Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ICTServices
New Contributor

Issue with Virtual IPs

I have a complex setup (with multiple levels of NAT), but put simply, my problem is this: When I create a Virtual IP for a server on the LAN (to allow incoming connections from a trusted partner network), that same Virtual IP seems to be used for all outgoing traffic from that server to the internet. My provider's firewall only allows outbound traffic from our firewall, and so connectivity is blocked. Is it normal behaviour for a Virtual IP to be applied to outgoing traffic as well as incoming, or is there a setting I've missed that prevents this?
goftari

Okay! I won't cross-post again! I have dozens of Virtual IPs (Destination NATs) for dozens of my Intranet IP addresses and their ports mapped to dozens of my DMZ servers and their ports, and I have just one single policy to allow the traffic from all sources coming from my Intranet interface going through the DMZ interface with a destination of all the Virtual IPs defined. Source NATing for the reply traffic takes place correctly via the Virtual IPs defined for Destination NATing. The problem is that I cannot force the reply traffic through the Intranet interface, as it has a destination address on the Internet, without having a default route to my Intranet gateway. (I'm not a native English speaker, excuse me for my grammar and choice of words.)
ede_pfau
SuperUser

I can understand you loud and clear. Could you please post the policy in question (from the console, 'conf fire policy / edit <n>')? How do you fit all VIPs into one policy - via a VIP group?
Ede Kernel panic: Aiee, killing interrupt handler!
goftari

No, I didn't use VIP Groups:

config firewall policy
    edit 2
        set srcintf "port4"    # Intranet interface
        set dstintf "port2"    # DMZ interface
        set srcaddr "all"
        set dstaddr "VIP#1" "VIP#2" "VIP#3" "VIP#4" "VIP#5" "VIP#6"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
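For readers who want to see what the objects referenced in "set dstaddr" above look like, here is an added example (not from this thread and not the poster's own configuration) of how a destination-NAT VIP with port forwarding is defined on a FortiGate, in the pattern goftari describes: an Intranet-facing IP and port mapped to a DMZ server and port. The object names, interface roles and all IP addresses are constructed assumptions.

```fortios
# Constructed example: two port-forwarding VIPs on the Intranet interface (port4),
# each mapping an Intranet-side address:port to a DMZ server:port.
config firewall vip
    edit "VIP#1"
        set extintf "port4"          # interface the Intranet traffic arrives on (assumed)
        set extip 10.10.10.201       # constructed Intranet-side address
        set mappedip "172.16.1.10"   # constructed DMZ server address
        set portforward enable
        set extport 443
        set mappedport 443
    next
    edit "VIP#2"
        set extintf "port4"
        set extip 10.10.10.202
        set mappedip "172.16.1.11"
        set portforward enable
        set extport 3389
        set mappedport 3389
    next
end
```

The firewall policy then lists these VIP names in "set dstaddr", exactly as in the policy above, and the FortiGate builds its NAT table entry from the VIP when the Intranet-to-DMZ session is created; reply traffic for that session follows the NAT table back out of port4. Traffic that did not enter through a VIP (the web requests discussed later in the thread) has no such entry and is routed purely by the routing table.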
ede_pfau
SuperUser

I've looked it up in your other post, which had all the details. The source of your trouble is the way the web requests are routed to your intranet gateway. Solution: the gateway (10.10.10.150) should source NAT this traffic to its interface address (10.10.10.150) before routing it to your intranet interface.
Ede Kernel panic: Aiee, killing interrupt handler!
goftari

I agree. But we don't have access to the Intranet gateway 10.10.10.150. Isn't there any other way? I'm not familiar with the Fortigate device, but we had it working on our Mikrotik RB1000.
ede_pfau
SuperUser

No, I don't think there is a way to do it on the FGT alone. The routing just isn't correct. The VIP (internal NAT table) will take care of the Intranet-to-DMZ traffic and route it back to the right interface, but not web requests... Could you set up a VIP only for the web traffic from Intranet? That is, on your intranet the default route would point to this VIP and not to 10.10.10.146. This way, the FGT could keep track of the ingress interface. But again, this is patch work. One other point is that the FGT will discard all traffic for which there is no route. For unknown addresses, it will use the default route. If such traffic enters on the intranet interface but the default route points to the WAN interface, it will be discarded for security reasons.
Ede Kernel panic: Aiee, killing interrupt handler!
goftari

On Mikrotik we could have static routes for specific packets having some routing mark which can be set using mangles. Then, I could create a mangle in the prerouting chain to mark packets with a source address of the Intranet interface with a routing mark of to_Intranet, so I could have a default route to send all the traffic with the to_Intranet routing mark through that. You mean I can't achieve this on Fortigate in any way? P.S. I do really appreciate your time and consultancy up to this point; so please let me know if you're done with this thread, if so I'll take my chance by posting my last question as a new thread. Thanks Ede. May I use DSCP to mark the incoming traffic from the Intranet interface to go back through it?
ede_pfau
SuperUser

I don't know of any feature you could use to mimic the MT router behavior. The FGT is a very versatile firewall, but there are limits. What do you think about my suggestion (second paragraph in my last post)? Could you try that?
Ede Kernel panic: Aiee, killing interrupt handler!
goftari

Actually, I didn't get it. Could you please be more specific and clarify it for me? Thanks.
ede_pfau
SuperUser

Em, yes, I was just brain-storming myself. Don't think it would work. The key concept is that if traffic uses a VIP, the return path is determined through the NAT table. The ingress web traffic doesn't use any VIP on the FGT, and accordingly there must be a default route pointing to the intranet interface. My idea was: can you think of a way to make web requests use a VIP, assuming at present they do not, they use the interface IP address.
Ede Kernel panic: Aiee, killing interrupt handler!