Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Setting up external access to QNAP webinterface

Hello, I hope you can help me, I am going mad. I am trying to enable external access to our NAS. The webinterface listens on port 8080, wan1 has a working dyndns configuration. I am trying this: VIP: config firewall vip edit " QNAP" set extintf " wan1" set portforward enable set mappedip 192.168.1.7 set extport 8080 set mappedport 8080 next Policy: edit 3 set srcintf " wan1" set dstintf " internal" set srcaddr " all" set dstaddr " QNAP" set action accept set schedule " always" set service " ANY" It isn' t working though. Any obvious reason you can see?
18 REPLIES 18
abelio
SuperUser
SuperUser

Does QNAP' s default gateway points to Fortigate internal IP number?

regards




/ Abel

regards / Abel
Not applicable

Thank you very much for your answer. Yes, the default gateway is the internal IP of the fortigate unit.
ede_pfau
SuperUser
SuperUser

Hard to tell from the little information given. You' ve done the configuration from the book, there is no obvious fault in it. I suspect the QNAP to have a problem with routing or authentication. Suggestion: change the VIP such that you don' t port forward. The effect will be that all traffic directed to your external IP will be forwarded to the QNAP. It' s only temporarily. Then replace the QNAP with a PC, without a personal firewall. Then you can ping the target and see if that works. (Maybe the QNAP will answer to pings as well so you don' t have to substitute it.) What does the documentation of QNAP say about web access - is it https, will it check for local source addresses,...?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
rwpatterson
Valued Contributor III

Does this work from the LAN side? (inside)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Not applicable

I have tested pinging the QNAP after turning off port forwarding from an outside machine to no avail. It responds to pings from inside the network. The webaccess is http. There is a https option, but I wanted to test this first. I don' t quite understand what checking for local source addresses means, could you elaborate? The administration from inside the network works flawlessly. The depressing thing is that I got it to work when no one was using it, but as soon as interest arose from my boss, the darn thing stopped working. Is there some option to somehow completely turn off the firewall for specific IPs? EDIT: I can in fact ping it from the outside. Some packets are lost, some say " Zielnetz nicht erreichbar" wich means something along the lines of target network not available. So I can at least tell it' s there. :D
ede_pfau
SuperUser
SuperUser

There is a https option, but I wanted to test this first. I don' t quite understand what checking for local source addresses means, could you elaborate?
Some webservers check if the HTTP request has a local source address. But as pings don' t come through at all we don' t need to bother about HTTP. You are not quite clear about the success of pings: are some of them returned, some rejected, some lost? You only have 1 external IP, don' t you? We can proceed with debugging on the Fortigate if needs be.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

I cannot find anything regarding a check for local source addresses. Two packets timed out, the remaining two said " Zielnetz nicht erreichbar" (Target Network not reachable). EDIT: The answer is coming from the correct IP by the way. Actually I have two external IPs, only one of them updates dyndns though, so this shouldn' t be a problem I assumed. Stupid? :)
rwpatterson
Valued Contributor III

Does this unit have the correct subnet mask and default gateway set up? Either of these incorrectly set would prevent proper routing.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Not applicable

The default gateway is set correctly. Since I don' t work with subnets, the subnetmask 255.255.255.0 should also be correct? I don' t really know where to check subnet settings on the fortigate.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors