Port Forwarding with static route to IPSEC tunnel

Hi all,


On a new FortiGate 40F, I configured a Virtual IP with port forwarding and a policy for the cameras' NVR, and it worked: I succeeded in reaching them from outside the network.


The problem is that all the computers on the LAN should access the internet via the IPsec tunnel (to be recognized by a different external IP address), so I configured a static route to with the IPsec interface and then policies from LAN to the IPsec interface and vice versa with NAT disabled.

The IPsec Phase 2 is from the LAN subnet to as well.


The computers can access the internet successfully, but the cameras aren't reachable, and I also can't access the web management interface of the firewall from outside.

I tried to configure some policy routes, but it's still not working.


Does anyone have an idea how I can make this work?



My first thought here would be to check the routing table and ensure that all local routes have a lower distance than the default gateway. A traceroute from a non-working source should confirm the bad route.

You've created asymmetric routing. The traffic is coming into the FortiGate and being port forwarded, but the return traffic is going across the tunnel and out via a different public IP.


You either need to set up policy routes for the camera(s) to go directly out to the internet, or set up the port forwarding on the other side of the tunnel.


Same reason for not being able to externally manage it anymore. Traffic is being returned over the IPsec tunnel. As it is (unless you have other routes) it cannot access the internet unless that tunnel is up. And, if you didn't create a static route for the IP of the other end of the tunnel, it may not come back up if it goes down.

Or, add a local static default route with a higher priority number in addition to the default route toward the tunnel (priority 0 by default), so that the incoming access to the camera from the local WAN interface via the VIP can go back out the local WAN instead of going across the tunnel.
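The pieces the replies above describe, written out as a FortiOS CLI example. This is an added illustration, not configuration from the thread or from Fortinet; every interface name (`wan1`, `lan`, `to-hq`), address (RFC 5737 documentation ranges) and object name is a constructed assumption and must be swapped for the real values. It covers the host route to the remote IPsec gateway, the two default routes with different priority values so that replies to sessions arriving on the WAN (the VIP and the HTTPS admin interface) leave via the WAN, the port-forwarding VIP limited to a single port, the inbound policy, and, as the reply's first alternative, a policy route pinning the NVR's own outbound traffic to the WAN.

```fortios
# Added example, not from the thread. Constructed assumptions:
#   wan1   = Internet-facing interface, 203.0.113.10/24, next hop 203.0.113.1
#   lan    = local LAN 192.168.1.0/24; NVR at 192.168.1.50
#   to-hq  = route-based IPsec tunnel interface; remote gateway 198.51.100.5

config router static
    # 1. Keep the remote IPsec peer reachable via the local WAN no matter
    #    which default route is preferred, so the tunnel can re-establish
    #    after it drops.
    edit 1
        set dst 198.51.100.5 255.255.255.255
        set gateway 203.0.113.1
        set device "wan1"
    next
    # 2. Default route through the tunnel. Lowest priority value wins for
    #    LAN-originated traffic when distances are equal.
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "to-hq"
        set distance 10
        set priority 0
    next
    # 3. Second default route via the local WAN: same distance, higher
    #    priority number. Both routes stay active, so replies to sessions
    #    that entered on wan1 go back out wan1 instead of across the tunnel.
    edit 3
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 20
    next
end

# 4. Port-forwarding VIP for the NVR: a single port, not 1:1 NAT.
config firewall vip
    edit "VIP-NVR-RTSP"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.1.50"
        set protocol tcp
        set extport 554
        set mappedport 554
    next
end

# 5. Inbound policy wan1 -> lan for the VIP only, with logging so
#    external access to the NVR shows up in the traffic log.
config firewall policy
    edit 10
        set name "Inbound-NVR"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "VIP-NVR-RTSP"
        set action accept
        set schedule "always"
        set service "RTSP"
        set logtraffic all
    next
end

# 6. Alternative to step 3: a policy route that sends traffic originated
#    by the NVR itself out wan1 while the rest of the LAN keeps the tunnel.
config router policy
    edit 1
        set input-device "lan"
        set src "192.168.1.50/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 203.0.113.1
        set output-device "wan1"
    next
end
```

After applying this, `get router info routing-table all` should list both default routes as active; if only the tunnel route appears, the distances differ and the WAN route is not being installed, which reproduces the asymmetric-return problem described above.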


Thanks for your comments.


I already tried to configure policy routes for the NVR, from WAN to LAN and from LAN to WAN, and it still didn't work.

Maybe I should set the policy route from WAN to WAN?


I will also try the static route to the original WAN interface with a higher priority.

