Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Multiple IP forwarding
Options
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Multiple IP forwarding
Multiple incoming static IPs @ WAN1, forwarding to specific servers. VIPs / VGroup / Port Forwarding set up (No NAT), and forwarding works internally using secondary IP (can connect to web server), but can't access from outside... times out. My experience with this is limited, so I am not prone to experiment too much.. ;)
Read somewhere that specifying a secondary IP on the WAN1 interface should not be necessary, is that true? That's the only idea I have left, so if that's not it, maybe someone can point me in the right direction..
Thanks!
CW Jones
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
cwjones wrote:Multiple incoming static IPs @ WAN1, forwarding to specific servers. VIPs / VGroup / Port Forwarding set up (No NAT), and forwarding works internally using secondary IP (can connect to web server), but can't access from outside... times out. My experience with this is limited, so I am not prone to experiment too much.. ;)
Read somewhere that specifying a secondary IP on the WAN1 interface should not be necessary, is that true? That's the only idea I have left, so if that's not it, maybe someone can point me in the right direction..
Thanks!
CW Jones
You do not need to specify secondary IP for VIP configuration. However you need to make sure that you have setup the policy from outside to inside. For the destination address, select the VIP that you have created.
YC
15 REPLIES 15
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
cwjones wrote:Multiple incoming static IPs @ WAN1, forwarding to specific servers. VIPs / VGroup / Port Forwarding set up (No NAT), and forwarding works internally using secondary IP (can connect to web server), but can't access from outside... times out. My experience with this is limited, so I am not prone to experiment too much.. ;)
Read somewhere that specifying a secondary IP on the WAN1 interface should not be necessary, is that true? That's the only idea I have left, so if that's not it, maybe someone can point me in the right direction..
Thanks!
CW Jones
You do not need to specify secondary IP for VIP configuration. However you need to make sure that you have setup the policy from outside to inside. For the destination address, select the VIP that you have created.
YC
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
The way to use multiple public IPs is to create a VIP for each and to create 'wan' -> 'internal' policies, one for each VIP. You could use a VIP group if all forwarded services ('service' field in the policy) are the same.
If I understand your post correctly you've done just this. How did you test it? Remember you cannot use ping to test a port-forwarding VIP, only the service on that port is serviced.
The FGT will proxy-arp for each VIP, and use the translation defined by it to source-NAT traffic in the other direction, from (internal) server to outside.
If you still have problems post the VIP config for one VIP and it's policy.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
As far as I can tell, yes, I have done the steps correctly.
Testing - I can reach the server from inside the lan using the public IP.. it is forwarded to that server. However from outside, I cannot (from my phone sans wifi, or from home).
I did create a Firewall Address policy -
Incoming - wan1
Source - all
Outgoing - internal
Destination - VIP Group
Schedule - always
Service - Service group (+HTTP / HTTPS/ SSH just in case)
Accept
Group elements are typically
VIP - WebAccess80
External - wan1
Type Static NAT
IP Range - public_IP
Mapped IP - 10.10.100.204
Port Forwarding checked
Protocol TCP
External service port 80 / 443 / 22 (separate VIPs)
Map to port 80 / 433 / 22
Created VIP Group from these to use in policy
I can post screen caps if that is preferable
Thanks!
CW
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Is your ISP allowing those ports inward? Try using port 65443 on the outside pointed to 443 on the inside. If that works, then it's your ISP. (https://your.domainname.com:65443)
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
I noted that as a possible issue as I was reading through posts.. Called Telepacific just to make sure, they assured me that they do not block anything coming in...
Nice to have a method to check it though - thanks!
CW
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
You could try to start a sniffer on the CLI and check what's happening.
diagnose sniffer packet any 'host <external_testing_ip>' 4
If you see the packet, your ISP is not blocking anything. Also you should see the forwarded packet with the destination ip translated to the internal ip defined in the VIP. If not, start a flow debug as described in this KB at step 4:
Maybe you can then post the output here on the forum, and disguise the external address
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Got sidetracked.. but thanks for the response. Output of these didn't tell me much (I'm no expert) do they need to run longer?
