Hi Guys,
Thanks for the Forum it is super helpful and has helped me with other problems that I have had.
For this particular problem I have spent quite a bit of time reading through the posts on the fortinet forum and the various cookbooks to find out what I am doing incorrect that this does not work. Unfortunately I do not have a team that is able to work with me on this and I am doing it by myself so thought that maybe someone can critique my config and spot what I am missing and hopefully point me in the right direction. I have a FG 100E it is OS 5.4.1 I have my main subnet as 12.12.12.228/30 Then I have additional subnet as 5.5.5.224/29 The modem only has one port connecting to WAN1. The FG has WAN1 with IP Address 12.12.12.230 I have tried the following recipe and others similar to: https://cookbook.fortinet...re-port-forwarding-54/ The closest that I can get is online websites saying that port 22 is open for 5.5.5.228. But if I try to SSH into this I do not get connection and it just times out. On that server I can curl a website and it even says that I have the address 5.5.5.228 but does not respond. The server is accessible on the internal network and receives ssh requests and allows login.
Basically the idea that should work:
The Fortigate with WAN1 - 12.12.12.230/30
have the additional static WAN address 5.5.5.228:22 forwarding to 192.168.45.10:22 which is on port14 of the Fortigate.
I have tried assigning to WAN1 a second IP address of 5.5.5.226 but still no luck.
I have also tried adding a 2nd static route as well for the 5.5.5.224/29 subnet.
I tried adding a policy route but no luck.
I have attached the conf with sensitive data removed and only the made up addresses and names. Hopefully someone can give me a heads up on this one.
Again thank you for taking the time.
Cheers
David
Solved! Go to Solution.
When you get a /30 as your main interface pucblic subnet, then an additional /29 from your ISP, the /29 is meant to be used on LAN side or VIPs at the FW as you're doing. You shouldn't configure it on wan1 as its secondary. I'm not sure how the FGT would react with this but take it out first. Also I saw you configured an ippool. It wouldn't affect anything unless you apply it to a policy but I would take it out as well to avoid future confusion.
The vip config seems to be fine but the name "demo" doesn't match what you referred at the policy "demo-ssh" but it might be the result of over editing before posting.
Then it should work but I should learn how to debut using "sniffer" and "debug flow" in CLI to see where it's coming/going and how it's treated in-between.
When you get a /30 as your main interface pucblic subnet, then an additional /29 from your ISP, the /29 is meant to be used on LAN side or VIPs at the FW as you're doing. You shouldn't configure it on wan1 as its secondary. I'm not sure how the FGT would react with this but take it out first. Also I saw you configured an ippool. It wouldn't affect anything unless you apply it to a policy but I would take it out as well to avoid future confusion.
The vip config seems to be fine but the name "demo" doesn't match what you referred at the policy "demo-ssh" but it might be the result of over editing before posting.
Then it should work but I should learn how to debut using "sniffer" and "debug flow" in CLI to see where it's coming/going and how it's treated in-between.
Thank you Toshi for the fast answer!
So not assigning additional subnet to the WAN1 makes sense and I removed this.
Then should I assign a LAN inside with the IP address 5.5.5.225/29 and the server that I am trying to port forward to the address of 5.5.5.228?
I followed what you laid out above and I removed the IPPOOL
Should the role of the interface port14 be LAN or DMZ for this?
I have attached nearly the full conf file with some repetitive lines removed.
When I use ping.eu to see if the port is open it reports that port 22 is open.
