Juraj
New Contributor

SMTP to the mail server from 2 WAN

Hi everyone, I have a dual WAN scenario - on WAN1 VIP on port 25 to the server on internal. I'd like to setup a disaster scenario in case that WAN1 goes down so we can continue business through WAN2. The problem is that I obviously can't setup another VIP on port 25. How to go around that? How do you solve those problems? I had a look in kb http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31240&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=21224799&stateId=0%200%2021226533 but that's a bit different issue as it uses WAN2 solely for SMTP. FW is v4.0,build0291,100824 (MR2 Patch 2) Thank you.
Quality of your life depends on the quality of the questions you ask.
Jan_Scholten
Contributor

AFAIK you can do a static NAT on both WAN interfaces, not sure whether this works with port forwarding (but shouldn't it as well?)
ede_pfau
SuperUser

Hi, you can create 2 VIPs from different public IPs to the same internal IP. In case of emergency you'd have to change the DNS MX record to specify your WAN2 public IP instead of the WAN1 IP. Of course you need the same set of policies from WAN2 to internal and vice versa.
Ede Kernel panic: Aiee, killing interrupt handler!
Jan_Scholten
Contributor

@ede: You are right, but a short test shows that when you do port forwarding it says duplicate entry when having WAN1/0.0.0.0:443 and you try to create WAN2/0.0.0.0:443. This may work when you have static IP addresses, and therefore a static external address, but fails (at least in my test) when you have two dial-up lines. (tested with 4.1.9)
ede_pfau
SuperUser

yes, there seems to always be an exception. I had no clue that the OP was talking about dynamic WAN IPs. Juraj, do you?
Ede Kernel panic: Aiee, killing interrupt handler!
rwpatterson
Valued Contributor III

I have found a while ago that the FGT units treat 0.0.0.0 as an address (as opposed to a subnet), so having this on both interfaces leads to the 'duplicate' error. Very dumb, IMO...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Juraj
New Contributor

@ede_pfau no, both WAN addresses are static.
@rwpatterson that's because of the port, not the address. I've found that no matter what device, you can only setup one VIP for one port so if I have 25 on WAN1 I can't setup 25 on WAN2...
Quality of your life depends on the quality of the questions you ask.
ede_pfau
SuperUser

I just configured both WAN lines to map a higher port to port 22 for ssh, to the same internal host. No problem. You cannot specify the wildcard '0.0.0.0' on both interfaces but you can use one wildcard and one static IP. And even with 3 identical mappings to the same host and port I do not have any problems - just added a VIP on 'internal'. So I have VIPs on one wildcard IP and 2 static IPs.
Ede Kernel panic: Aiee, killing interrupt handler!
Juraj
New Contributor

Aha, OK. But the problem is that I need to be able to receive emails from everyone, not just one IP address, which means that I need to have both as 0.0.0.0 or something that'll guarantee me to receive emails from everyone. Is there a wildcard that'll give me such option?
Quality of your life depends on the quality of the questions you ask.
ede_pfau
SuperUser

Maybe there's a little confusion about the 'wildcard' IP. A VIP maps an external IP to another (usually internal) IP. The external IP might be a single host address (a.b.c.d/32) or a subnet. In your example, if you host an internal mail server you map a single external IP to it, which is specified in the MX record of your DNS setup.

If your ISP provides one public static IP only, this is the external address of your Fortigate. You can use it in a port-forwarding VIP to direct SMTP (or other services) to your internal mail server. You cannot use a VIP without port forwarding in this case (as you have to share this one address for many different services).

If the ISP provides a public subnet (like 1.2.3.4/28 with 16 addresses) you use one of these public addresses for your mailserver. This usually will not be the FGT's WAN IP. The FGT will proxy-arp for it and redirect all traffic with this destination IP to the internal IP given in the VIP. This might use port forwarding or not.

Often the ISP assigns one public dynamic IP address to you; then you cannot specify it in the VIP definition. To enable use of the public IP you can use the '0.0.0.0' wildcard, meaning 'traffic to the actual external IP address at this moment will be mapped to the internal address'.

A VIP only handles destination address(es), not source addresses. What you are concerned about are source addresses of hosts sending mails to your server. As a VIP doesn't touch source addresses, you don't need to be concerned about it here.
Ede Kernel panic: Aiee, killing interrupt handler!
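Putting the two-VIP setup described in this thread (one VIP per WAN interface, each on its own static public IP, both forwarding TCP/25 to the same internal host, plus matching policies) into FortiOS CLI form. This is an added example, not configuration posted by anyone in the thread or by Fortinet; it assumes interface names wan1, wan2 and internal, and uses constructed placeholder addresses: 203.0.113.10 as the static public IP on wan1, 198.51.100.10 on wan2, and 192.168.1.25 as the internal mail server. Because each VIP binds a different external IP (rather than 0.0.0.0 on both), the 'duplicate entry' error discussed above does not arise.

```text
# FortiOS CLI. Lines starting with '#' are ignored when pasted into the CLI.
# Placeholder values (constructed for this example):
#   203.0.113.10  = static public IP on wan1
#   198.51.100.10 = static public IP on wan2
#   192.168.1.25  = internal mail server

# One port-forwarding VIP per WAN interface, both to the same internal host.
config firewall vip
    edit "smtp_via_wan1"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.1.25"
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedport 25
    next
    edit "smtp_via_wan2"
        set extintf "wan2"
        set extip 198.51.100.10
        set mappedip "192.168.1.25"
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedport 25
    next
end

# The VIP alone does nothing; each WAN needs its own inbound policy.
# srcaddr "all" is what lets any sending MTA reach the server; the VIP
# only rewrites the destination, never the source.
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "smtp_via_wan1"
        set action accept
        set schedule "always"
        set service "SMTP"
        set logtraffic enable
    next
    edit 0
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "smtp_via_wan2"
        set action accept
        set schedule "always"
        set service "SMTP"
        set logtraffic enable
    next
end
```

`set logtraffic enable` is the v4.0 syntax; later FortiOS releases use `set logtraffic all`. The 'vice versa' part of ede_pfau's advice still applies: outbound mail from the server needs an internal-to-wan2 policy as well, and the MX record change at failover remains a manual DNS step. A quick check that the second path actually terminates on the mail server is to watch port 25 on the firewall while a test connection is made to the wan2 address, for example with `diagnose sniffer packet any 'port 25' 4`, and confirm the packets appear on both the wan2 and internal interfaces.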