zao_gnom
New Contributor

Internal users can't reach web service on WAN2 interface

Hi everyone,

I am relatively new to Forti and networking in general, and I have one problem I can't wrap my head around.

On a FortiGate 100F I have two WAN interfaces enabled with different public subnets.

WAN1 is my primary interface with the default route for my internal users to go to the internet.

WAN2 is the interface I intend to use for publishing web services.

I created a virtual server with WAF for that purpose and pointed it to WAN2.

When I try to access the web service from outside my local network it works like a charm, but users in the internal network can't access those web services.

The domain on which this web service is published is public, and the DNS records are held by a 3rd-party registrar.

I don't have split DNS in the local network to be able to send internal traffic directly to the local IP of my web server.

So far I tried to add a second default route for WAN2 with a higher administrative distance, and I tried to configure PBR, but with no luck (maybe I'm not doing it right).

Is PBR the solution at all for my problem?

BR

2 Solutions
xshkurti
Staff

@zao_gnom 
You may want to use the hairpin NAT feature to access your internal web server from internal users using the WAN2 IP address. Check this link for more info:

Configuring Hairpin NAT (VIP) - Fortinet Community

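As an added example (not from the reply above or the linked Community article), this FortiOS CLI sketch shows the two objects hairpin NAT needs for the scenario in the question: a VIP for the WAN2 address that also matches on the LAN interface, and a LAN-to-LAN policy with source NAT so the server's replies return through the FortiGate. The interface name "internal", the WAN2 address 203.0.113.10 and the server address 192.168.10.20 are assumed placeholders; the question's WAF virtual server is a server-load-balance VIP, and a plain port-forward VIP is used here for brevity.

```fortios
# Added example, not configuration from the thread. Assumed placeholders:
#   "internal"     = LAN interface the users and the web server sit behind
#   203.0.113.10   = public IP on wan2 that the public DNS record points to
#   192.168.10.20  = web server's private address
config firewall vip
    edit "vip-web-wan2-hairpin"
        set extip 203.0.113.10
        # "any" instead of "wan2": the request from a LAN user arrives on
        # the LAN interface, so the VIP must be allowed to match there too
        set extintf "any"
        set mappedip "192.168.10.20"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end
config firewall policy
    edit 0
        set name "lan-hairpin-web"
        # same interface in and out: LAN client to LAN server via the VIP
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-web-wan2-hairpin"
        set action accept
        set schedule "always"
        set service "HTTPS"
        # source NAT is the part that makes hairpinning work: without it the
        # server replies straight to the client on the shared subnet, the
        # FortiGate never sees the return packet and the session breaks
        set nat enable
        set logtraffic all
    next
end
```

Keep the existing wan2-to-server policy for external clients; this policy only adds the internal path, and narrowing srcaddr to the user subnets and keeping the WAF profile on both policies is the safer choice.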

GauravPandya
New Contributor III

6 REPLIES
romenren
New Contributor

When you say Unifi self-hosting, you're running the controller in a VM and not on UBNT hardware? I thought all new gateways had the appliance installed and the USG-4P was the last externally controllable gateway. If that's not the case, time for me to upgrade to the Max.

zao_gnom

@xshkurti 

Regarding this topic, I have one more question. The hair-pin feature is working as expected, and users on the local network can access the web services. However, I now have a few users connecting via VPN. When the VPN is turned off, they can normally access the web services because they connect directly to the WAN interface where services are published, but when they establish a VPN connection, they can no longer access those same web services. I tried creating another firewall policy, but when I select the incoming interface to be the "SSL-VPN tunnel interface (ssl.root)", I can't select the virtual servers because they don't appear in the list at all.

GauravPandya
New Contributor III

sw2090
SuperUser

SD-WAN uses the specified algorithm to determine which SD-WAN member to use.

If you want specific destinations to use a specific WAN in SD-WAN, you may need to create an SD-WAN rule for them and make sure it comes above all other matching rules, because, like policies, SD-WAN rules match top-down and the first match "wins".

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
zao_gnom
New Contributor

Thank you @xshkurti @GauravPandya, that is the solution.
