- set external ip range to the one host on my side I need traffic forwarded from
- set mapped ip to the broadcast ip of the remote subnet on the other side of the ipsec (FGT has a static route to this)
- set the source interface filter to the ipsec tunnel interface that connects the remote subnet
- disabled optional filters
- enabled port forwarding and set it to forward external port 9 UDP to internal 9 UDP
- enabled ARP Reply (set by default)
- did not add it to a group
The goal behind this is that I wanted to be able to send WOL packets from a specific host here on our subnet to the local subnet. Due to this I also enabled broadcast forwarding on all involved interfaces (but not on any WAN interface).
WOL packets are broadcast packets so you cannot route those directly.
We are connected to our shops via IPSec Tunnels with an FGT on both ends.
The problem I ran into was this:
Once the VIP was active on the remote firewall, it caused all traffic coming from my specific host to go to nirvana, and that host could not reach anything on the remote side anymore.
I read that somewhere in the Fortinet KB, and it was supposed to only match traffic from this host which goes via port 9 with UDP, but it didn't.
Does anyone have any advice or idea what went wrong?
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
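Added example (not from the original poster or from Fortinet): the post says WOL packets are broadcast and therefore cannot be routed directly, which is why the VIP maps a unicast destination to the remote subnet's broadcast address. The script below shows what such a UDP/9 payload actually contains, builds a magic packet, checks whether a captured payload is a well-formed one, and optionally sends it to a broadcast address. The MAC address, broadcast address and port in the `__main__` block are constructed placeholder values, not taken from the post.

```python
import re
import socket

SYNC_STREAM = b"\xff" * 6          # 6 bytes of 0xFF open every magic packet
MAGIC_LEN = 102                    # 6 sync bytes + 16 repetitions of a 6-byte MAC
SECUREON_LENS = (0, 4, 6)          # optional trailing SecureOn password sizes


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455 and return 6 raw bytes."""
    hexstr = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexstr):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return bytes.fromhex(hexstr)


def build_magic_packet(mac: str) -> bytes:
    """Sync stream followed by the target MAC repeated 16 times (102 bytes total)."""
    return SYNC_STREAM + parse_mac(mac) * 16


def is_magic_packet(payload: bytes) -> bool:
    """True if a UDP payload is a well-formed WOL frame (with or without a SecureOn password).

    Useful when checking a capture on the tunnel interface to confirm that the
    traffic you expect the VIP to match really is WOL and really is UDP/9.
    """
    if len(payload) < MAGIC_LEN or payload[:6] != SYNC_STREAM:
        return False
    mac = payload[6:12]
    if payload[6:MAGIC_LEN] != mac * 16:
        return False
    return (len(payload) - MAGIC_LEN) in SECUREON_LENS


def target_mac(payload: bytes) -> str:
    """Return the target MAC of a valid magic packet in colon notation."""
    if not is_magic_packet(payload):
        raise ValueError("payload is not a WOL magic packet")
    return ":".join(f"{b:02x}" for b in payload[6:12])


def send_magic_packet(mac: str, broadcast_addr: str, port: int = 9) -> int:
    """Send the magic packet as a UDP broadcast; returns the number of bytes sent.

    SO_BROADCAST is required, otherwise the kernel refuses a broadcast destination.
    """
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(pkt, (broadcast_addr, port))


if __name__ == "__main__":
    # Constructed sample values; replace with the real target MAC and the
    # broadcast address of the remote subnet behind the tunnel.
    sample_mac = "00:11:22:33:44:55"
    pkt = build_magic_packet(sample_mac)
    print(len(pkt), "bytes, valid:", is_magic_packet(pkt), "target:", target_mac(pkt))
    # send_magic_packet(sample_mac, "192.0.2.255", 9)   # uncomment to actually send
```

The sender deliberately addresses the remote subnet's directed broadcast rather than 255.255.255.255: the limited broadcast never leaves the local segment, whereas the directed broadcast is a routable destination that the FGT's static route and the VIP's mapped IP can act on.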