Support Forum
Allwyn_Mascarenhas

Port forward from LAN-1 using WAN-1 internet to LAN-2 using WAN-2 internet on the same for

As seen in the diagram, is such a network setup possible? The port forwarding works just fine when I try it from an internet connection somewhere outside my office, but it times out when trying it from the 6.0 network.


I am also using a policy route to force the 6.0 traffic through wan1. I tried various ways to access the 5.0 network through internal routing itself, but that did not work out either. Not sure what I am missing. I appreciate all help, thanks.


ede_pfau
SuperUser

Both ways should be possible.

To reach LAN2 from LAN1, you need

- the route automatically added by FortiOS for the subnet behind LAN2

- a policy allowing traffic from LAN1 to LAN2


The policy route will be effective before FOS looks at the regular route. If you force ALL traffic out WAN1 then you won't be able to go this way. Try to exempt traffic destined to LAN2 from the policy route (e.g. by putting a second policy route on top of it, forcing traffic to LAN2 to ... well, LAN2).


Even if this doesn't lead to a successful connection, traffic should be able to reach WAN2 via your ISPs. Then you would need a policy allowing traffic from LAN1 to WAN1, and incoming traffic from WAN2 to LAN2. Please check that for the first (outbound) policy NAT is enabled!

Ede Kernel panic: Aiee, killing interrupt handler!
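The exemption route and the LAN1-to-LAN2 policy described above, as an added FortiOS CLI example that is not from the original post. Interface names lan1/lan2/wan1, the 192.168.6.0/24 source subnet, the address object name and the wan1 gateway address are assumptions taken from the diagram labels; the point is that policy routes are matched top-down before the routing table, so the specific entry for 192.168.5.101 must sit above the catch-all that sends the 6.0 subnet to wan1.

```fortios
# Assumed names: lan1 = 192.168.6.0/24, lan2 = 192.168.5.0/24, wan1 = ISP 1.
# Address object for the server behind LAN2.
config firewall address
    edit "srv-5.101"
        set subnet 192.168.5.101 255.255.255.255
    next
end
# Policy routes are matched top-down and consulted before the routing
# table, so the exemption for 5.101 must sit above the catch-all to wan1.
config router policy
    edit 1
        set input-device "lan1"
        set src "192.168.6.0/255.255.255.0"
        set dst "192.168.5.101/255.255.255.255"
        set output-device "lan2"
    next
    edit 2
        set input-device "lan1"
        set src "192.168.6.0/255.255.255.0"
        # placeholder gateway; use the real WAN1 next hop
        set gateway 203.0.113.1
        set output-device "wan1"
    next
end
# If the catch-all already exists as entry 1, create the exemption as a new
# entry and reorder it:  config router policy / move <new> before 1 / end
# Firewall policy LAN1 -> server; no NAT is needed between internal subnets.
config firewall policy
    edit 10
        set name "lan1-to-srv"
        set srcintf "lan1"
        set dstintf "lan2"
        set srcaddr "all"
        set dstaddr "srv-5.101"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
# A reverse policy (lan2 -> lan1) is only needed for sessions the server
# itself opens; replies to LAN1-initiated sessions are allowed statefully.
# Verify where a test packet from LAN1 is actually routed:
diagnose debug flow filter addr 192.168.5.101
diagnose debug flow trace start 10
diagnose debug enable
```

The debug flow output names the policy route and firewall policy a packet matched, which is the quickest way to see whether the catch-all to wan1 is still winning.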
Allwyn_Mascarenhas

ede_pfau wrote:

Both ways should be possible.

To reach LAN2 from LAN1, you need

- the route automatically added by FortiOS for the subnet behind LAN2

- a policy allowing traffic from LAN1 to LAN2


The policy route will be effective before FOS looks at the regular route. If you force ALL traffic out WAN1 then you won't be able to go this way. Try to exempt traffic destined to LAN2 from the policy route (e.g. by putting a second policy route on top of it, forcing traffic to LAN2 to ... well, LAN2).


Even if this doesn't lead to a successful connection, traffic should be able to reach WAN2 via your ISPs. Then you would need a policy allowing traffic from LAN1 to WAN1, and incoming traffic from WAN2 to LAN2. Please check that for the first (outbound) policy NAT is enabled!

Hi, thanks for the response.

Yes, the policy route forcing traffic from 6.0 to wan1 doesn't allow traffic to LAN2.


And I need all machines on the 6 subnet to be able to access the 5.101 IP address, either through port forwarding or directly.


So should I put a policy route with destination 5.101 and drag it above the route for wan1?


ede_pfau
SuperUser

Yes.

Or follow my second suggestion.

Ede Kernel panic: Aiee, killing interrupt handler!
Allwyn_Mascarenhas

ede_pfau wrote:

Yes.

Or follow my second suggestion.

Adding a policy route for 5.101 WAS the 2nd solution, right? The first is not possible since I'm using a policy route for the 6 subnet -> wan1.

Allwyn_Mascarenhas

ede_pfau wrote:

Yes.

Or follow my second suggestion.

I tried this method:

I created firewall policies from lan1-lan2 (all -> 5.101) and lan2-lan1 (5.101 -> all), and a policy route from 6.0 to destination 5.101, pushing it out through lan2's interface with the gateway as 0/0.

I still can't ping or access the 5.101 server from the lan1 subnet.

rwpatterson

You won't be able to PING the VIP through the WAN2 unless it's a NON port-forwarded VIP.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Allwyn_Mascarenhas

rwpatterson wrote:

You won't be able to PING the VIP through the WAN2 unless it's a NON port-forwarded VIP.

Hi, I am not trying to ping it through the VIP but through my LAN itself. As I said in my last comment, I enabled policies and routing for 5.101 from lan1, so I should be able to ping it, right?

ede_pfau
SuperUser

A port-forwarding VIP won't let ICMP pass to the internal server as ICMP is not port-based.

Switch to a non-port forwarding VIP to test if you can ping the server, or connect to the server with the protocol you have allowed.

This is true for all versions except v5.2.4 where Fortinet changed this behavior: ICMP is now implicitly allowed through a port-forwarding VIP.

Ede Kernel panic: Aiee, killing interrupt handler!
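The two VIP types contrasted in the reply above, as an added FortiOS CLI example that is not from the thread. The interface name wan2 and the external address 198.51.100.10 are placeholders; the server address and port 8888 are the ones given in the thread. Apply one VIP or the other, not both, since they share the external address.

```fortios
# Port-forwarding VIP: matches only TCP to external port 8888. An ICMP echo
# to the external address has no port, never matches it, and the ping times
# out even though TCP 8888 works.
config firewall vip
    edit "srv-8888-pf"
        set extintf "wan2"
        set extip 198.51.100.10
        set mappedip "192.168.5.101"
        set portforward enable
        set protocol tcp
        set extport 8888
        set mappedport 8888
    next
end
# Static NAT VIP (no port forwarding): one-to-one mapping for every protocol,
# so ICMP reaches the server and ping can be used as a reachability test.
# It also exposes every port the firewall policy's service allows, so keep
# the policy's service narrow rather than "ALL" if this VIP stays in place.
config firewall vip
    edit "srv-static"
        set extintf "wan2"
        set extip 198.51.100.10
        set mappedip "192.168.5.101"
    next
end
# Confirm which VIP a test packet matches, or that none does:
diagnose debug flow filter addr 198.51.100.10
diagnose debug flow trace start 10
diagnose debug enable
```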
Allwyn_Mascarenhas

ede_pfau wrote:

A port-forwarding VIP won't let ICMP pass to the internal server as ICMP is not port-based.

Switch to a non-port forwarding VIP to test if you can ping the server, or connect to the server with the protocol you have allowed.

This is true for all versions except v5.2.4 where Fortinet changed this behavior: ICMP is now implicitly allowed through a port-forwarding VIP.

Hi, I am trying to ping between two interfaces by making forward and reverse policies and policy routing. I am not getting what pinging a VIP means. Are you thinking I am trying to ping with "ping public-ip:port"?


I have both subnets on the FGT, which use different WAN connections. The 192.168.5.101 server is the one I need to access from the 6 subnet. It is accessible through the internet on wan:8888 -> 192.168.5.101 using a VIP, but it doesn't work from the 6 subnet.
