Support Forum
RuuJan
New Contributor II

Strange VIP problem

Hi, I have a strange problem. I have a new Fortigate 60E and I've configured it to replace an old pfSense router. There is an OpenVPN server inside the network and I have to create a port forwarding to it. I'm not able to get this working. So I created another port forwarding to a Windows machine and tried to RDP into that. To my surprise this works. I can even test the policy with Policy Lookup to simulate a session to the external IP address. TCP 3389 works without a problem. TCP 943 (management page) and UDP 1194 (tunnel) don't match a policy.


I've checked it over and over but I guess I'm missing something.
This is my CLI configuration:


config firewall policy
    edit 13
        set name "OVPN"
        set uuid eeb3d648-70dd-51e9-8b48-10597084cee0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "OpenVPN"
        set action accept
        set schedule "always"
        set service "SOpenVPN"
        set logtraffic all
        set fsso disable
    next
end

config firewall policy
    edit 15
        set name "RDPTest"
        set uuid e9f28758-77bd-51e9-f8b4-0258a68224be
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "RDP"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic all
        set fsso disable
    next
end


1 Solution
ede_pfau
Esteemed Contributor III

Regular routing directs traffic according to the destination address. Only.

Policy routing can match more criteria like source address or ports.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

14 Replies
Fullmoon
Contributor III

may you please check if there's a built in firewall openvpn server.

Fortigate Newbie
RuuJan
New Contributor II

Hi Fullmoon, thanks, but that is not the issue. I tested from another VLAN and the management page on the VPN server is reacting normally. Besides that, the policy lookup shows there is a route.


Is there a way to test what rule is blocking my traffic?

rwpatterson
Valued Contributor III

RuuJan wrote:

       set service "SOpenVPN"

Please show the contents of the above custom service. Source ports should be 1024-65535, and destination should be the target port(s).

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

RuuJan
New Contributor II

This is the service as I created it. Is it necessary to specify the source ports?


config firewall service custom
    edit "SOpenVPN"
        set category "Tunneling"
        set tcp-portrange 943
        set udp-portrange 1194
    next
end

rwpatterson
Valued Contributor III

That's fine. If you do not specify, it assumes source port range is 1-65535 which covers everything. Missing is the 'set protocol TCP/UDP/SCTP' line. Not sure if that is needed, but give it a shot.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

RuuJan
New Contributor II

Thanks, I'll try that monday.

ede_pfau
Esteemed Contributor III

Strange...that we haven't seen the VIP yet. It's the crucial point here.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
RuuJan
New Contributor II

Here they are. I added the Policy route too.


config firewall vip
    edit "OpenVPNTunnel"
        set uuid 8dfb6470-78b6-51e9-d1bf-209636e5d072
        set extip a.b.c.d
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.2.6"
        set protocol udp
        set extport 1194
        set mappedport 1194
    next
end

config firewall vip
    edit "OpenVPNMgt"
        set uuid aceb1a56-78b6-51e9-fd50-393da876e859
        set extip a.b.c.d
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.2.6"
        set extport 943
        set mappedport 943
    next
end

config firewall vip
    edit "RDP"
        set uuid 3f9ff56a-77bd-51e9-d494-21d7cd53b228
        set extip a.b.c.d
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.2.5"
        set extport 3389
        set mappedport 3389
    next
end

config router policy
    edit 15
        set input-device "wan1"
        set srcaddr "all"
        set dstaddr "Beheer"
        set output-device "internal"
    next
end

ede_pfau
Esteemed Contributor III

Why would you use a Policy Route??

Either you use routing, or NAT, not both for the same purpose.

In your case, a simple VIP will do - destination NAT.


If you need to debug:

diag debug enable

diag sniffer packet any 'tcp and port 943' 4 0 l (ell)


will show you any traffic on tcp/943, including the NAT.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
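A VIP only performs destination NAT when a firewall policy names that VIP as its dstaddr; in the configs posted above the working RDP policy does exactly that (dstaddr "RDP" is the VIP "RDP"), while policy 13 uses dstaddr "OpenVPN", which is not one of the posted VIP names. The script below is an added example, not something from the thread or from FortiOS: it parses the CLI text into tables and lists WAN-ingress policies whose dstaddr is not a VIP object. The SAMPLE text is a constructed, trimmed copy of the objects in this thread; the interface name "wan1" is taken from the posted config.

```python
import shlex

# Constructed sample: the thread's objects trimmed to the fields the check needs.
SAMPLE = """config firewall vip
    edit "OpenVPNTunnel"
        set mappedip "192.168.2.6"
        set protocol udp
        set extport 1194
    next
    edit "RDP"
        set mappedip "192.168.2.5"
        set extport 3389
    next
end
config firewall policy
    edit 13
        set srcintf "wan1"
        set dstaddr "OpenVPN"
    next
    edit 15
        set srcintf "wan1"
        set dstaddr "RDP"
    next
end"""

def parse_fortios(text):
    """Flat parser for FortiOS 'config / edit / set / next / end' text."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set":
            entry[tok[1]] = tok[2:]  # quoted values come back unquoted
    return tables

def missing_vip_dstaddr(tables, wan="wan1"):
    """WAN-ingress policies whose dstaddr is not a VIP (so no destination NAT)."""
    vips = tables.get("firewall vip", {})
    return [(pid, d) for pid, pol in tables.get("firewall policy", {}).items()
            if wan in pol.get("srcintf", []) for d in pol.get("dstaddr", []) if d not in vips]

if __name__ == "__main__":
    for pid, dst in missing_vip_dstaddr(parse_fortios(SAMPLE)):
        print(f"policy {pid}: dstaddr {dst!r} is not a VIP, inbound traffic will not be NATed")
```

Run it against a `show firewall vip` / `show firewall policy` dump to spot the same mismatch on a real unit; the sniffer command above then confirms whether the packets arrive and are translated.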