Hi all guys,
I have a problem with port forwarding on my new FG61E with FortiOS 5.4.1.
Schema:
Internet <-> (Public IP) Router (192.168.123.1) <-> (192.168.123.10) FG61E (192.168.69.254) <-> Server1 (192.168.69.156)
In the provider router the needed ports are correctly forwarded; I can see the incoming traffic on the FG.
Here are the rules:
config firewall service custom
edit "OpenVPN"
set category "Tunneling"
set udp-portrange 1195-1199
next
end
config firewall vip
edit "VIP_pfSense_OpenVPNUDP"
set extintf "wan1"
set portforward enable
set mappedip "192.168.69.156"
set protocol udp
set extport 1195-1199
set mappedport 1195-1199
next
end
config firewall policy
edit 5
set srcintf "wan1"
set dstintf "internal"
set srcaddr "all"
set dstaddr "VIP_pfSense_OpenVPNUDP"
set action accept
set schedule "always"
set service "OpenVPN"
set logtraffic all
next
end
What I get logged:
Date 09/15/2016
Time 21:11:23
Duration 0s
Session ID 24784
Virtual Domain root
NAT Translation Destination
Source
IP 111.111.111.111
Port 48037
Country Switzerland
Interface wan1 (Internet)
Destination
IP 192.168.123.10
NAT IP 192.168.69.156
Port 1195
Country Reserved
Interface internal (Internal)
Application
Name OPENVPN
Category unscanned
Protocol udp
Service OpenVPN
Data
Received Bytes 0 B
Sent Bytes 0 B
Sent Packets 0
Action
Action Deny: policy violation
Threat 131072
Policy 0 (Implicit Deny)
Policy UUID c44ddfe6-7b73-51e6-3350-2b6860c088e1
Policy Type IPv4
Security
Level
Threat Level critical
Threat Score 30
Any help appreciated.
Thank you very much,
bye Kess.
If you try a VIP without port forwarding, does it work then? Other debug output?
You should run a 'diag deb flow' on the FGT in any case.
Hi Ede,
thank you for your reply.
Here's my log:
id=20085 trace_id=102 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=17, 123.123.123.123:54519->192.168.123.10:1195) from wan1. "
id=20085 trace_id=102 func=init_ip_session_common line=4935 msg="allocate a new session-00001cd2"
id=20085 trace_id=102 func=fw_pre_route_handler line=182 msg="VIP-192.168.69.156:1195, outdev-wan1"
id=20085 trace_id=102 func=__ip_session_run_tuple line=2808 msg="DNAT 192.168.123.10:1195->192.168.69.156:1195"
id=20085 trace_id=102 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-192.168.69.156 via internal"
id=20085 trace_id=102 func=fw_forward_handler line=558 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=103 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=17, 123.123.123.123:54519->192.168.123.10:1195) from wan1. "
id=20085 trace_id=103 func=init_ip_session_common line=4935 msg="allocate a new session-00001cde"
id=20085 trace_id=103 func=fw_pre_route_handler line=182 msg="VIP-192.168.69.156:1195, outdev-wan1"
id=20085 trace_id=103 func=__ip_session_run_tuple line=2808 msg="DNAT 192.168.123.10:1195->192.168.69.156:1195"
id=20085 trace_id=103 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-192.168.69.156 via internal"
id=20085 trace_id=103 func=fw_forward_handler line=558 msg="Denied by forward policy check (policy 0)"
It seems correct, but unfortunately something I can't understand goes wrong and the policy is not matched...
Do you understand what's wrong here?
Thank you very much.
Forgot to tell you.
Without Port Forwarding same problem...
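A small analyzer, added here and not part of the thread, that groups 'diag debug flow' lines by trace_id and flags sessions that were DNATed by a VIP yet ended at policy 0 (implicit deny). The sample trace is constructed after the lines posted above, with a second, hypothetical trace_id showing what an allowed session looks like.

```python
import re
from collections import defaultdict

# Constructed sample trace (shape of 'diag debug flow' output as quoted in the thread;
# trace_id 104 is a hypothetical allowed session added for contrast).
SAMPLE_TRACE = """\
id=20085 trace_id=102 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=17, 123.123.123.123:54519->192.168.123.10:1195) from wan1. "
id=20085 trace_id=102 func=init_ip_session_common line=4935 msg="allocate a new session-00001cd2"
id=20085 trace_id=102 func=fw_pre_route_handler line=182 msg="VIP-192.168.69.156:1195, outdev-wan1"
id=20085 trace_id=102 func=__ip_session_run_tuple line=2808 msg="DNAT 192.168.123.10:1195->192.168.69.156:1195"
id=20085 trace_id=102 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-192.168.69.156 via internal"
id=20085 trace_id=102 func=fw_forward_handler line=558 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=104 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=17, 123.123.123.123:54520->192.168.123.10:1195) from wan1. "
id=20085 trace_id=104 func=__ip_session_run_tuple line=2808 msg="DNAT 192.168.123.10:1195->192.168.69.156:1195"
id=20085 trace_id=104 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-192.168.69.156 via internal"
id=20085 trace_id=104 func=fw_forward_handler line=572 msg="Allowed by Policy-5:"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"')
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from ([\w-]+)')
DNAT_RE = re.compile(r'DNAT [\d.:]+->([\d.]+):(\d+)')
ROUTE_RE = re.compile(r'via ([\w-]+)')
VERDICT_RE = re.compile(r'Allowed by Policy-(\d+)|Denied by forward policy check \(policy (\d+)\)')

def parse_trace(text):
    """Collapse the per-packet trace lines into one dict per trace_id."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, func, msg = m.groups()
        s = sessions[tid]
        if func == "print_pkt_detail" and (p := PKT_RE.search(msg)):
            s.update(proto=int(p[1]), src=p[2], dst=p[4], dport=int(p[5]), srcintf=p[6])
        elif (d := DNAT_RE.search(msg)):                    # VIP translated the destination
            s["mapped"] = (d[1], int(d[2]))
        elif func == "vf_ip_route_input_common" and (r := ROUTE_RE.search(msg)):
            s["dstintf"] = r[1]                              # egress interface the policy must name
        elif func == "fw_forward_handler" and (v := VERDICT_RE.search(msg)):
            s["allowed"] = v[1] is not None
            s["policy"] = int(v[1] or v[2])
    return dict(sessions)

def diagnose(sessions):
    """Return (trace_id, hint) for sessions DNATed by a VIP that still hit policy 0."""
    findings = []
    for tid, s in sessions.items():
        if "mapped" in s and s.get("policy") == 0:
            proto = "udp" if s.get("proto") == 17 else "tcp"
            findings.append((tid, f"DNAT to {s['mapped'][0]}:{s['mapped'][1]} hit implicit deny; "
                f"need a policy {s.get('srcintf')}->{s.get('dstintf')} with the VIP as dstaddr "
                f"and a service covering {proto}/{s['mapped'][1]}"))
    return findings
```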
There's no such policy, at least not in CLI.
Policy ID 0 is the "Implicit Deny" policy.
Please check 2 things:
1- VIP
I cannot see from the definition which external address you are translating - surely from the 192.168.123 subnet, right?
2- routing
The FGT must have a route back to the source address of incoming traffic. Please post the 'get route info routing-table' data here. The route to 192.168.123 should be automatic. Then, for arbitrary external source addresses, you need a default route pointing to the ingress interface, gateway 192.168.123.1.
Otherwise the FGT will drop traffic from unknown sources.
Hi Ede,
thanks for the reply.
To answer your questions:
1. I've not set it in the VIP, it's defined as 0.0.0.0. I also tried to set up an IP address to translate (Wan1 IP) but it doesn't change.
2. Default route to gateway is set, as you can see here:
FG61E # get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 192.168.123.1, wan1
S 10.10.0.0/24 [2/0] is directly connected, ssl.root
C 192.168.50.0/24 is directly connected, WiFi-Company
C 192.168.51.0/24 is directly connected, WiFi-Guests
C 192.168.69.0/24 is directly connected, internal
C 192.168.70.0/24 is directly connected, internal
C 192.168.79.0/24 is directly connected, wan2
C 192.168.123.0/24 is directly connected, wan1
Thanks for your help.
Bye Kess
Is there a particular reason why you don't just let the FortiGate handle the routing and remove the extra piece of equipment? (Is this a legit router or is it just one of those modem/gateway things? If it is a modem/gateway, have your ISP throw that thing in transparent / bridge mode and let the Gate handle your needs.) Life will be much simpler and work more often.
Mike Pruett
Hi Mike,
thank you for your reply.
Unfortunately this router must stay in routing mode with NAT enabled. I can set it in PPPoE Passthrough, but I'm going to lose a feature that I don't want to lose, the 4G USB Internet Backup.
Didn't find any solution for that problem, so I decided to factory reset the firewall and to start from scratch again.
I've reconfigured everything again and, miracle, everything is now working correctly.
Thank you all for the time you dedicated to that issue.
Bye Kess.