VIPs on loopback with s2s communication
Gents,
Need your assistance here. I have an s2s connection and I want the remote side to access my server ports through a loopback interface. The s2s is up and able to reach my loopback interface; however, my VIP port forwarding using the loopback is not responding. Based on my diagnose sniffer, the remote side is able to reach the loopback, but no ACK is received, as shown below.
3953.534013 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3956.547416 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3962.546623 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
----config---
config system interface
    edit "Loopback102"
        set vdom "root"
        set ip 10.0.225.102 255.255.255.255
        set allowaccess ping https ssh http fgfm
        set type loopback
        set role lan
        set snmp-index 25
    next
end
-----------------
config firewall policy
edit 66
set name "ewew"
set uuid 7be5d9e4-c0fc-51ee-71e4-dc872d849459
set srcintf "TO-JED"
set dstintf "Loopback102"
set action accept
set srcaddr "JED-DMZ-SVR"
set dstaddr "iNET-1200"
set schedule "always"
set service "ALL"
set logtraffic all
set comments " "
next
end
config firewall vip
    edit "iNET-1200"
        set uuid 5099f20a-c0f9-51ee-edd8-d4b4f6b515f3
        set extip 10.0.225.102
        set mappedip "10.3.131.160"
        set extintf "any"
        set portforward enable
        set extport 1200
        set mappedport 7000
    next
end
Labels: FortiGate
Hello @hbuenafe81 ,
Thank you for contacting the Fortinet Forum portal.
Once the traffic reaches the loopback interface, does it reach the actual server? I am not sure you can achieve this, as once the traffic from the remote site reaches the loopback interface's private address, the session will offload on that interface. Is there any other route you have to the end server from the loopback?
Please collect below debug logs to get flow in a better way
get router info routing-table details 10.0.255.102
get router info routing-table details 10.3.131.160
# diagnose debug reset
# diagnose debug flow trace stop
# diagnose debug flow filter clear
# diagnose debug flow filter addr [src-ip] [remote IP address from where the traffic is generated]
# diagnose debug flow filter port <portnumber>
# diagnose debug flow show function-name enable
# diagnose debug flow show iprope enable
# diagnose debug console timestamp enable
# diagnose debug flow trace start 999
# diagnose debug enable
# diagnose debug disable
Best regards,
Manasa.
If you feel the above steps helped to resolve the issue mark the reply as solved so that other customers can get it easily while searching on similar scenarios.
Created on ‎02-04-2024 05:17 AM Edited on ‎02-04-2024 05:34 AM
Thanks for the prompt response. As suggested, see below. When I tried reaching 10.3.131.160 from the loopback interface, the port is reachable/open; the thing is that it is not mapping to the loopback interface.
NSPTSDFW02 # get router info routing-table details 10.0.255.102
Routing table for VRF=0
Routing entry for 10.0.0.0/8
Known via "static", distance 1, metric 0, best
* via iNET-s2s tunnel x.x.x.x, tun_id
NSPTSDFW02 # get router info routing-table details 10.3.131.160
Routing table for VRF=0
Routing entry for 10.3.131.0/24
Known via "connected", distance 0, metric 0, best
* is directly connected, port4
NSPTSDFW02 # diag sniffer packet any "host 10.1.74.21 and port 1200" 4
interfaces=[any]
filters=[host 10.1.74.21 and port 1200]
13.643032 TO-JED in 10.1.74.21.65165 -> 10.0.225.102.1200: syn 1131091791
16.649474 TO-JED in 10.1.74.21.65165 -> 10.0.225.102.1200: syn 1131091791
22.649572 TO-JED in 10.1.74.21.65165 -> 10.0.225.102.1200: syn 1131091791
------
NSPTSDFW02 # execute telnet 10.3.131.160 7000
Trying 10.3.131.160...
Connected to 10.3.131.160.
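The checks below are an added example, not commands from the original posts. They repeat the route lookup and sniffer steps from the thread with two corrections a practitioner would want: the routing-table query in the thread asks for 10.0.255.102, which falls into the 10.0.0.0/8 static route via the tunnel, whereas the loopback is 10.0.225.102 (a /32), and the sniffer filter on port 1200 can only show the pre-NAT SYN arriving on TO-JED; a SYN that was actually translated by the VIP would leave port4 towards 10.3.131.160:7000 and never match that filter. Interface names and addresses are taken from the thread; the session-filter and flow-trace values are assumed for this setup.

```fortios
# 1. Route lookups for the real loopback address and the mapped server
get router info routing-table details 10.0.225.102
get router info routing-table details 10.3.131.160

# 2. Sniff both sides of the translation. If policy 66 has "set nat enable",
#    the egress packet is also source-NATed to port4's address, so do not
#    filter on the JED host alone for the post-NAT leg.
diagnose sniffer packet any "(host 10.1.74.21 and port 1200) or (host 10.3.131.160 and port 7000)" 4 0 l

# 3. Was a session created at all, and does it carry the DNAT?
diagnose sys session filter clear
diagnose sys session filter src 10.1.74.21
diagnose sys session filter dport 1200
diagnose sys session list

# 4. Flow trace for the same source/port, then have the JED side retry
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 10.1.74.21
diagnose debug flow filter port 1200
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 10
diagnose debug enable
# ... retry the connection from 10.1.74.21, then stop:
diagnose debug disable
diagnose debug reset
```

What to look for: a working VIP shows a session whose original destination 10.0.225.102:1200 is followed by the translated 10.3.131.160:7000, and the sniffer shows a second SYN leaving port4 on port 7000. If the flow trace ends at the loopback with a policy-denied or "iprope" message and no DNAT line, the SYN is being consumed by the loopback as local traffic rather than being forwarded, which is where the second policy from the loopback to port4 comes in.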
If the server is behind another router/NAT device, make sure it can reach the loopback IP (10.0.225.102) on the FGT. Also, based on this article, you need another firewall policy allowing the traffic from the loopback to the server.
If you have found a solution, please like and accept it to make it easily accessible for others.
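As an added example that is not part of ebilcari's reply or the poster's configuration, here is the full set of objects the two-policy design mentioned above (and again in the later 7.2.6 test with its "dedicated rule" for the loopback) implies, using the names and addresses from the thread. Assumptions: the VIP is pinned to "Loopback102" rather than "any", a custom service object "TCP-1200" replaces "ALL" so only the forwarded port is opened, policy ID 67 is free, and the second policy uses the VIP object as its destination. Whether that second policy must reference the VIP or the mapped server address should be confirmed against the Fortinet article linked in the thread. The `#` lines are annotations; remove them before pasting into the CLI.

```fortios
config system interface
    edit "Loopback102"
        set vdom "root"
        set ip 10.0.225.102 255.255.255.255
        set allowaccess ping
        set type loopback
    next
end

config firewall service custom
    edit "TCP-1200"
        set tcp-portrange 1200
    next
end

config firewall vip
    edit "iNET-1200"
        set extip 10.0.225.102
        set extintf "Loopback102"
        set portforward enable
        set mappedip "10.3.131.160"
        set extport 1200
        set mappedport 7000
    next
end

config firewall policy
    # Policy 1: tunnel -> loopback. The VIP is the destination, so the
    # FortiGate translates 10.0.225.102:1200 to 10.3.131.160:7000 here.
    edit 66
        set name "JED-to-Loopback102-VIP"
        set srcintf "TO-JED"
        set dstintf "Loopback102"
        set srcaddr "JED-DMZ-SVR"
        set dstaddr "iNET-1200"
        set action accept
        set schedule "always"
        set service "TCP-1200"
        set logtraffic all
    next
    # Policy 2: loopback -> server LAN (port4, per the routing table in
    # the thread). Without it the translated SYN has no path out.
    edit 67
        set name "Loopback102-to-SRV"
        set srcintf "Loopback102"
        set dstintf "port4"
        set srcaddr "JED-DMZ-SVR"
        set dstaddr "iNET-1200"
        set action accept
        set schedule "always"
        set service "TCP-1200"
        set logtraffic all
    next
end
```

Note that the loopback's `allowaccess` is reduced to ping here: the original configuration exposes https, ssh, http and fgfm on an address that is reachable across the tunnel, which is a larger management surface than the port-forward needs.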
Created on ‎02-04-2024 07:06 AM Edited on ‎02-04-2024 07:54 AM
Thanks @ebilcari, this is a FortiGate loopback interface. I don't have any problem using a router loopback, except for this loopback on a FW. The problem here is that the loopback interface on the FW is not mapping the internal server ports. All communication is working properly and both sides are able to reach each other, except for this VIP/port mapping using the FortiGate loopback interface.
Can you please confirm whether you can verify the configuration using the article Technical Note: How to configure a VIP using a loo... - Fortinet Community, and make sure all firewall policies are in place?
Created on ‎02-04-2024 08:49 PM Edited on ‎02-04-2024 08:51 PM
@mpeddalla - thanks for the info. This is actually what I was looking at earlier; the only difference is that I did not use a WAN interface, instead I'm using an s2s port for this. Policies are also in place.
config system interface
edit "Loopback102"
set vdom "root"
set ip 10.0.225.102 255.255.255.255
set allowaccess ping https ssh http fgfm
set type loopback
set snmp-index 25
next
end
config firewall vip
edit "iNET-1200"
set extip 10.0.225.102
set mappedip "10.3.131.160"
set extintf "any"
set portforward enable
set extport 1200
set mappedport 7000
next
** The policy below also has a reverse setup if dstaddr uses all **
config firewall policy
    edit 66
        set name "Loopback"
        set srcintf "TO-JED"
        set dstintf "Loopback102"
        set action accept
        set srcaddr "JED-DMZ-SVR"
        set dstaddr "iNET-1200"      ----- for test purposes I also changed this to ALL -----
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable               ----- for the test I also disabled this -----
    next
end
I did a quick test (no VPN) and port forwarding pointing at loopback works (7.2.6):
GW # get system session list
tcp 3597 10.0.0.2:60838 - 100.0.0.5:10051 10.5.32.51:443
VIP/loopback is 100.0.0.5 and the "server" is 10.5.32.51
Don't forget to add a dedicated rule to allow requests reaching the loopback interface itself:
Thanks Emirjohn - I'm using v7.0.13.
As you can see below, the loopback is reachable but the port is not open. I tested this server port from the same IP range (10.3.131.x) and the port is open, but it is not mapped to the loopback interface.
