Hello
i need support, i have an OpenVPN server on my network, and its listening on default port 1194 so I created a VIP from the public to the inside but VPN is not working I have tried multiple ways but no luck, so i ran debug on the srcddrs and I see TCP rst message .
edit OVPN
set comment "OVPN"
set extip 1.1.1.1
set mappedip "2.2.2.2"
set extintf "wan2"
set color 12
FW policy :-
set srcintf "wan2"
set dstintf "lan1"
set srcaddr "all"
set dstaddr "OVPN"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
wan2 is my secondary circuit, so I created a route policy for the return traffic
edit
set input-device "lan1"
set srcaddr "2.2.2.2"
set dstaddr "all"
set output-device "wan2"
set gateway 1.1.1.2
Thanks
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You probably don't need to configure any SNAT for this. By default the DNAT VIP will SNAT the return traffic.
Also, you have a policy route that sends traffic from OVPN out WAN2. Your FIrewall policy allowing this traffic will SNAT it to the WAN2 IP address.
If you have multiple IP addresses on the WAN2 interface and you want to use these for SNAT (and same for the DNAT VIP you already created) then if you want traffic that is initiated from the OVPN to use SNAT you can enable "nat-source-vip
" from the CLI on your DNAT VIP. See here for more details: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/510402/static-virtual-ips
Thanks, Graham VPN is working well now I just allowed UDP 1194 and TCP port 22 i think something was wrong from OVPN side .
One last question what if I want to do Snat on that same mapped IP
Dnat 1.1.1.1 :1194 mapped to 2.2.2.2 :1194
2.2.2.2 natted to 1.1.1.1 >>> public internet
For Snat should I configure another policy using ippool? or is there any feature on the forti for the return traffic using same dnat public ip ?
You probably don't need to configure any SNAT for this. By default the DNAT VIP will SNAT the return traffic.
Also, you have a policy route that sends traffic from OVPN out WAN2. Your FIrewall policy allowing this traffic will SNAT it to the WAN2 IP address.
If you have multiple IP addresses on the WAN2 interface and you want to use these for SNAT (and same for the DNAT VIP you already created) then if you want traffic that is initiated from the OVPN to use SNAT you can enable "nat-source-vip
" from the CLI on your DNAT VIP. See here for more details: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/510402/static-virtual-ips
Thanks, Graham for the clarification, nat source VIP is what i needed
Cheers
"
filters=[ host 2.2.2.2 ]
2023-01-31 05:57:07.578320 lan1 out x.x.x.x.54791 -> 2.2.2.2.1194: udp 21
2023-01-31 05:57:12.578504 lan1 out arp who-has 2.2.2.2 tell 2.2.2.254
2023-01-31 05:57:12.578633 lan1 in arp reply 2.2.2.2 is-at 7c:4f:34:12:8b:90
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.