I ran the following when ssh was initiated from internet:
FG100E4Q16006136 # diag sniffer packet port14 none 4 20 3
interfaces=[port14]
filters=[none]
1.095299 port14 -- 223.111.139.247.40466 -> 192.168.45.10.22: psh fin 651293180 ack 3006770733
2.717404 port14 -- 192.168.45.10.50426 -> 8.8.8.8.53: syn 3069804125
3.386205 port14 -- 115.238.245.2.52720 -> 192.168.45.10.22: syn 3447152338
3.386348 port14 -- 192.168.45.10.22 -> 115.238.245.2.52720: syn 1814113060 ack 3447152339
3.420422 port14 -- 115.238.245.2.53600 -> 192.168.45.10.22: fin 4164346355 ack 965568311
3.421919 port14 -- 192.168.45.10.22 -> 115.238.245.2.53600: fin 965568311 ack 4164346356
3.674320 port14 -- 115.238.245.2.52720 -> 192.168.45.10.22: ack 1814113061
5.582770 port14 -- 192.168.45.10.47571 -> 8.8.8.8.53: udp 32
5.582841 port14 -- 192.168.45.10.50428 -> 8.8.8.8.53: syn 2967082809
5.617856 port14 -- 122.226.181.167.38730 -> 192.168.45.10.22: syn 412603914
5.618009 port14 -- 192.168.45.10.22 -> 122.226.181.167.38730: syn 3410943952 ack 412603915
5.641885 port14 -- 122.226.181.167.53084 -> 192.168.45.10.22: fin 3243229011 ack 1893471737
5.643240 port14 -- 192.168.45.10.22 -> 122.226.181.167.53084: fin 1893471737 ack 3243229012
5.942029 port14 -- 122.226.181.167.38730 -> 192.168.45.10.22: ack 3410943953
6.589432 port14 -- 192.168.45.10.50428 -> 8.8.8.8.53: syn 2967082809
8.349445 port14 -- 192.168.45.10.22 -> 223.111.139.247.40466: psh fin 3006770733 ack 651293233
8.605448 port14 -- 192.168.45.10.50428 -> 8.8.8.8.53: syn 2967082809
10.587886 port14 -- 192.168.45.10.47571 -> 8.8.8.8.53: udp 32
10.909469 port14 -- 192.168.45.10.22 -> 223.111.139.247.42868: psh fin 1212441805 ack 634382344
12.701473 port14 -- 192.168.45.10.50428 -> 8.8.8.8.53: syn 2967082809
diag debug flow output:
FG100E4Q16006136 # diagnose debug flow filter addr 5.5.5.228
FG100E4Q16006136 # diagnose debug flow show console enable
show trace messages on console
FG100E4Q16006136 # diagnose debug flow show function enable
show function name
FG100E4Q16006136 # diagnose debug flow trace start 50
FG100E4Q16006136 # diagnose debug enable
FG100E4Q16006136 #
FG100E4Q16006136 # id=20085 trace_id=471 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=6, 185.176.27.182:53844->5.5.5.228:9064) from wan1. flag, seq 2481459453, ack 0, win 1024"
id=20085 trace_id=471 func=init_ip_session_common line=4935 msg="allocate a new session-0003fbe0"
id=20085 trace_id=471 func=vf_ip_route_input_common line=2584 msg="find a route: flag=80000000 gw-5.5.5.228 via root"
id=20085 trace_id=471 func=fw_local_in_handler line=387 msg="iprope_in_check() check failed on policy 0, drop"
FG100E4Q16006136 # id=20085 trace_id=472 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=6, 185.153.197.13:49142->5.5.5.228:6655) from wan1. flag, seq 2285942157, ack 0, win 1024"
id=20085 trace_id=472 func=init_ip_session_common line=4935 msg="allocate a new session-0003fbfd"
id=20085 trace_id=472 func=vf_ip_route_input_common line=2584 msg="find a route: flag=80000000 gw-5.5.5.228 via root"
id=20085 trace_id=472 func=fw_local_in_handler line=387 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=473 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=6, 185.254.122.9:56128->5.5.5.228:8407) from wan1. flag, seq 3668607456, ack 0, win 1024"
id=20085 trace_id=473 func=init_ip_session_common line=4935 msg="allocate a new session-0003fc12"
id=20085 trace_id=473 func=vf_ip_route_input_common line=2584 msg="find a route: flag=80000000 gw-5.5.5.228 via root"
id=20085 trace_id=473 func=fw_local_in_handler line=387 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=474 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=6, 172.104.61.55:46687->5.5.5.228:3386) from wan1. flag, seq 3891552857, ack 0, win 65535"
id=20085 trace_id=474 func=init_ip_session_common line=4935 msg="allocate a new session-0003fc28"
id=20085 trace_id=474 func=vf_ip_route_input_common line=2584 msg="find a route: flag=80000000 gw-5.5.5.228 via root"
id=20085 trace_id=474 func=fw_local_in_handler line=387 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=476 func=fw_local_in_handler line=387 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=477 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=6, 61.184.247.8:57131->5.5.5.228:22) from wan1. flag, seq 434277023, ack 0, win 29200"
id=20085 trace_id=477 func=init_ip_session_common line=4935 msg="allocate a new session-0003fce7"
