ilmagnifico
New Contributor

Issue with a WireGuard server behind FortiGate

Hi,

I'm having an issue accessing a Mikrotik router, which is a WireGuard server, behind a FortiGate 60F.

The IP of the 60F is 192.168.113.1, the IP of the Mikrotik is 192.168.113.4, and the WireGuard port is 51820. I created a virtual IP on the FG:

SYSFW60F (WireGuard) # show
config firewall vip
    edit "WireGuard"
        set uuid f03ef9d2-b285-51ed-108d-f7e3e193c54a
        set extip xx.xx.xx.xx
        set mappedip "192.168.113.4"
        set extintf "wan1"
        set portforward enable
        set protocol udp
        set extport 51820
        set mappedport 51820
    next
end

 

 

Then a firewall rule with the virtual IP:

SYSFW60F (2) # show
config firewall policy
    edit 2
        set name "WireGuard"
        set uuid e023f12c-b1ce-51ed-67ea-7da8d93cead2
        set srcintf "wan1"
        set dstintf "internal"
        set action accept
        set srcaddr "all"
        set dstaddr "WireGuard"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

 

 

But I don't see any traffic using this rule, nor am I able to get the WireGuard handshake.

Any suggestions?

Thanks

3 REPLIES
abarushka
Staff

Hello,

 

In case NAT is not configured, you may consider collecting debug flow traces and trying to trigger the issue:

diagnose debug flow filter saddr <source IP address>

diagnose debug flow show function-name enable
diagnose debug flow trace start 10

diagnose debug enable

 

and traffic sniffer:

diagnose sniffer packet any 'host <source IP address>' 4 0 a

ilmagnifico

I'm behind a NAT, and I don't see any traffic in the logs. Any other suggestions?

Thanks

abarushka

Hello,

You may consider collecting debug flow traces, using the port as a filter, and trying to trigger the issue:

diagnose debug flow filter port 51820
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

 

and traffic sniffer:

diagnose sniffer packet any 'port 51820' 4 0 a
