.y.30(from IPPOOL), port-54905"
id=65308 trace_id=1147 func=fw_pre_route_handler line=180 msg="VIP-y.y.y.30:443, outdev-unknown"
id=65308 trace_id=1147 func=__ip_session_run_tuple line=3419 msg="DNAT x.x.x.85:443->y.y.y.30:443"
id=65308 trace_id=1147 func=vf_ip_route_input_common line=2611 msg="find a route: flag=84000000 gw-y.y.y.30 via root"
id=65308 trace_id=1147 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=126, len=58"
id=65308 trace_id=1147 func=fw_local_in_handler line=606 msg="iprope_in_check() check failed on policy 0, drop"

 - this is internal wifi guest

x.x.x.85:443 - this is an Natted provided by ISP additional ip address of wan interface (this IP is configured on Forticlients)

y.y.y.30:443 - this is ip address configured on the wan interface

and I have translation using VIP from secondary to first wan IP:


config firewall vip
    edit "SSLVPN_to_natted"
        set extip x.x.x.85
        set mappedip "y.y.y.30"
        set extintf "port24"
        set portforward enable
        set extport 443
        set mappedport 443


Ipv4 policy for natted incoming sslvpn traffic with VIP as destination:

config firewall policy
    edit 19
        set name "SSLVPN_to_natted"
        set srcintf "virtual-wan-link"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "SSLVPN_to_natted"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "Incoming SSL Traffic to natted wan address"

Guest-Wifi network have allowed on ipv4 policy port 443 to wan (wirtual-wan-link) interface.




Have you tried to enable the SSL VPN for the interested SSID?


- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

then I would have to change the forticlient configuration on each guest laptop.


You could use the same domain name that resolves in different IPs to avoid changing the configurations in FortiClient or set up two different VPN connections. It could be also a solution using hairpin NAT but I don't encourage using it, maybe this article or this other thread will help you.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

Hi @Tutek,


Why do you want guest wifi users to connect to the VPN if they are already behind the FortiGate? Why are you translating x.x.x.85:443 to y.y.y.30:443 since they are both IPs of the wan interface? 





This is wifi network for guest it would be unreasonable to give access on such a network to servers and other important equipment, this network is used by visitors who have ssl vpn accounts set up, and they are supposed to be able to log into our fortigate via dialup ssl vpn.

Our ISP, on the other hand, in addition to the wan connection address, has assigned us a pool of 8 routable addresses on another network assigned to the wan connection, one of these IP addresses is used to translate the public domain that is configured in forticlient. In case of future public IP change, so as not to have to change dozens of forticlient configurations all our forticlients are configured using domain name instead IP. This domain name is translated by our public dns to just this one public address, that's it.

Do you have any idea how to resolve this?


I don't have problem with DDNS why do you offer mi this solution?

I have a problem accessing on ssl vpn interface from internal network and with that I am looking for help.

New Contributor III

I would try the hairpinning NAT Firewall-Rule


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors