Multiple incoming static IPs @ WAN1, forwarding to specific servers. VIPs / VGroup / Port Forwarding set up (No NAT), and forwarding works internally using secondary IP (can connect to web server), but can't access from outside... times out. My experience with this is limited, so I am not prone to experiment too much.. ;)
Read somewhere that specifying a secondary IP on the WAN1 interface should not be necessary, is that true? That's the only idea I have left, so if that's not it, maybe someone can point me in the right direction..
Thanks!
CW Jones
You do not need to specify secondary IP for VIP configuration. However you need to make sure that you have setup the policy from outside to inside. For the destination address, select the VIP that you have created.
YC
Should I be including any other parameters? This output looks more promising, the redirection shows up at least - I isolated it below..
-----------
diag debug enable
diag debug flow filter add 65.60.xx.xx
diag debug flow show console enable
diag debug flow trace start 100
----------
id=13 trace_id=990 msg="vd-root received a packet(proto=6, 10.10.0.22:65407->65.60.xx.xx:443) from internal."
id=13 trace_id=990 msg="Find an existing session, id-24148333, original direction"
id=13 trace_id=990 msg="enter fast path"
id=13 trace_id=990 msg="DNAT 65.60.xx.xx:443->10.10.0.204:443"
id=13 trace_id=990 msg="SNAT 10.10.0.22->10.10.0.1:65407"
id=13 trace_id=991 msg="vd-root received a packet(proto=6, 10.10.0.22:65405->65.60.xx.xx:443) from internal."
id=13 trace_id=991 msg="Find an existing session, id-2414832f, original direction"
id=13 trace_id=991 msg="enter fast path"
id=13 trace_id=991 msg="DNAT 65.60.xx.xx:443->10.10.0.204:443"
id=13 trace_id=991 msg="SNAT 10.10.0.22->10.10.0.1:65405"
id=13 trace_id=992 msg="vd-root received a packet(proto=6, 10.10.0.22:65406->65.60.xx.xx:443) from internal."
id=13 trace_id=992 msg="Find an existing session, id-24148332, original direction"
id=13 trace_id=992 msg="enter fast path"
id=13 trace_id=992 msg="DNAT 65.60.xx.xx:443->10.10.0.204:443"
id=13 trace_id=992 msg="SNAT 10.10.0.22->10.10.0.1:65406"
id=13 trace_id=993 msg="vd-root received a packet(proto=6, 10.10.0.22:65405->65.60.xx.xx:443) from internal."
id=13 trace_id=993 msg="Find an existing session, id-2414832f, original direction"
id=13 trace_id=993 msg="enter fast path"
id=13 trace_id=993 msg="DNAT 65.60.xx.xx:443->10.10.0.204:443"
id=13 trace_id=993 msg="SNAT 10.10.0.22->10.10.0.1:65405"
id=13 trace_id=994 msg="vd-root received a packet(proto=6, 10.10.0.22:65406->65.60.xx.xx:443) from internal."
id=13 trace_id=994 msg="Find an existing session, id-24148332, original direction"
id=13 trace_id=994 msg="enter fast path"
id=13 trace_id=994 msg="DNAT 65.60.xx.xx:443->10.10.0.204:443"
id=13 trace_id=994 msg="SNAT 10.10.0.22->10.10.0.1:65406"
id=13 trace_id=995 msg="vd-root received a packet(proto=6, 10.10.0.22:65290->65.60.xx.xx:443) from internal."
id=13 trace_id=995 msg="no session matched"
id=13 trace_id=996 msg="vd-root received a packet(proto=6, 10.10.0.134:65180->65.60.xx.xx:443) from internal."
id=13 trace_id=996 msg="Find an existing session, id-23c3c50b, original direction"
id=13 trace_id=996 msg="enter fast path"
id=13 trace_id=996 msg="DNAT 65.60.xx.xx:443->10.10.0.204:443"
id=13 trace_id=996 msg="SNAT 10.10.0.134->10.10.0.1:65180"
id=13 trace_id=997 msg="vd-root received a packet(proto=6, 10.10.0.22:65291->65.60.xx.xx:443) from internal."
id=13 trace_id=997 msg="no session matched"
id=13 trace_id=998 msg="vd-root received a packet(proto=6, 10.10.0.22:65406->65.60.xx.xx:443) from internal."
id=13 trace_id=998 msg="Find an existing session, id-24148332, original direction"
id=13 trace_id=998 msg="enter fast path"
id=13 trace_id=998 msg="DNAT 65.60.xx.xx:443->10.10.0.204:443"
id=13 trace_id=998 msg="SNAT 10.10.0.22->10.10.0.1:65406"
id=13 trace_id=999 msg="vd-root received a packet(proto=6, 10.10.0.22:65405->65.60.xx.xx:443) from internal."
id=13 trace_id=999 msg="Find an existing session, id-2414832f, original direction"
id=13 trace_id=999 msg="enter fast path"
id=13 trace_id=999 msg="DNAT 65.60.xx.xx:443->10.10.0.204:443"
id=13 trace_id=999 msg="SNAT 10.10.0.22->10.10.0.1:65405"
id=13 trace_id=1000 msg="vd-root received a packet(proto=6, 10.10.0.22:65406->65.60.xx.xx:443) from internal."
id=13 trace_id=1000 msg="Find an existing session, id-24148332, original direction"
id=13 trace_id=1000 msg="enter fast path"
id=13 trace_id=1000 msg="DNAT 65.60.xx.xx:443->10.10.0.204:443"
id=13 trace_id=1000 msg="SNAT 10.10.0.22->10.10.0.1:65406"
Thx, WJ
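A small parser for the "diag debug flow" output pasted above, added here as an example and not part of the thread: it groups the lines by trace_id, pulls out the ingress interface, the DNAT target and the SNAT address, and reports which interfaces the captured packets actually arrived on. The sample lines are a constructed subset in the same format, with the public IP masked as in the post.

```python
import re
from collections import OrderedDict

# Constructed sample in the format of the flow trace quoted above (subset).
SAMPLE_TRACE = '''
id=13 trace_id=990 msg="vd-root received a packet(proto=6, 10.10.0.22:65407->65.60.xx.xx:443) from internal."
id=13 trace_id=990 msg="Find an existing session, id-24148333, original direction"
id=13 trace_id=990 msg="enter fast path"
id=13 trace_id=990 msg="DNAT 65.60.xx.xx:443->10.10.0.204:443"
id=13 trace_id=990 msg="SNAT 10.10.0.22->10.10.0.1:65407"
id=13 trace_id=995 msg="vd-root received a packet(proto=6, 10.10.0.22:65290->65.60.xx.xx:443) from internal."
id=13 trace_id=995 msg="no session matched"
'''

LINE_RE = re.compile(r'trace_id=(\d+)\s+msg="([^"]*)"')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')
NAT_RE = re.compile(r'^(DNAT|SNAT) (\S+)->(\S+)$')

def parse_flow_trace(text):
    """Group trace lines by trace_id and keep the fields that matter when
    troubleshooting a VIP: ingress interface, src/dst, DNAT, SNAT, session."""
    flows = OrderedDict()
    for m in LINE_RE.finditer(text):
        tid, msg = m.group(1), m.group(2)
        f = flows.setdefault(tid, {"proto": None, "src": None, "dst": None,
                                   "iface": None, "dnat": None, "snat": None,
                                   "session": None})
        pkt = PKT_RE.search(msg)
        if pkt:
            f["proto"], f["src"], f["dst"], f["iface"] = (
                int(pkt.group(1)), pkt.group(2), pkt.group(3), pkt.group(4))
            continue
        nat = NAT_RE.match(msg)
        if nat:                      # "DNAT a->b" / "SNAT a->b": keep the result b
            f[nat.group(1).lower()] = nat.group(3)
        elif msg.startswith("Find an existing session"):
            f["session"] = "existing"
        elif msg == "no session matched":
            f["session"] = "none"    # first packet of a new connection
    return flows

def ingress_interfaces(flows):
    """Interfaces the traced packets arrived on; if 'wan1' is absent, the
    capture only shows internal clients hitting the VIP, not outside traffic."""
    return {f["iface"] for f in flows.values() if f["iface"]}

def summarize(flows):
    """One human-readable line per trace_id."""
    return [f"{tid}: {f['src']} -> {f['dst']} via {f['iface']}: "
            f"DNAT {f['dnat'] or '-'}, SNAT {f['snat'] or '-'}, session {f['session']}"
            for tid, f in flows.items()]
```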
I wonder what msg="SNAT 10.10.0.22->10.10.0.1:65405" stands for - you've got NAT checked on that policy (why?), and what about the interface's IP address 10.10.0.1...maybe you can clarify this.
VIP seems to do its job. Make sure there are no secondary IPs left on the WAN interface, and that the FGT is rebooted after removal.
At this point, a sniffer trace would be helpful.
Last thought: I once was in the situation where the FGT just didn't "take" the changes I made. Deleted the object and recreated from scratch, then it worked. Admittedly, this is a faint hope.
Also you could try to not filter with the public IP of the VIP, but maybe the public IP of your phone or something, so we don't see internal traffic > VIP and only public traffic > VIP.
.. I will try with the filter as you suggested..
Should the secondary address show up in this list? It is not here...
FG100D3G13802391 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 65.98.xxx.xx, wan1
C 10.10.0.0/23 is directly connected, internal
S 10.212.xxx.0/24 [30/0] is directly connected, ssl.root, [30/0]
C 65.98.xxx.xx/30 is directly connected, wan1
Thanks, WJ
Hmmm. A different question - if these are recently added secondary IPs, do they each have to be allowed access to get through the firewall? (As below, and would 192.168.182.108 represent the external secondary address?)
FGT # show system interface port1
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.182.108 255.255.254.0
        set allowaccess ping https ssh http telnet
        set type physical
    next
end
Thx
WJ
I believe there is a sub-section which sets allowaccess per secondary_ip:
In 5.2.x it's something like:
config system interface
    edit "port1"
        ...
        config secondaryip
            edit <secondary_ip_id>
                set ip <ip>
                set allowaccess <access_types>
            next
        end
    next
end
In 5.4.x it's a little different, but you can still set allowaccess per secondary ip under config secondaryip.
I don't know if the secondary IPs are automatically given the same allowaccess values the "main" IP has when they are created. That would not be very good. In 5.4.x when you add a secondary IP from the GUI you have to specify its allowaccess settings.
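The concern above is that a public secondary IP may end up with the same allowaccess as the primary address. As an added example (not from the thread or from Fortinet), here is a checker that walks "show system interface" style output, including the nested "config secondaryip" blocks, and flags any address on an untrusted interface that admits cleartext management services. The sample configuration is constructed with documentation-range addresses, not the poster's.

```python
# Constructed sample in the "show system interface" layout used above.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.252
        set allowaccess ping https
        config secondaryip
            edit 1
                set ip 203.0.113.20 255.255.255.255
                set allowaccess ping https ssh http telnet
            next
        end
    next
    edit "internal"
        set ip 10.10.0.1 255.255.254.0
        set allowaccess ping https ssh http
    next
end
"""

CLEARTEXT_MGMT = {"http", "telnet"}   # management services carried in the clear

def parse_interfaces(text):
    """Return one entry (interface, ip, allowaccess) for each primary address
    and each secondary IP found under 'config secondaryip'."""
    entries, iface, secondary, cur, parent = [], None, False, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            if not secondary:                       # top-level interface name
                iface = line.split(None, 1)[1].strip('"')
            cur = {"iface": iface, "ip": None, "allowaccess": set()}
        elif line == "config secondaryip":
            secondary, parent = True, cur           # remember the primary entry
        elif line.startswith("set ip ") and cur is not None:
            cur["ip"] = line.split()[2]
        elif line.startswith("set allowaccess ") and cur is not None:
            cur["allowaccess"] = set(line.split()[2:])
        elif line == "next" and cur is not None:
            entries.append(cur)
        elif line == "end" and secondary:
            secondary, cur = False, parent          # back to the primary entry
    return entries

def exposed_management(entries, untrusted_ifaces, services=CLEARTEXT_MGMT):
    """(interface, ip, offending services) for every address on an untrusted
    interface whose allowaccess includes one of the given services."""
    return [(e["iface"], e["ip"], sorted(e["allowaccess"] & services))
            for e in entries
            if e["iface"] in untrusted_ifaces and e["allowaccess"] & services]
```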