Support Forum
Not applicable

Port range forwarding

When creating VIPs using Port Forwarding (not Static NAT), it's not possible to enter a range of ports; each has to be entered separately. If there is an application that uses a range of, say, 25 ports (e.g. 2101-2125), each of them would have to be entered separately. That's a lot of work and clutter, where a quick fix would allow for entering ranges. Thanks, PRL
kevanbrown
New Contributor

Vonage is now working for me through my Fortigate-60, which is running MR10. But exactly where have you seen that the MR10 FortiOS supports port range forwarding? I just tried, both through the web UI and the console, every syntax I've seen them use for ranges in other places and any I could imagine; none worked. The extport and mappedport fields accept only a single integer value, not a range.
Not applicable

When you define a new service it seems you can define port ranges. So for Vonage I am assuming you could simply define your ports and port ranges, bundle them into a service group and use that in your policy/rule... TJ
kevanbrown
New Contributor

I don't think you completely understand the issue with port range forwarding. See, you are talking about port ranges for service definition, which is something that is very useful indeed. However, what we are discussing is the lack of ability to use a port range when defining a port-forwarding "virtual IP". Remember, there are two types of "virtual IPs" you can define: Static NAT and Port Forwarding. Currently, when you define a port-forwarding "virtual IP", you can only specify a single external and mapped port.
Not applicable

Kevan, how did you get your Vonage working without being able to do port forwarding ranges? I assume outbound calls will work, but for the life of me I cannot understand how inbound can work. I have registered my Linksys unit and have yet to hook it up (just got it), but have been trying to figure this part out. It would be somewhat OK if I could even do a dynamic static NAT VIP (yes, an oxymoron), but since this is a unit I am using at home, where our external IP can change from time to time, static NAT VIP as it currently is doesn't help either.
Not applicable

Well, looks like I answered my own question: it just works. I can dial in and out; I don't understand how. I had already created some port forwardings for 5060-5061, 53 and 69, but not the massive 10000-20000 range, so not sure if those help; will remove them later and see if it still works. Also have a policy from wan1 -> internal to the IP of the Linksys adapter allowing in the required ports. (This is a FW-60, BTW.)
Not applicable

In my FWF60 I didn't need any rules. Crazy, I know (and kinda unnerving). TJ
Adrian_Lewis
Contributor

If you've been told to open port 5060 by Vonage, it sounds like SIP to me. The Fortinets will actually read and understand a certain amount of SIP messaging and open the relevant ports for you. It's called an ALG, or Application Layer Gateway. I don't know the ins and outs of the Vonage service, but doing things this way is a much more secure way than just opening huge ranges to accommodate 'unusual' protocols. Having said all that, I'd still like to see port ranges for port forwarding VIPs. How about protocol/type numbers as well for non-TCP/UDP traffic like GRE and ICMP etc.?
Geardo
New Contributor

Port-range VIPs can be added via the CLI:

config firewall vip
    edit "VIPNAME"
        set extip "x.x.x.x"
        set mappedip "x.x.x.x"
        set extintf "any"
        set portforward enable
        set extport 21000-21511
        set mappedport 21000-21511
    next
end
Geardo
New Contributor

Port ranges can be added via the CLI:

config firewall vip
    edit "VIPNAME"
        set extip "x.x.x.x"
        set mappedip "x.x.x.x"
        set extintf "any"
        set portforward enable
        set extport 2101-2125
        set mappedport 2101-2125
    next
end
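An added example (not from this thread, and not Fortinet code) that generates the `config firewall vip` text shown above for the original poster's 2101-2125 case, and also does the pre-range workaround the thread complains about: one single-port VIP per port plus a `vipgrp` so a single policy can reference them all. The addresses, VIP names and the `wan1` interface are constructed sample values. It assumes, as a check before emitting anything, that a 1:1 port-forward needs external and mapped ranges of equal size and that only tcp/udp are wanted, since a port-forwarding VIP is per protocol.

```python
# Added example: generate and sanity-check a FortiOS port-forward VIP.
# Not Fortinet's code; addresses, names and interface are constructed.
from dataclasses import dataclass
import ipaddress

PortRange = tuple[int, int]   # inclusive (low, high)


def fmt_range(r: PortRange) -> str:
    """FortiOS writes a single port as '2101' and a range as '2101-2125'."""
    lo, hi = r
    return str(lo) if lo == hi else f"{lo}-{hi}"


@dataclass(frozen=True)
class PortForwardVip:
    name: str
    extip: str
    mappedip: str
    extport: PortRange
    mappedport: PortRange
    protocol: str = "tcp"     # a port-forward VIP is per protocol: tcp or udp
    extintf: str = "wan1"     # constructed; the thread's posts use "any"

    def validate(self) -> None:
        ipaddress.ip_address(self.extip)       # raises ValueError on junk
        ipaddress.ip_address(self.mappedip)
        if self.protocol not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {self.protocol!r}")
        for lo, hi in (self.extport, self.mappedport):
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range {lo}-{hi}")
        # Assumption (stated in the lead-in): a 1:1 mapping needs external
        # and mapped ranges of the same size.
        if self.extport[1] - self.extport[0] != self.mappedport[1] - self.mappedport[0]:
            raise ValueError("external and mapped port ranges differ in size")

    def cli(self) -> str:
        """The CLI block, validated first so it is not rejected half-way in."""
        self.validate()
        return "\n".join([
            "config firewall vip",
            f'    edit "{self.name}"',
            f"        set extip {self.extip}",
            f'        set extintf "{self.extintf}"',
            "        set portforward enable",
            f"        set protocol {self.protocol}",
            f'        set mappedip "{self.mappedip}"',
            f"        set extport {fmt_range(self.extport)}",
            f"        set mappedport {fmt_range(self.mappedport)}",
            "    next",
            "end",
        ])


def expand_single_port(vip: PortForwardVip) -> list[PortForwardVip]:
    """The pre-range workaround: one VIP per port, for firmware whose extport
    takes a single integer. Names are suffixed with the external port."""
    vip.validate()
    offset = vip.mappedport[0] - vip.extport[0]
    return [
        PortForwardVip(f"{vip.name}_{p}", vip.extip, vip.mappedip,
                       (p, p), (p + offset, p + offset), vip.protocol, vip.extintf)
        for p in range(vip.extport[0], vip.extport[1] + 1)
    ]


def vip_group_cli(name: str, vips: list[PortForwardVip]) -> str:
    """A vipgrp so one firewall policy can reference all the single-port VIPs."""
    members = " ".join(f'"{v.name}"' for v in vips)
    return "\n".join(["config firewall vipgrp", f'    edit "{name}"',
                      f"        set member {members}", "    next", "end"])


if __name__ == "__main__":
    vip = PortForwardVip("VIPNAME", "203.0.113.5", "10.0.0.5", (2101, 2125), (2101, 2125))
    print(vip.cli())
    singles = expand_single_port(vip)
    print("\n".join(v.cli() for v in singles))
    print(vip_group_cli("VIPNAME_grp", singles))
```

Whichever form is used, the VIP on its own admits nothing: it only becomes reachable when a wan-to-internal policy names it (or the vipgrp) as the destination, which is the policy the FW-60 poster above describes adding. Keeping that policy's service restricted to the same ports, rather than ALL, is the check worth making after pasting the generated config.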