id=20085 trace_id=477 func=fw_pre_route_handler line=182 msg="VIP-192.168.45.10:22, outdev-wan1"
id=20085 trace_id=477 func=__ip_session_run_tuple line=2808 msg="DNAT 5.5.5.228:22->192.168.45.10:22"
id=20085 trace_id=477 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-192.168.45.10 via port14"
id=20085 trace_id=477 func=fw_forward_handler line=691 msg="Allowed by Policy-1:"
id=20085 trace_id=478 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=6, 61.184.247.8:57131->5.5.5.228:22) from wan1. flag [.], seq 434277024, ack 351432971, win 229"
id=20085 trace_id=478 func=resolve_ip_tuple_fast line=4848 msg="Find an existing session, id-0003fce7, original direction"
id=20085 trace_id=478 func=__ip_session_run_tuple line=2808 msg="DNAT 5.5.5.228:22->192.168.45.10:22"
id=20085 trace_id=478 func=npu_handle_session44 line=1026 msg="Trying to offloading session from wan1 to port14, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000800"
id=20085 trace_id=478 func=ip_session_install_npu_session line=320 msg="npu session intallation succeeded"
id=20085 trace_id=479 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=6, 71.6.233.75:10001->5.5.5.228:10001) from wan1. flag, seq 2668983840, ack 0, win 65535"
id=20085 trace_id=479 func=init_ip_session_common line=4935 msg="allocate a new session-0003fcef"
id=20085 trace_id=479 func=vf_ip_route_input_common line=2584 msg="find a route: flag=80000000 gw-5.5.5.228 via root"
id=20085 trace_id=479 func=fw_local_in_handler line=387 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=480 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=6, 61.184.247.8:60288->5.5.5.228:22) from wan1. flag, seq 1163008124, ack 0, win 29200"
id=20085 trace_id=480 func=init_ip_session_common line=4935 msg="allocate a new session-0003fcf3"
id=20085 trace_id=480 func=fw_pre_route_handler line=182 msg="VIP-192.168.45.10:22, outdev-wan1"
id=20085 trace_id=480 func=__ip_session_run_tuple line=2808 msg="DNAT 5.5.5.228:22->192.168.45.10:22"
id=20085 trace_id=480 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-192.168.45.10 via port14"
id=20085 trace_id=480 func=fw_forward_handler line=691 msg="Allowed by Policy-1:"
id=20085 trace_id=481 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=6, 61.184.247.8:57131->5.5.5.228:22) from wan1. flag [F.], seq 434278399, ack 351435264, win 262"
id=20085 trace_id=481 func=resolve_ip_tuple_fast line=4848 msg="Find an existing session, id-0003fce7, original direction"
id=20085 trace_id=481 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=481 func=ip_session_run_all_tuple line=5954 msg="DNAT 5.5.5.228:22->192.168.45.10:22"
id=20085 trace_id=482 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=6, 61.184.247.8:60288->5.5.5.228:22) from wan1. flag [.], seq 1163008125, ack 3724905783, win 229"
id=20085 trace_id=482 func=resolve_ip_tuple_fast line=4848 msg="Find an existing session, id-0003fcf3, original direction"
id=20085 trace_id=482 func=__ip_session_run_tuple line=2808 msg="DNAT 5.5.5.228:22->192.168.45.10:22"
id=20085 trace_id=482 func=npu_handle_session44 line=1026 msg="Trying to offloading session from wan1 to port14, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000800"
id=20085 trace_id=482 func=ip_session_install_npu_session line=320 msg="npu session intallation succeeded"
Thank you for your help, totally appreciate this.
Cheers
David
Don't assign it to any interface if you want to use it for VIP ouside IP to be translated to a local IP.
The roles are only for GUI what options to show. It wouldn't change any actual capability.
Your sniffing is showing the FGT is mapping IP as you intended and the server is responding to the outside party. So it's working. But out side party is dropping the response immediately somehow.
Instead of limiting the sniffing to port14, use "any" for the interface and add option "4" to see the entire sequence coming-in to going-out. You need to know the outside party IP first and use it to sniff because that's the only IP never change.
"diag sniffer packet any 'host OUTSIDE_PARTY_IP' 4"
Thank you very much for the answer.
So I thought "could I even make it work on the current WAN1 address?" and I found that when I set up port forwarding to the WAN1 address of 12.12.12.230 it worked straight away and I could SSH in!
So at least I was able to see that worked! I then sniffed the external address and could see what was happening..
