Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
andrea_mercanti
New Contributor

Policy Routing and Port Forwarding

Hi,

I'm Andrea and I'm trying to configure a new Fortigate in my company. I have a Fortigate 60D with FortiOS 5.2.1.

 

Below the network topology:

 

I set the policy routing so the traffic from the GuestNetwork is sent to wan2 and other traffic is sent to wan1 and all works fine. Now I have to set a internal WebServer and a port forwarding to make it available from Public IP on wan1. I can reach the WebServer from interent and from the network 192.172.0.0/16 with the Public IP. The problem is with the GuestNetwork, the devices in the GuestNetwork network cannot reach the WebServer with the Public IP. I think that the problem is in the Policy Routing, in fact if I remove the policy and I put the two "wan" in Load Balancing all works fine. Is there an error in my settings? Is it a known bug?

 

Could you please help me? Tank you.

 

Best Regards,

Andrea 

 

Below the Fortigate settings:

#ROUTING

 

Static Routes:

    Static Route 01:         Destination IP/Mask: 0.0.0.0/0.0.0.0         Device: wan1         Gateway: 87.153.237.177         Distance: 10         Priority: 1

        

    Static Route 02:         Destination IP/Mask: 0.0.0.0/0.0.0.0         Device: wan2         Gateway: 192.168.1.254         Distance: 10         Priority: 10

        Policy Routes:     Policy Route 01:         Protocol: ANY         Incoming Interface: internal         Source address/mask: 192.172.1.10/255.255.255.255         Destination/mask: 0.0.0.0/0.0.0.0         Forward Traffic: true         Outgoing interface: wan2         Gateway Address: 192.168.1.254

 

#PORT FORWARDING

    Virtual IPs         Name: WebServer         Interface: wan1         Type: Static NAT         Soure Address Filter: false         External IP Address: 84.153.237.178-84.153.237.178         Mapped IP Address: 192.172.3.45-192.172.3.45         Port Forwarding: True         Protocol: TCP         External Service Port: 4040-4040         Map to Port: 8080-8080

 

    Policy IPv4         Incoming Interface: Wan1         Source Address: all         Outgoing Interface: internal         Destination Address: WebServer         Schedule: always         Service: ALL         Action: ACCEPT         NAT: off

5 REPLIES 5
gschmitt
Valued Contributor

Are you really using 192.172.0.0/16 as your internal IP address range? This is not a private network

Please read this to learn more about private/reserved IP address ranges: https://en.wikipedia.org/wiki/Private_network https://en.wikipedia.org/wiki/Reserved_IP_addresses

 

As a workaround you can try creating the following policy in Policy&Objects > Policies > IPv4

Incoming Interface: GuestNetwork

Source Address: You Guest Network (or all if you don't have an object for it)

Outgoing Interface: Internal

Destination Address: WebServer VIP object

Configure the rest as needed

 

If your WebServer virtual IP is not selectable go to Policy&Objects > Objects > Virtual IPs and edit the WebServer Object

Select Interface: Any

If this is not possible please remove all references to it first (your wan>internal policy)

andrea_mercanti

Hi, 

 

The problem is that a device with the IP 192.172.5.125(example) reach the WebServer with the Public IP 84.153.237.178:4040 meanwhile the same device in the GuestNetwork, natted with IP 192.172.1.10, does not reach the WebServer with the Public IP 84.153.237.178:4040.

 

However I try to add this policy

 

Policy IPv4         Incoming Interface: any         Source Address: all         Outgoing Interface: internal         Destination Address: WebServer         Schedule: always         Service: ALL         Action: ACCEPT         NAT: off

 

but I have the same result that I have without this policy.

Only if I delete the policy route I can reach the WebServer the Public IP 84.153.237.178:4040.

 

PS. all IPs in the first post are fake, it is just for explain the network topology.

 

Best Regards,

Andrea

gschmitt

Hm ok.

 

Try creating a new Policy Route

Protocol TCP (or ANY)

Incoming Interface: Internal

Source address/mask: 192.172.1.10/255.255.255.255 Destination/mask: 84.153.237.178/255.255.255.255

 

Then:

Action: Stop Policy Routing

 

Move it above the existing Policy Route

andrea_mercanti
New Contributor

Thank you for the support and patience.

 

I have already try with that policy route but nothing change. I have just retried and nothing change.

 

It seems that the "stop policy routing" does not work.

 

Best Regards,

Andrea

gschmitt

andrea.mercanti@catenate.com wrote:

Thank you for the support and patience.

 

I have already try with that policy route but nothing change. I have just retried and nothing change.

 

It seems that the "stop policy routing" does not work.

 

Best Regards,

Andrea

Keep the policy route and create another with destination IP mask: 192.172.3.25/32 again with Stop policy route

Create the policy I meantioned below: from internal > internal from 192.172.1.10 to WebServer (VIP Object)

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors