Hi everyone,
I am relatively new to Forti and to networking in general, and I have one problem I can't wrap my head around.
On a FortiGate 100F I have two WAN interfaces enabled with different public subnets.
WAN1 is my primary interface, with the default route for my internal users to reach the internet.
WAN2 is the interface I intend to use for publishing web services.
I created a virtual server with WAF for that purpose and pointed it to WAN2.
When I try to access the web service from outside my local network it works like a charm, but users in the internal network can't access those web services.
The domain on which this web service is published is public, and the DNS records are held by a 3rd-party registrar.
I don't have split DNS in the local network to be able to send internal traffic directly to the local IP of my web server.
So far I tried to add a second default route for WAN2 with a higher administrative distance, and I tried to configure PBR, but with no luck (maybe I'm not doing it right).
Is PBR the solution to my problem at all?
BR
@zao_gnom
You may want to use the hairpin feature to access your internal web server from internal users using the WAN2 IP address. Check this link for more info:
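For readers who want to see what the suggested hairpin setup looks like in the CLI, the following is an added example, not configuration from the original post or from Fortinet's KB article. The interface names (`internal`, `wan2`), the public VIP address 198.51.100.10, the real server 10.10.10.20, the VIP name `web-vs`, and the use of a plain HTTP load-balance virtual server (the original poster's HTTPS/WAF settings are left out) are all assumptions for illustration. The two points that make hairpinning work are that the VIP's external interface is set to `any` so it also matches traffic arriving on the internal interface, and that the internal-to-internal policy has NAT enabled so the server's replies return through the FortiGate instead of going straight back to the client with the wrong source address.

```fortios
# Added example: virtual server reachable from internal users via its public IP.
# Names, addresses and ports below are assumed; adjust to your environment.

config firewall vip
    edit "web-vs"
        # Load-balance virtual server (what the GUI calls a "virtual server")
        set type server-load-balance
        # Public IP that external DNS resolves to (assumed)
        set extip 198.51.100.10
        # "any" so the VIP matches on the internal interface too, not only wan2
        set extintf "any"
        set server-type http
        set extport 80
        set ldb-method static
        config realservers
            edit 1
                # Real web server on the LAN (assumed)
                set ip 10.10.10.20
                set port 80
            next
        end
    next
end

config firewall policy
    # Existing publishing policy: internet -> wan2 -> virtual server (unchanged idea)
    edit 0
        set name "publish-web-wan2"
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-vs"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
    # Hairpin policy: LAN client -> public VIP address -> same LAN server.
    # Source and destination interface are both the internal interface.
    # NAT is enabled so the server sees the FortiGate as the source and
    # its reply comes back through the FortiGate to be un-DNATed.
    edit 0
        set name "hairpin-web-internal"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-vs"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat enable
    next
end
```

After applying this, `diagnose sniffer packet any 'host 198.51.100.10' 4` while an internal client connects should show the SYN arriving on the internal interface, and the session table (`diagnose sys session list`) should show both DNAT to 10.10.10.20 and SNAT to the FortiGate's internal address for that flow. If the session shows DNAT but no SNAT, the hairpin policy matched without `set nat enable` and the server's replies will bypass the FortiGate.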
Regarding this topic, I have one more question. The hairpin feature is working as expected, and users on the local network can access the web services. However, I now have a few users connecting via VPN. When the VPN is turned off they can access the web services normally, because they connect directly to the WAN interface where the services are published, but when they establish a VPN connection they can no longer access those same web services. I tried creating another firewall policy, but when I select the incoming interface to be the "SSL-VPN tunnel interface (ssl.root)", I can't select the virtual servers because they don't appear in the list at all.
SD-WAN uses the specified algorithm to determine which SD-WAN member to use.
If you want specific destinations to use a specific WAN in SD-WAN, you may need to create an SD-WAN rule for them and make sure it comes above all other matching rules, because, like policies, SD-WAN rules match top-down and the first match "wins".
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
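As an added illustration of the rule-ordering point in the reply above (this is not configuration from the original thread), the following pins traffic destined for the published virtual server's public address to the WAN2 member and moves that rule to the top of the SD-WAN rule list. The member sequence number `2` for wan2, the rule ID `10`, the address object `web-vs-public` for 198.51.100.10, and the existing rule ID `1` are all assumptions for the example.

```fortios
# Added example: SD-WAN rule forcing traffic to the published service out WAN2.
# Member sequence numbers, rule IDs and the address object are assumed.

config firewall address
    edit "web-vs-public"
        # Public IP of the virtual server (assumed)
        set subnet 198.51.100.10 255.255.255.255
    next
end

config system sdwan
    config service
        edit 10
            set name "web-service-via-wan2"
            # Manual mode: always use the listed member, no SLA/quality selection
            set mode manual
            set dst "web-vs-public"
            # seq-num of the wan2 member under "config members" (assumed to be 2)
            set priority-members 2
        next
        # SD-WAN rules match top-down; move this rule above the existing rule 1
        # so a broader rule (for example a catch-all to WAN1) cannot win first.
        move 10 before 1
    end
end
```

To confirm the ordering and the match, `diagnose sys sdwan service` lists the rules in evaluation order with their selected member, and `diagnose sys sdwan service 10` shows the specific rule; traffic from the SSL-VPN clients to 198.51.100.10 should then be steered to wan2 regardless of where the default route points.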
Thank you @xshkurti @GauravPandya, that is the solution.
Copyright 2024 Fortinet, Inc. All Rights Reserved.