This is from testing from ping.eu
FG100E4Q16006136 # diag sniffer packet any 'host 88.198.46.51' 4
interfaces=[any]
filters=[host 88.198.46.51]
6.236897 wan1 in 88.198.46.51.37370 -> 12.12.12.230.22: syn 862005192
6.237097 port14 out 88.198.46.51.37370 -> 192.168.45.10.22: syn 862005192
6.237244 port14 in 192.168.45.10.22 -> 88.198.46.51.37370: syn 2176301595 ack 862005193
6.237324 wan1 out 12.12.12.230.22 -> 88.198.46.51.37370: syn 2176301595 ack 862005193
6.538807 wan1 in 88.198.46.51.37370 -> 12.12.12.230.22: ack 2176301596
6.538879 port14 out 88.198.46.51.37370 -> 192.168.45.10.22: ack 2176301596
6.538944 wan1 in 88.198.46.51.37370 -> 12.12.12.230.22: fin 862005193 ack 2176301596
6.538972 port14 out 88.198.46.51.37370 -> 192.168.45.10.22: fin 862005193 ack 2176301596
6.547045 port14 in 192.168.45.10.22 -> 88.198.46.51.37370: fin 2176301637 ack 862005194
6.547077 wan1 out 12.12.12.230.22 -> 88.198.46.51.37370: fin 2176301637 ack 862005194
6.848139 wan1 in 88.198.46.51.37370 -> 12.12.12.230.22: rst 862005194
6.848175 port14 out 88.198.46.51.37370 -> 192.168.45.10.22: rst 862005194
6.848615 wan1 in 88.198.46.51.37370 -> 12.12.12.230.22: rst 862005194
6.848642 port14 out 88.198.46.51.37370 -> 192.168.45.10.22: rst 862005194
Now the problem is that I still do not have the additional subnet part working....
I tried the following with port forwarding set to 5.5.5.227 (thought I would change this to try one of the other IPs in the subnet) This is from testing from ping.eu
FG100E4Q16006136 # diag sniffer packet any 'host 88.198.46.51' 4
interfaces=[any]
filters=[host 88.198.46.51]
5.295172 wan1 in 88.198.46.51.59512 -> 5.5.5.227.22: syn 3997822561
5.295307 port14 out 88.198.46.51.59512 -> 192.168.45.10.22: syn 3997822561
5.295457 port14 in 192.168.45.10.22 -> 88.198.46.51.59512: syn 68515733 ack 3997822562
5.295524 wan1 out 5.5.5.227.22 -> 88.198.46.51.59512: syn 68515733 ack 3997822562
5.597932 wan1 in 88.198.46.51.59512 -> 5.5.5.227.22: ack 68515734
5.598015 port14 out 88.198.46.51.59512 -> 192.168.45.10.22: ack 68515734
5.598041 wan1 in 88.198.46.51.59512 -> 5.5.5.227.22: fin 3997822562 ack 68515734
5.598078 port14 out 88.198.46.51.59512 -> 192.168.45.10.22: fin 3997822562 ack 68515734
5.606338 port14 in 192.168.45.10.22 -> 88.198.46.51.59512: fin 68515775 ack 3997822563
5.606371 wan1 out 5.5.5.227.22 -> 88.198.46.51.59512: fin 68515775 ack 3997822563
5.908154 wan1 in 88.198.46.51.59512 -> 5.5.5.227.22: rst 3997822563
5.908189 port14 out 88.198.46.51.59512 -> 192.168.45.10.22: rst 3997822563
5.908685 wan1 in 88.198.46.51.59512 -> 5.5.5.227.22: rst 3997822563
5.908713 port14 out 88.198.46.51.59512 -> 192.168.45.10.22: rst 3997822563
But now when I try to ssh into the server I get nothing!
I feel a bit lost now....
Remove the port forwarding to 5.5.5.x. Create a Virtual IP residing on the WAN1 interface with a source IP of 5.5.5.224 and the destination of your SSH host with port forwarding enabled (Source TCP 1024-65535, Destination TCP 22). Then use this VIP definition as the target in a policy allowing SSH.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Not sure if I ever found the correct config on this but the ISP was accommodating and changed my main WAN subnet to a /29 WAN subnet so I had the extra IP addresses that I needed. Now I at least have port forwarding working as I wanted, but just not using the additional subnet.
Thanks Rob and Thank you Toshi for your help! Totally appreciate the work and hopefully this thread assists anyone else with their endeavours.
Cheers
dave
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1739 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.