This is what I got with a short run on the sniffer - public ip 65.60.xx.xx
FG100DXXXXXXXXXX diagnose sniffer packet any '65.60.xx.xx' 4
30.237706 internal in 10.10.0.156.60476 -> 65.60.xxx.xx.443: psh 3935544879 ack 3549504294 30.238312 internal out 65.60.xxx.xx.443 -> 10.10.0.156.60476: ack 3935545140 30.238316 eth1 out 65.60.xxx.xx.443 -> 10.10.0.156.60476: ack 3935545140 30.294918 internal out 65.60.xxx.xx.443 -> 10.10.0.156.60476: psh 3549504294 ack 3935545140 30.294927 eth1 out 65.60.xxx.xx.443 -> 10.10.0.156.60476: psh 3549504294 ack 3935545140 30.297186 internal in 10.10.0.156.60476 -> 65.60.xxx.xx.443: 3935545140 ack 3549504384 30.297211 internal in 10.10.0.156.60476 -> 65.60.xxx.xx.443: psh 3935546600 ack 3549504384 30.391104 internal in 10.10.0.61.53627 -> 65.60.xxx.xx.443: psh 113730147 ack 2728317477 30.391133 internal out 65.60.xxx.xx.443 -> 10.10.0.156.60476: ack 3935546670 30.391136 eth1 out 65.60.xxx.xx.443 -> 10.10.0.156.60476: ack 3935546670 30.391146 internal out 65.60.xxx.xx.443 -> 10.10.0.156.60476: psh 3549504384 ack 3935546670 30.391150 eth1 out 65.60.xxx.xx.443 -> 10.10.0.156.60476: psh 3549504384 ack 3935546670 30.391160 internal out 65.60.xxx.xx.443 -> 10.10.0.156.60476: psh 3549504634 ack 3935546670 30.391163 eth1 out 65.60.xxx.xx.443 -> 10.10.0.156.60476: psh 3549504634 ack 3935546670 30.391174 internal out 65.60.xxx.xx.443 -> 10.10.0.156.60476: psh 3549505012 ack 3935546670 30.391176 eth1 out 65.60.xxx.xx.443 -> 10.10.0.156.60476: psh 3549505012 ack 3935546670 30.391726 internal in 10.10.0.156.60476 -> 65.60.xxx.xx.443: ack 3549505086 30.441700 internal in 10.10.0.62.12962 -> 65.60.xxx.xx.443: psh 2360887271 ack 2640936906 30.497741 internal out 65.60.xxx.xx.443 -> 10.10.0.61.53627: psh 2728317477 ack 113730408 30.497746 eth1 out 65.60.xxx.xx.443 -> 10.10.0.61.53627: psh 2728317477 ack 113730408 30.497763 internal out 65.60.xxx.xx.443 -> 10.10.0.62.12962: psh 2640936906 ack 2360887569 30.497767 eth1 out 65.60.xxx.xx.443 -> 10.10.0.62.12962: psh 2640936906 ack 2360887569 30.498054 internal in 10.10.0.62.12962 -> 65.60.xxx.xx.443: 2360887569 ack 2640936996 30.498074 internal in 10.10.0.62.12962 -> 65.60.xxx.xx.443: psh 2360889029 ack 2640936996 30.498216 internal in 10.10.0.61.53627 -> 65.60.xxx.xx.443: 113730408 ack 2728317567 30.498250 internal in 10.10.0.61.53627 -> 65.60.xxx.xx.443: psh 113731868 ack 2728317567 30.498310 internal out 65.60.xxx.xx.443 -> 10.10.0.62.12962: ack 2360889333 30.498313 eth1 out 65.60.xxx.xx.443 -> 10.10.0.62.12962: ack 2360889333 30.665865 internal out 65.60.xxx.xx.443 -> 10.10.0.61.53627: ack 113731970 30.665873 eth1 out 65.60.xxx.xx.443 -> 10.10.0.61.53627: ack 113731970 30.665892 internal out 65.60.xxx.xx.443 -> 10.10.0.61.53627: psh 2728317567 ack 113731970 30.665896 eth1 out 65.60.xxx.xx.443 -> 10.10.0.61.53627: psh 2728317567 ack 113731970 30.665908 internal out 65.60.xxx.xx.443 -> 10.10.0.61.53627: psh 2728317817 ack 113731970 30.665912 eth1 out 65.60.xxx.xx.443 -> 10.10.0.61.53627: psh 2728317817 ack 113731970 30.665925 internal out 65.60.xxx.xx.443 -> 10.10.0.61.53627: psh 2728318195 ack 113731970 30.665928 eth1 out 65.60.xxx.xx.443 -> 10.10.0.61.53627: psh 2728318195 ack 113731970 30.665941 internal out 65.60.xxx.xx.443 -> 10.10.0.62.12962: psh 2640936996 ack 2360889333 30.665943 eth1 out 65.60.xxx.xx.443 -> 10.10.0.62.12962: psh 2640936996 ack 2360889333 30.665954 internal out 65.60.xxx.xx.443 -> 10.10.0.62.12962: psh 2640937246 ack 2360889333 30.665957 eth1 out 65.60.xxx.xx.443 -> 10.10.0.62.12962: psh 2640937246 ack 2360889333 30.665968 internal out 65.60.xxx.xx.443 -> 10.10.0.62.12962: psh 2640937624 ack 2360889333 30.665971 eth1 out 65.60.xxx.xx.443 -> 10.10.0.62.12962: psh 2640937624 ack 2360889333 30.666087 internal in 10.10.0.61.53627 -> 65.60.xxx.xx.443: ack 2728318269 30.666120 internal in 10.10.0.62.12962 -> 65.60.xxx.xx.443: ack 2640937698
