Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: SMTP to the mail server from 2 WAN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SMTP to the mail server from 2 WAN
Hi everyone,
I have a dual WAN scenario - on WAN1 VIP on port 25 to the server on internal.
I' d like to setup a disaster scenario in case that WAN1 goes down so we can continue business through WAN2.
The problem is that I obviously can' t setup another VIP on port 25. How to go around that? How do you solve those problems?
I had a lok in kb http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31240&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=21224799&stateId=0%200%2021226533
but that' s a bit different issue as it uses WAN2 solely for SMTP.
FW is v4.0,build0291,100824 (MR2 Patch 2)
Thank you.
Quality of your life depends on the quality of the questions you ask.
Quality of your life depends on the quality of the questions you ask.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
AFIAK you can a static NAT on both WAN Interfaces, not sure whether this works with port forwardiung (but shouldn' t it as well?)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
you can create 2 VIPs from different public IPs to the same internal IP. In case of emergency you' d have to change the DNS MX record to specify your WAN2 public IP instead of the WAN1 IP.
Of course you need the same set of policies from WAN2 to internal and vice versa.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ede:
You are rightm, but a short test shows that when you do port forwarding it says duplicate Entry, when having WAN1/0.0.0.0:443 and you try to created WAN2/0.0.0.0:443
This may work when you have static ip adresses, and therefore a static external Adress but fails (at least in my test ) when you have two dial-up- lines. (tested with 4.1.9)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, there seems to always be an exception. I had no clue that the OP was talking about dynamic WAN IPs.
Juraj, do you?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have found a while ago the the FGT units treat 0.0.0.0 as an address (as opposed to a subnet), so having this on both interfaces leads to the ' duplicate' error. very dumb, IMO...
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ede_pfau no, both WAN addresses are static
@rwpatterson that' s because of the port, not the address. I' ve found that no matter what device, you can only setup one VIP for one port so if I have 25 on WAN1 I can' t setup 25 on WAN2...
Quality of your life depends on the quality of the questions you ask.
Quality of your life depends on the quality of the questions you ask.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just configured both WAN lines to map a higher port to port 22 for ssh, to the same internal host. No problem. You cannot specify the wildcard ' 0.0.0.0' on both interfaces but you can use one wildcard and one static IP.
And even with 3 identical mappings to the same host and port I do not have any problems - just added a VIP on ' internal' . So I have VIPs on one wildcard IP and 2 static IPs.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aha, OK.
but the problem is that I need to be able to receive emails from everyone, not just one IP address which means that I need to have both as 0.0.0.0 or something that' ll guarantee me to receive emails from everyone.
Is there a wildcard that' ll give me such option?
Quality of your life depends on the quality of the questions you ask.
Quality of your life depends on the quality of the questions you ask.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe there' s a little confusion about the ' wildcard' IP.
A VIP maps an external IP to another (usually internal) IP. The external IP might be a single host address (a.b.c.d/32) or a subnet.
In your example if you host an internal mail server you map a single external IP to it which is specified in the MX record of your DNS setup.
If your ISP provides one public static IP only, this is the external address of your Fortigate. You can use it in a port-forwarding VIP to direct SMTP (or other services) to your internal mail server. You cannot use a VIP without port forwarding in this case (as you have to share this one address for many different services).
If the ISP provides a public subnet (like 1.2.3.4/28 with 16 addresses) you use one of these public addresses for your mailserver. This usually will not be the FGT' s WAN IP. The FGT will proxy-arp for it and redirect all traffic with this destination IP to the internal IP given in the VIP. This might use port forwarding or not.
Often the ISP assigns one public dynamic IP address to you; then you cannot specify it in the VIP definition. To enable use of the public IP you can use the ' 0.0.0.0' wildcard meaning ' traffic to the actual external IP address at this moment will be mapped to the internal address' .
A VIP only handles destination address(es) not source addresses. What you are concerned about are source addresses of hosts sending mails to your server. As a VIP doesn' t touch source addresses you don' t need to be concerned about it here.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
Labels
-
FortiGate
8,464 -
FortiClient
1,712 -
5.2
801 -
FortiManager
710 -
5.4
639 -
FortiAnalyzer
547 -
FortiAP
457 -
FortiSwitch
456 -
6.0
416 -
FortiClient EMS
407 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
219 -
FortiWeb
199 -
5.0
196 -
IPsec
185 -
FortiNAC
176 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
70 -
4.0MR3
64 -
FortiProxy
59 -
FortiADC
53 -
Fortivoice
52 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
44 -
FortiSandbox
43 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
FortiSOAR
13 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1660 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.