Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RuuJan
New Contributor II

Strange VIP problem

Hi, I have a strange problem. I have a new Fortigate 60E and I've configured it to replace an old pfSense router. There is an OpenVPN server inside the network and I have to create a portforwarding to it. I'm not able to get this working. So I created another portforwarding to a Windows machine and tried to RDP into that. To my surprise this works. I can even test the policy with Policy Lookup to simulate a session to the external IP-adres. TCP 3389 works without a problem. TCP 943 (management page) and UDP 1194 (tunnel) don't match a policy.

 

I've checked it over and over but I guess I'm missing something.

 

 

 

This is my CLI configuration:

 

config firewall policy     edit 13         set name "OVPN"         set uuid eeb3d648-70dd-51e9-8b48-10597084cee0         set srcintf "wan1"         set dstintf "internal"         set srcaddr "all"         set dstaddr "OpenVPN"         set action accept         set schedule "always"         set service "SOpenVPN"         set logtraffic all         set fsso disable     next end   config firewall policy     edit 15         set name "RDPTest"         set uuid e9f28758-77bd-51e9-f8b4-0258a68224be         set srcintf "wan1"         set dstintf "internal"         set srcaddr "all"         set dstaddr "RDP"         set action accept         set schedule "always"         set service "RDP"         set logtraffic all         set fsso disable     next end

 

1 Solution
ede_pfau
Esteemed Contributor III

Regular routing directs traffic according to the destination address. Only.

Policy routing can match more criteria like source address or ports.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

View solution in original post

Ede"Kernel panic: Aiee, killing interrupt handler!"
14 REPLIES 14
RuuJan
New Contributor II

Thanks. I'm afraid I don't get the idea of policy routing.

ede_pfau
Esteemed Contributor III

Regular routing directs traffic according to the destination address. Only.

Policy routing can match more criteria like source address or ports.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
RuuJan
New Contributor II

That's what I understood too. But the situation is rather complex. This router is in a shopping mall. There are two internet connections and about 18 VLAN's. VLAN's for customers are for public use and should be routed through WAN2, whereas all other traffic like CCTV, Contractors, doormanagement, climate control, Office and management should use WAN1. Each of these activities have a separated VLAN. And sometimes routing should also take place from one VLAN to another.

 

So I created two Policy routes to realize this, based on the source network and a couple of other more specific to route from one VLAN into another. I don't know how I should realize this without policy routing.

 

config router policy     edit 3         set input-device "internal" "internal6" "VACorp_20" "Bewegw_50" "Contractors_30" "Energie_27" "Evenementen_17" "GBSkoppeling_28" "Muziek_24"         set srcaddr "Beheer" "VACorp" "Bewegwijzering" "Contractors" "Energie_27 address" "Evenementen" "Muziek"         set dstaddr "all"         set gateway x.y.z.25         set output-device "wan1"     next end

config router policy     edit 1         set input-device "Public_Wifi_11" "Public_Wifi_12" "Public_Wifi_13" "Public_Wifi_14" "Public_Wifi_15" "PublVergader_16" "Bewegw_50" "Contractors_30" "Energie_27" "Evenementen_17" "GBSkoppeling_28" "Muziek_24" "VACorp_20"         set srcaddr "Bewegwijzering" "Contractors" "Energie_27 address" "Evenementen" "Public_LAN_VGZ" "Public_Wifi_11" "Public_Wifi_12" "Public_Wifi_13" "Public_Wifi_14" "Public_Wifi_15"         set dstaddr "all"         set output-device "wan2"     next end Wan1 is a routed subnet with /29 mask while wan2 is a simple Natted network in the 192.168.0/24 range.

 

 

RuuJan
New Contributor II

Thank you!!! You got me on the right track. First I deleted all my Policy Route settings. Besides that there was a problem with the WAN1 with an administrative cost of 5 and WAN2 witth an administrative cost of 0. I guesss most of the traffic was replied trough  WAN2 so it was never received (recognized) at the router at my (remote) location.

 

Once more thanks a million!

 

Ruud.

 

 

Matrix
New Contributor III

Hi, I have a similar problem I have an OpenVPN server inside the network.

So i created VIP 

edit OVPN
set comment "OVPN"
set extip 1.1.1.1
set mappedip "2.2.2.2"
set extintf "wan2"
set color 12


FW policy :-
set srcintf "wan2"
set dstintf "lan1"
set srcaddr "all"
set dstaddr "OVPN"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all

 

wan2 is my secondary circuit, so I created a route policy  for the return traffic 

edit 
set input-device "lan1"
set srcaddr "2.2.2.2"
set dstaddr "all"
set output-device "wan2"

set gateway 1.1.1.2
still no luck I have tried multiple things still not working, I ran debug on the srcaddress and I see tcp rst .

 

Labels
Top Kudoed Authors