This is partial output from the flow trace - id=13 trace_id=96 msg="SNAT 10.10.0.204->65.60.xxx.xx:443" id=13 trace_id=97 msg="vd-root received a packet(proto=6, 10.10.0.204:443->10.10.0.1:49381) from internal." id=13 trace_id=97 msg="Find an existing session, id-22b498d9, reply direction" id=13 trace_id=97 msg="enter fast path" id=13 trace_id=97 msg="DNAT 10.10.0.1:49381->10.10.0.179:49381" id=13 trace_id=97 msg="SNAT 10.10.0.204->65.60.xxx.xx:443" id=13 trace_id=98 msg="vd-root received a packet(proto=6, 10.10.0.204:443->10.10.0.1:28603) from internal." id=13 trace_id=98 msg="Find an existing session, id-219f5f38, reply direction" id=13 trace_id=98 msg="enter fast path" id=13 trace_id=98 msg="DNAT 10.10.0.1:28603->10.10.0.179:49228" id=13 trace_id=98 msg="SNAT 10.10.0.204->65.60.xxx.xx:443" id=13 trace_id=99 msg="vd-root received a packet(proto=6, 10.10.0.204:443->10.10.0.1:49381) from internal." id=13 trace_id=99 msg="Find an existing session, id-22b498d9, reply direction" id=13 trace_id=99 msg="enter fast path" id=13 trace_id=99 msg="DNAT 10.10.0.1:49381->10.10.0.179:49381" id=13 trace_id=99 msg="SNAT 10.10.0.204->65.60.xxx.xx:443" id=13 trace_id=100 msg="vd-root received a packet(proto=6, 10.10.0.204:443->10.10.0.1:49658) from internal." id=13 trace_id=100 msg="Find an existing session, id-22b8a018, reply direction" id=13 trace_id=100 msg="enter fast path" id=13 trace_id=100 msg="DNAT 10.10.0.1:49658->10.10.0.7:49658" id=13 trace_id=100 msg="SNAT 10.10.0.204->65.60.xxx.xx:443
?? ideas
Thanks, Wes
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
.. forgot to mention - 10.10.0.204 is the internal target for the redirect 65.60.. -> 10.10.0.204 ports 80,443
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
All these traces are for traffic from internal server to WAN (right?). Could you please post a 'diag deb flow' for real traffic, WAN to internal server?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- fortimanager template override 65 Views
- #FortiPAM Launcher Multi-Port Configuration 108 Views
- FortiAP-231G intermittently goes offline. 84 Views
- FortiSandbox File On-Demand 122 Views
- FortiGate Firewall Can Sending Logs to... 126 Views
Labels
-
FortiGate
8,372 -
FortiClient
1,692 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
536 -
FortiSwitch
452 -
FortiAP
447 -
6.0
416 -
FortiClient EMS
395 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
208 -
5.0
196 -
FortiWeb
195 -
IPsec
179 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
105 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
82 -
Customer Service
76 -
Wireless Controller
76 -
Firewall policy
68 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
51 -
Fortivoice
50 -
FortiEDR
50 -
High Availability
50 -
vlan
47 -
ZTNA
45 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
Authentication
30 -
NAT
30 -
SSO
29 -
FortiConnect
27 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Application control
24 -
Logging
23 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
20 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
FortiGate v5.0
14 -
WAN optimization
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
Explicit proxy
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1634 | |
| 1063 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.