Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
https
New Contributor

VIP - Redirect NTP traffic

Hi,

I'd like to forward whole NTP traffic to my NTP server.

I'd like to use VIP where source IP is in range from 0.0.0.0-239.255.255.255 and do portmapping 123-123 (use service NTP).

        set type load-balance         set service "NTP"         set extip 0.0.0.0-239.255.255.255         set mappedip "10.20.68.192-20.121.12.194"         set arp-reply disable         set portforward enable         set mappedport 123

And the problem is if any other VIP exists. For example:

        set extip 10.100.200.3         set mappedip "10.20.3.35"         set extintf "any"

I receive information that NTP is overlapping another VIP but if i use extip from 0.0.0.0 to 10.100.200.2 it works like a charm.

Do you have any idea how to configure this VIP to be working with extip "any"?

FortiOs 6.4.5

1 Solution
emnoc
Esteemed Contributor III

You have a few choices all are nasty

 

1st have you tried with the src-ip left as-is 0.0.0.0 ?

 

config firewall vip

    edit "NTP"

        set mappedip "10.10.1.112"

        set extintf "wan1"

        set portforward enable

        set extport 123

        set mappedport 123 

    next

end

 

 

2nd you can't do what your asking  directly since you have overlap of ext-srcs and the mapped. if you think about it the mappedip is in the src-range

 

3rd , your next option is. you have to out-play the fortigate so speak,  since any local assigned address used will overlap in the src-range. You can try the following as a guide.

 

e.g a workaround is to eliminate the local address by breaking up the src-range and applying multiple vips

 

config firewall vip

    edit "test-vip1"

        set uuid 88b9508a-a92e-51eb-c370-f85b1c740d8a

        set type load-balance

        set extip 0.0.0.0-9.255.255.255

        set mappedip "10.0.1.112"

        set extintf "wan1"

        set portforward enable

        set extport 999

        set mappedport 999

    next

    edit "test-vip2"

        set uuid b40364f6-a92e-51eb-853d-7321802aaa2d

        set type load-balance

        set extip 11.0.0.0-192.167.255.2255

        set mappedip "10.0.1.112"

        set extintf "wan1"

        set portforward enable

        set extport 999

        set mappedport 999

    next

    edit "test-vip3"

        set uuid b40364f6-a92e-51eb-853d-7321802aaa2d

        set type load-balance

        set extip 192.169.0.0-239.255.255.255

        set mappedip "10.0.1.112"

        set extintf "wan1"

        set portforward enable

        set extport 999

        set mappedport 999

    next

 

and so on

 

You have to poke hole for all interfaces address , all static routes address, all vpns end-points, etc........that you have, and ip address assigned on the fortigate.

 

Like I said, not a clean  approach but very a nasty approach

 

if you come across a better way, please post what you ultimately do, but the above is what we did with mixed results. We have a test lab and had reasons for doing the above. I would not recommend the above in a production env. A proper SLB would be best suited.

 

I think using the 0.0.0.0 vip is the best approach  but let us know if it works 

 

Ken Felix

 

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
2 REPLIES 2
emnoc
Esteemed Contributor III

You have a few choices all are nasty

 

1st have you tried with the src-ip left as-is 0.0.0.0 ?

 

config firewall vip

    edit "NTP"

        set mappedip "10.10.1.112"

        set extintf "wan1"

        set portforward enable

        set extport 123

        set mappedport 123 

    next

end

 

 

2nd you can't do what your asking  directly since you have overlap of ext-srcs and the mapped. if you think about it the mappedip is in the src-range

 

3rd , your next option is. you have to out-play the fortigate so speak,  since any local assigned address used will overlap in the src-range. You can try the following as a guide.

 

e.g a workaround is to eliminate the local address by breaking up the src-range and applying multiple vips

 

config firewall vip

    edit "test-vip1"

        set uuid 88b9508a-a92e-51eb-c370-f85b1c740d8a

        set type load-balance

        set extip 0.0.0.0-9.255.255.255

        set mappedip "10.0.1.112"

        set extintf "wan1"

        set portforward enable

        set extport 999

        set mappedport 999

    next

    edit "test-vip2"

        set uuid b40364f6-a92e-51eb-853d-7321802aaa2d

        set type load-balance

        set extip 11.0.0.0-192.167.255.2255

        set mappedip "10.0.1.112"

        set extintf "wan1"

        set portforward enable

        set extport 999

        set mappedport 999

    next

    edit "test-vip3"

        set uuid b40364f6-a92e-51eb-853d-7321802aaa2d

        set type load-balance

        set extip 192.169.0.0-239.255.255.255

        set mappedip "10.0.1.112"

        set extintf "wan1"

        set portforward enable

        set extport 999

        set mappedport 999

    next

 

and so on

 

You have to poke hole for all interfaces address , all static routes address, all vpns end-points, etc........that you have, and ip address assigned on the fortigate.

 

Like I said, not a clean  approach but very a nasty approach

 

if you come across a better way, please post what you ultimately do, but the above is what we did with mixed results. We have a test lab and had reasons for doing the above. I would not recommend the above in a production env. A proper SLB would be best suited.

 

I think using the 0.0.0.0 vip is the best approach  but let us know if it works 

 

Ken Felix

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
https
New Contributor

In a perfect world (in other integrations :D ) it is done by one2one vip for each servicwe.

In this case i had to do this trick.

0.0.0.0/0 didn't work. I had to use elimination.

Thank you Ken

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors