andrea_mercanti
New Contributor

Policy Routing and Port Forwarding

Hi,

I'm Andrea and I'm trying to configure a new Fortigate in my company. I have a Fortigate 60D with FortiOS 5.2.1.

Below is the network topology:

I set the policy routing so the traffic from the GuestNetwork is sent to wan2 and other traffic is sent to wan1, and all works fine. Now I have to set up an internal WebServer and a port forwarding to make it available from the Public IP on wan1. I can reach the WebServer from the internet and from the network 192.172.0.0/16 with the Public IP. The problem is with the GuestNetwork: the devices in the GuestNetwork cannot reach the WebServer with the Public IP. I think that the problem is in the Policy Routing; in fact, if I remove the policy and I put the two "wan" in Load Balancing, all works fine. Is there an error in my settings? Is it a known bug?

Could you please help me? Thank you.

Best Regards,

Andrea

Below the Fortigate settings:

#ROUTING

Static Routes:

    Static Route 01:
        Destination IP/Mask: 0.0.0.0/0.0.0.0
        Device: wan1
        Gateway: 87.153.237.177
        Distance: 10
        Priority: 1

    Static Route 02:
        Destination IP/Mask: 0.0.0.0/0.0.0.0
        Device: wan2
        Gateway: 192.168.1.254
        Distance: 10
        Priority: 10

Policy Routes:

    Policy Route 01:
        Protocol: ANY
        Incoming Interface: internal
        Source address/mask: 192.172.1.10/255.255.255.255
        Destination/mask: 0.0.0.0/0.0.0.0
        Forward Traffic: true
        Outgoing interface: wan2
        Gateway Address: 192.168.1.254

#PORT FORWARDING

    Virtual IPs
        Name: WebServer
        Interface: wan1
        Type: Static NAT
        Source Address Filter: false
        External IP Address: 84.153.237.178-84.153.237.178
        Mapped IP Address: 192.172.3.45-192.172.3.45
        Port Forwarding: True
        Protocol: TCP
        External Service Port: 4040-4040
        Map to Port: 8080-8080

    Policy IPv4
        Incoming Interface: Wan1
        Source Address: all
        Outgoing Interface: internal
        Destination Address: WebServer
        Schedule: always
        Service: ALL
        Action: ACCEPT
        NAT: off

gschmitt
Valued Contributor

Are you really using 192.172.0.0/16 as your internal IP address range? This is not a private network.

Please read this to learn more about private/reserved IP address ranges: https://en.wikipedia.org/wiki/Private_network https://en.wikipedia.org/wiki/Reserved_IP_addresses

As a workaround you can try creating the following policy in Policy&Objects > Policies > IPv4:

    Incoming Interface: GuestNetwork
    Source Address: Your Guest Network (or all if you don't have an object for it)
    Outgoing Interface: Internal
    Destination Address: WebServer VIP object

Configure the rest as needed.

If your WebServer virtual IP is not selectable, go to Policy&Objects > Objects > Virtual IPs and edit the WebServer object:

    Select Interface: Any

If this is not possible, please remove all references to it first (your wan>internal policy).

andrea_mercanti

Hi,

The problem is that a device with the IP 192.172.5.125 (example) reaches the WebServer with the Public IP 84.153.237.178:4040, while the same device in the GuestNetwork, NATed with IP 192.172.1.10, does not reach the WebServer with the Public IP 84.153.237.178:4040.

However, I tried adding this policy:

    Policy IPv4
        Incoming Interface: any
        Source Address: all
        Outgoing Interface: internal
        Destination Address: WebServer
        Schedule: always
        Service: ALL
        Action: ACCEPT
        NAT: off

but I get the same result as without this policy.

Only if I delete the policy route can I reach the WebServer at the Public IP 84.153.237.178:4040.

PS. All IPs in the first post are fake; they are just to explain the network topology.

Best Regards,

Andrea

gschmitt

Hm ok.

Try creating a new Policy Route:

    Protocol: TCP (or ANY)
    Incoming Interface: Internal
    Source address/mask: 192.172.1.10/255.255.255.255
    Destination/mask: 84.153.237.178/255.255.255.255

Then:

    Action: Stop Policy Routing

Move it above the existing Policy Route.

andrea_mercanti
New Contributor

Thank you for the support and patience.

I have already tried that policy route but nothing changed. I have just retried and nothing changed.

It seems that the "stop policy routing" does not work.

Best Regards,

Andrea

gschmitt

andrea.mercanti@catenate.com wrote:

    Thank you for the support and patience.

    I have already tried that policy route but nothing changed. I have just retried and nothing changed.

    It seems that the "stop policy routing" does not work.

    Best Regards,

    Andrea

Keep the policy route and create another with destination IP mask: 192.172.3.25/32, again with Stop Policy Routing.

Create the policy I mentioned below: from internal > internal, from 192.172.1.10 to WebServer (VIP object).
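A constructed model (added here; not code from the thread or from Fortinet) of the route selection the replies are reasoning about. It shows why a Stop Policy Routing entry keyed on the public VIP address never matches the guest host's traffic while one keyed on the mapped address does, and it assumes FortiOS's ingress order of VIP DNAT before the route lookup, first-match policy routes, and a connected 192.172.0.0/16 on internal.

```python
import ipaddress

# Toy model of FortiOS-style route selection for the hairpin case in this
# thread (constructed example, not FortiGate code). Assumptions: policy routes
# are matched top-down, first match wins; action "deny" is the GUI's "Stop
# Policy Routing" and falls back to the static table; the VIP's DNAT
# (84.153.237.178 -> 192.172.3.45) is applied before the route lookup.

CONNECTED = [("192.172.0.0/16", "internal", 0, 0)]      # assumed LAN subnet
STATIC_ROUTES = CONNECTED + [                             # from the first post
    ("0.0.0.0/0", "wan1", 10, 1),
    ("0.0.0.0/0", "wan2", 10, 10),
]
VIP = {"84.153.237.178": "192.172.3.45"}                 # WebServer VIP

def static_lookup(dst):
    """Longest prefix wins; ties go to lower distance, then lower priority."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, dev, dist, prio in STATIC_ROUTES:
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or (n.prefixlen, -dist, -prio) > best[0]):
            best = ((n.prefixlen, -dist, -prio), dev)
    return best[1]

def policy_route(in_if, src, dst, out=None, action="permit"):
    return {"in": in_if, "src": src, "dst": dst, "out": out, "action": action}

def egress(policy_routes, in_if, src, dst):
    """Interface a packet leaves on after DNAT and route selection."""
    dst = VIP.get(dst, dst)                               # VIP DNAT happens first
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy_routes:
        if (r["in"] == in_if and s in ipaddress.ip_network(r["src"])
                and d in ipaddress.ip_network(r["dst"])):
            return static_lookup(dst) if r["action"] == "deny" else r["out"]
    return static_lookup(dst)

# The thread's Policy Route 01 and the two "Stop Policy Routing" entries discussed
GUEST_TO_WAN2 = policy_route("internal", "192.172.1.10/32", "0.0.0.0/0", "wan2")
STOP_PUBLIC = policy_route("internal", "192.172.1.10/32", "84.153.237.178/32", action="deny")
STOP_MAPPED = policy_route("internal", "192.172.1.10/32", "192.172.3.45/32", action="deny")

def guest_hits_vip(policy_routes):
    """Guest host 192.172.1.10 connecting to the public VIP address."""
    return egress(policy_routes, "internal", "192.172.1.10", "84.153.237.178")

if __name__ == "__main__":
    print(guest_hits_vip([GUEST_TO_WAN2]))                            # wan2
    print(guest_hits_vip([STOP_PUBLIC, GUEST_TO_WAN2]))               # wan2: rule sees post-DNAT dst
    print(guest_hits_vip([STOP_MAPPED, STOP_PUBLIC, GUEST_TO_WAN2]))  # internal
```

A non-guest host such as 192.172.5.125 never matches Policy Route 01, so its DNATed packet follows the connected route back to internal, which is the behaviour Andrea observed.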
