Just inherited a site with Fortigate 60E. Old firmware 5.4.5 will be updated but now just need to get remote access using OpenVPN. All indications are port forwarding not working. Have read lots of docs and viewed numerous videos and tried assorted combinations but none work. (I use OpenVPN to other server sites, and similar routers (sonicwall)). Here are some of the address objects and policy combinations I've tried. Thanks.
T
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
To answer your question about VIP and named addresses as destination. They have different roles, first one should be used when you are trying to grant access to a port fwd from the Internet to your server/services in LAN, the last is when you are need to create firewall rules between different interfaces locally, LAN1 > LAN2 , LAN1 > WAN, etc.
Is your WAN having a static IP or is it via PPPoE/DHCP ? I would recommend if it's a static IP to have in the VIP configuration of OpenVPN2, manually entering the public IP addr in the external address range.
Also, the firewall policy should look like, wan > lan , all > VIP .
I assume that the local subnet 192.168.1.0/24 is defined locally on internal1 interface and not on another one, right ?
You can run the following commands to see if the traffic on port UDP/1194 is reaching the firewall and if it's permitted.
diag debug en
diag debug flow filter saddr <pub ip of initiatior>
diag debug flow filter daddr <private ip of openvpn srv>
diag debug flow trace start 100
afterwards, you can stop it with
diag debug flow trace stop
diag debug disable
Hello @Techontop ,
You can review the below document for your situation. If you apply these steps in the document you can access your vpn server from outside.
You can't create a policy with an address object when you want to allow connection from outside. You need to create with the VIP object.
Also in the VIP object, you need to configure your public IP or public side interface address.
0.0.0.0 will not be working in the VIP object.
You don't need to do anything to change. Click ok to apply all changing.
If you want to trace the package on the Firewall you can use this command.
diagnose sniffer packet any 'host x.x.x.x' 4 a
Hello @Techontop ,
First, you need to change the external IP address range area in vip setting. This IP address should be your wan1 IP address.
After that, you need to use this VIP object on the firewall policy in the destination area.
And also you can review this document about VIP configuration.
Hello,
The logic should be the same as in the below KB article:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configurati...
Also found this old document for 5.4 if helps:
https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/657500/using-virtual-ips-to-configure-po...
Hope this helps!
Enea
ozkanaltas and ezhupa,
Thanks. I think the suggestions are things I've tried or looks like they apply but not for my case.
The VIP OpenVPN2 that has wan as interface is because the label "interface" is ambiguous so I made OpenVPN with interface Lan and OpenVPN2 with interface Wan and would experiment alternating between them as I tried things. I do want it accessible from anywhere so I've left External as 0.0.0.0
The link to the 5.4 doc is good because all the examples I've seen show setting a firewall policy but this Fortigate and revision doesn't have Firewall but does have similar policy menu under IPV4 Policy. That doc references setting specific external IPs whereas I'm using 0.0.0.0 but other than that it's what I'm already doing.
Does it matter if I use a VIP or a named Address object as the Destination? Looks like it should work either way.
BTW Windows Firewall port is open. OpenVPN log on server side shows ready and no activiy, no errors.
I looked at Fortigate logs but no info. Is there a way to log and see if Fortigate gets a request but rejects it? I could dig into WireShark but if router can log its own related actions that's better.
Thanks.
And is there something else I need to do to make changes take effect (besides just hitting okay at the bottom of it)? I tried turning ping on and off on the wan interface yet it still responds even when off. Like it shows I made a change but it hasn't happened yet.
Hi,
To answer your question about VIP and named addresses as destination. They have different roles, first one should be used when you are trying to grant access to a port fwd from the Internet to your server/services in LAN, the last is when you are need to create firewall rules between different interfaces locally, LAN1 > LAN2 , LAN1 > WAN, etc.
Is your WAN having a static IP or is it via PPPoE/DHCP ? I would recommend if it's a static IP to have in the VIP configuration of OpenVPN2, manually entering the public IP addr in the external address range.
Also, the firewall policy should look like, wan > lan , all > VIP .
I assume that the local subnet 192.168.1.0/24 is defined locally on internal1 interface and not on another one, right ?
You can run the following commands to see if the traffic on port UDP/1194 is reaching the firewall and if it's permitted.
diag debug en
diag debug flow filter saddr <pub ip of initiatior>
diag debug flow filter daddr <private ip of openvpn srv>
diag debug flow trace start 100
afterwards, you can stop it with
diag debug flow trace stop
diag debug disable
Hello @Techontop ,
You can review the below document for your situation. If you apply these steps in the document you can access your vpn server from outside.
You can't create a policy with an address object when you want to allow connection from outside. You need to create with the VIP object.
Also in the VIP object, you need to configure your public IP or public side interface address.
0.0.0.0 will not be working in the VIP object.
You don't need to do anything to change. Click ok to apply all changing.
If you want to trace the package on the Firewall you can use this command.
diagnose sniffer packet any 'host x.x.x.x' 4 a
I think I have some expired TLS issues to deal with. After that I suspect this will work. Thanks.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.