What am I missing here? My traffic is hitting my WAN address, but is not hitting the LAN. First of all, this is on an old 90D that I am playing with, so it's on its highest release of 6.0.18.
I am trying to hit a server inside my network from the outside. My ISP router is outside the firewall, and has all ports port forwarded. I can see the traffic hit my firewall:
Spirit-FW # diag sniffer pack any "port 22" 4 0 a |
But it won't hit my inside LAN. I have a fully open Any Src / Any Dst / All Services rule in place.
I have a Virtual IP for 192.168.1.17 --> 10.10.5.100 (TCP: 22 --> 22)
Doing a packet capture also confirms the traffic reaches the WAN, but it never hits the LAN interface.
I'm sure that this is something stupidly simple that I am overlooking :(
Thanks in advance
The policy should have the VIP object as destination, and LAN interface as destination interface.
Created on 10-21-2024 08:36 AM Edited on 10-21-2024 09:41 AM
I actually created two rules, one for source specific IP to the VIP object, and then a secondary rule from Any to Any over interfaces WAN1 to LAN. By messing about with things, I'm gradually getting hits.
Hi,
Please refer to this article and make sure your configuration is correct: How to configure VIP access where specifi... - Fortinet Community
Created on 10-21-2024 08:52 AM Edited on 10-21-2024 09:44 AM
This example is for a specific destination. What about when a specific port is required? Suppose I want to route all traffic for HTTPS connections.
As I see it, there are two options:
Option 1 - Tick the Optional Filters and add HTTPS to Services, and in Port Forwarding, add 443
OR
Option 2 - Leave Optional Unticked, tick Port Forwarding, and add 443 as both External Service Port and the Map to Port
Or is there another way that I have missed?
Also, regarding filtering for a specific source, is there any way to filter for a specific source DynDNS name (FQDN) rather than an IP? If I wanted to allow only a specific source to reach a specific server internally, but the source IP could change periodically?
VIPs should only really be used for external access; I've never used them for internal-facing port forwarding. If you're trying to get internal to internal that's segregated via VLAN, then you just need a simple policy and route set up correctly from destination to destination. Throwing a VIP into the equation makes this a bit more complicated than it needs to be.
Why are you saying internal to internal? Even the diag sniffer shows it arrives from a public IP on the WAN1 interface. Or am I missing something?
Hello,
You can try to run the debug commands with the public IP address of your test machine, as that will give you a clear idea of what is missing on the configuration part.
[code]
# diagnose debug reset
# diagnose debug flow filter addr x.x.x.x [public IP address of your test machine]
# diagnose debug flow show function-name enable
# diagnose debug console timestamp enable
# diagnose debug flow trace start 999
# diagnose debug enable
--- try to generate the traffic from the test machine to the external IP address of the VIP ---
# diagnose debug disable ---- to stop the debug
[/code]
Hi, also attach your configuration related to the VIP to make sure the policies are correct and the VIP is configured correctly.
Created on 10-23-2024 02:02 PM Edited on 10-23-2024 02:08 PM
Hi again,
While I have got VIP from any IP working OK, I just cannot get VIP with a specific SOURCE working. The source connects to a public ISP IP which port forwards all ports to the WAN1 IP address of 192.168.1.17. The VIP points this IP at 10.10.5.111. I am trying to connect on port 9000.
Here is the config:
[code]
config firewall vip
edit "Spirit-Portainer"
set uuid 75bbf530-8fc8-51ef-df2a-8a35661cf4f2
set src-filter "193.147.205.221"
set service "TCP-9000"
set extip 192.168.1.17
set extintf "wan1"
set portforward enable
set mappedip "10.10.5.111"
set mappedport 9000
next
end
[/code]
and then
[code]
config firewall policy
edit 17
set name "Spirit-Portainer"
set uuid 73b5e1e0-8fca-51ef-d361-71437267bdf5
set srcintf "wan1"
set dstintf "Mgmt"
set srcaddr "championc"
set dstaddr "Spirit-Portainer"
set action accept
set schedule "always"
set service "TCP-9000"
set logtraffic all
set fsso disable
set comments "Specific Source to port 9000"
next
end
[/code]
and
[code]
config firewall address
edit "championc"
set uuid c3dad6c2-8fd3-51ef-7151-8db0818b9447
set associated-interface "wan1"
set subnet 193.147.205.221 255.255.255.255
next
end
[/code]
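As an added illustration (not code from the thread or from Fortinet), here is a small Python model of the order in which FortiOS applies the objects posted above: the VIP's DNAT (including its src-filter) is evaluated first, then the policy lookup runs on the translated flow, so a mismatch at either stage explains why a packet seen on wan1 never reaches the LAN. The TCP-9000 service definition and a route for 10.10.5.0/24 via Mgmt are assumptions, and src-filter is handled only as a single host/CIDR.

```python
from ipaddress import ip_address, ip_network
# Constructed: TCP-9000 is named but never defined in the thread; 10.10.5.0/24 is assumed routed via "Mgmt"
SERVICES = {"TCP-9000": 9000, "HTTPS": 443, "ALL": None}   # None = any port
ROUTES = {"10.10.5.0/24": "Mgmt"}
# Posted VIP/policy/address objects (uuids dropped); ';' stands in for a newline only to keep this short
SAMPLE = """config firewall vip; edit "Spirit-Portainer"; set src-filter "193.147.205.221"
set service "TCP-9000"; set extip 192.168.1.17; set extintf "wan1"; set portforward enable
set mappedip "10.10.5.111"; set mappedport 9000; next; end
config firewall policy; edit 17; set srcintf "wan1"; set dstintf "Mgmt"; set action accept
set srcaddr "championc"; set dstaddr "Spirit-Portainer"; set service "TCP-9000"; next; end
config firewall address; edit "championc"; set subnet 193.147.205.221 255.255.255.255; next; end"""

def parse_fortios(text):
    """Turn 'config <table> / edit <name> / set k v / next / end' into nested dicts."""
    objs, table, name = {}, None, None
    for stmt in (s.strip() for s in text.replace(";", "\n").splitlines()):
        if stmt.startswith("config "):
            table = stmt[7:]
        elif stmt.startswith("edit "):
            name = stmt[5:].strip('"')
            objs.setdefault(table, {})[name] = {}
        elif stmt.startswith("set "):
            key, _, val = stmt[4:].partition(" ")
            objs[table][name][key] = val.strip('"')
    return objs

def match_inbound(cfg, src, dst, dport, ingress):
    """FortiOS order: VIP DNAT first, then policy lookup on the translated flow."""
    src, dst = ip_address(src), ip_address(dst)
    for vname, vip in cfg["firewall vip"].items():
        if (vip.get("extintf") != ingress or ip_address(vip["extip"]) != dst
                or SERVICES[vip.get("service", "ALL")] not in (None, dport)):
            continue
        if "src-filter" in vip and src not in ip_network(vip["src-filter"]):
            return vname, None, f"source {src} rejected by src-filter, no DNAT"
        mapped_ip, mapped_port = ip_address(vip["mappedip"]), int(vip.get("mappedport", dport))
        break
    else:
        return None, None, "no VIP matches this external IP/port on this interface"
    egress = next((i for n, i in ROUTES.items() if mapped_ip in ip_network(n)), None)
    for pid, pol in cfg["firewall policy"].items():
        if (pol["srcintf"] != ingress or pol["dstintf"] != egress
                or pol["dstaddr"] not in ("all", vname)
                or SERVICES[pol["service"]] not in (None, mapped_port)):
            continue
        # resolve the srcaddr object (no object, e.g. "all", means 0.0.0.0/0)
        sa = cfg["firewall address"].get(pol["srcaddr"], {}).get("subnet", "0.0.0.0 0.0.0.0")
        if src not in ip_network(sa.replace(" ", "/")):
            continue
        return vname, pid, f"DNAT to {mapped_ip}:{mapped_port}, allowed by policy {pid}"
    return vname, None, "VIP matched but no policy accepts the translated flow"
```

Running `match_inbound(parse_fortios(SAMPLE), "193.147.205.221", "192.168.1.17", 9000, "wan1")` walks the posted objects to policy 17, while a different source IP stops at the src-filter before any DNAT happens.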
Copyright 2024 Fortinet, Inc. All Rights Reserved.