Hi,
I'm Andrea and I'm trying to configure a new Fortigate in my company. I have a Fortigate 60D with FortiOS 5.2.1.
Below is the network topology:
I set the policy routing so the traffic from the GuestNetwork is sent to wan2 and other traffic is sent to wan1, and all works fine. Now I have to set up an internal WebServer and a port forwarding to make it available from the Public IP on wan1. I can reach the WebServer from the internet and from the network 192.172.0.0/16 with the Public IP. The problem is with the GuestNetwork: the devices in the GuestNetwork cannot reach the WebServer with the Public IP. I think that the problem is in the Policy Routing; in fact if I remove the policy and I put the two "wan" in Load Balancing all works fine. Is there an error in my settings? Is it a known bug?
Could you please help me? Thank you.
Best Regards,
Andrea
Below are the Fortigate settings:
#ROUTING
Static Routes:
Static Route 01: Destination IP/Mask: 0.0.0.0/0.0.0.0 Device: wan1 Gateway: 87.153.237.177 Distance: 10 Priority: 1
Static Route 02: Destination IP/Mask: 0.0.0.0/0.0.0.0 Device: wan2 Gateway: 192.168.1.254 Distance: 10 Priority: 10
Policy Routes: Policy Route 01: Protocol: ANY Incoming Interface: internal Source address/mask: 192.172.1.10/255.255.255.255 Destination/mask: 0.0.0.0/0.0.0.0 Forward Traffic: true Outgoing interface: wan2 Gateway Address: 192.168.1.254
#PORT FORWARDING
Virtual IPs Name: WebServer Interface: wan1 Type: Static NAT Source Address Filter: false External IP Address: 84.153.237.178-84.153.237.178 Mapped IP Address: 192.172.3.45-192.172.3.45 Port Forwarding: True Protocol: TCP External Service Port: 4040-4040 Map to Port: 8080-8080
Policy IPv4 Incoming Interface: Wan1 Source Address: all Outgoing Interface: internal Destination Address: WebServer Schedule: always Service: ALL Action: ACCEPT NAT: off
Are you really using 192.172.0.0/16 as your internal IP address range? This is not a private network
Please read this to learn more about private/reserved IP address ranges: https://en.wikipedia.org/wiki/Private_network https://en.wikipedia.org/wiki/Reserved_IP_addresses
As a workaround you can try creating the following policy in Policy&Objects > Policies > IPv4
Incoming Interface: GuestNetwork
Source Address: Your Guest Network (or all if you don't have an object for it)
Outgoing Interface: Internal
Destination Address: WebServer VIP object
Configure the rest as needed
If your WebServer virtual IP is not selectable go to Policy&Objects > Objects > Virtual IPs and edit the WebServer Object
Select Interface: Any
If this is not possible please remove all references to it first (your wan>internal policy)
Hi,
The problem is that a device with the IP 192.172.5.125 (example) reaches the WebServer with the Public IP 84.153.237.178:4040, while the same device in the GuestNetwork, NATed with IP 192.172.1.10, does not reach the WebServer with the Public IP 84.153.237.178:4040.
However, I tried to add this policy
Policy IPv4 Incoming Interface: any Source Address: all Outgoing Interface: internal Destination Address: WebServer Schedule: always Service: ALL Action: ACCEPT NAT: off
but I have the same result that I have without this policy.
Only if I delete the policy route can I reach the WebServer at the Public IP 84.153.237.178:4040.
PS. All IPs in the first post are fake; they are just to explain the network topology.
Best Regards,
Andrea
Hm ok.
Try creating a new Policy Route
Protocol TCP (or ANY)
Incoming Interface: Internal
Source address/mask: 192.172.1.10/255.255.255.255 Destination/mask: 84.153.237.178/255.255.255.255
Then:
Action: Stop Policy Routing
Move it above the existing Policy Route
Thank you for the support and patience.
I have already tried that policy route but nothing changed. I have just retried and nothing changed.
It seems that the "stop policy routing" does not work.
Best Regards,
Andrea
andrea.mercanti@catenate.com wrote:
Thank you for the support and patience.
I have already tried that policy route but nothing changed. I have just retried and nothing changed.
It seems that the "stop policy routing" does not work.
Best Regards,
Andrea
Keep the policy route and create another with destination IP mask: 192.172.3.25/32, again with Stop policy route.
Create the policy I mentioned below: from internal > internal from 192.172.1.10 to WebServer (VIP Object)
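For anyone landing on this thread later, here is the combination of the suggestions above written out as FortiOS CLI. This is my own worked example, not config posted by either participant: the interface names (internal, wan1, wan2), the VIP name WebServer and the addresses are taken from the thread; the policy-route sequence numbers, the firewall-policy ID 0 (which lets FortiOS allocate the next free ID) and the decision to enable NAT on the internal-to-internal policy are my assumptions. The CLI keywords are the FortiOS 5.x ones as far as I know them; check them against your own unit.

```fortios
# 1. Let the VIP match on any interface, so 84.153.237.178:4040 is also
#    translated when the request arrives on "internal" (the GUI step
#    "Interface: Any" from the first reply).
config firewall vip
    edit "WebServer"
        set extintf "any"
        set extip 84.153.237.178
        set mappedip 192.172.3.45
        set portforward enable
        set protocol tcp
        set extport 4040
        set mappedport 8080
    next
end

# 2. Policy routes are evaluated top-down. "set action deny" is what the GUI
#    calls "Stop Policy Routing": traffic from the guest NAT address to the
#    public IP falls back to the normal routing table instead of being
#    pushed out wan2. It must sit above the wan2 catch-all route.
#    Sequence numbers 1 and 2 are assumed.
config router policy
    edit 1
        set input-device "internal"
        set src 192.172.1.10/255.255.255.255
        set dst 84.153.237.178/255.255.255.255
        set action deny
    next
    edit 2
        set input-device "internal"
        set src 192.172.1.10/255.255.255.255
        set dst 0.0.0.0/0.0.0.0
        set output-device "wan2"
        set gateway 192.168.1.254
    next
end

# 3. Hairpin policy for clients and server behind the same interface.
#    Without source NAT the server would answer 192.172.1.10 directly and
#    the client would see a reply from 192.172.3.45 instead of the public
#    IP it connected to, so the TCP session never completes. Enabling NAT
#    (my assumption, not in the thread) forces the reply back through the
#    FortiGate. "edit 0" creates a new policy; move it above any broader
#    internal > internal policy afterwards.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "WebServer"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

To see which route and policy a guest connection actually hits, the flow debugger is the quickest check (FortiOS 5.x syntax: diagnose debug flow filter addr 84.153.237.178, diagnose debug flow show console enable, diagnose debug enable, diagnose debug flow trace start 10, then open the page from a guest device). The trace shows whether the packet was sent to wan2 by the policy route or matched the VIP on internal, which tells you which of the three steps is still missing.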
Copyright 2024 Fortinet, Inc. All Rights Reserved.