Gents,
Need your assistance here.. i have a s2s connection and i want the remote side to access my server ports through loopback interface. s2s is up and able to reach my loopback interface, however my VIPs port forwarding using loopback is not responding.. base on my diagnose sniffer shows that remote are able to reach the loopback but no ack receive as shown below.
3953.534013 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3956.547416 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3962.546623 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
----config---
config system interface
edit "Loopback102"
set vdom "root"
set ip 10.0.225.102 255.255.255.255
set allowaccess ping https ssh http fgfm
set type loopback
set role lan
set snmp-index 25
-----------------
config firewall policy
edit 66
set name "ewew"
set uuid 7be5d9e4-c0fc-51ee-71e4-dc872d849459
set srcintf "TO-JED"
set dstintf "Loopback102"
set action accept
set srcaddr "JED-DMZ-SVR"
set dstaddr "iNET-1200"
set schedule "always"
set service "ALL"
set logtraffic all
set comments " "
next
end
edit "iNET-1200"
set uuid 5099f20a-c0f9-51ee-edd8-d4b4f6b515f3
set extip 10.0.225.102
set mappedip "10.3.131.160"
set extintf "any"
set portforward enable
set extport 1200
set mappedport 7000
next
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello @hbuenafe81 ,
Thank you for contacting the Fortinet Forum portal.
Once the traffic reaches the loopback interface does traffic reach the actual server not sure if you can achieve this, As once the traffic reaches from the remote site to the loopback interface private address session will offload on the interface is there any other route you have for end server from the loopback?
Please collect below debug logs to get flow in a better way
get router info routing-table details 10.0.255.102
get router info routing-table details 10.3.131.160
# diagnose debug reset
# diagnose debug flow trace stop
# diagnose debug flow filter clear
# diagnose debug flow filter addr [src-ip] [remoteip address from were traffic is generated]
# diagnose debug flow filter port <portnumber>
# diagnose debug flow show function-name enable
# diagnose debug flow iprope en
# diagnose debug console timestamp enable
# diagnose debug flow trace start 999
# diagnose debug enable
# diagnose debug disable
Best regards,
Manasa.
If you feel the above steps helped to resolve the issue mark the reply as solved so that other customers can get it easily while searching on similar scenarios.
Created on 02-04-2024 05:17 AM Edited on 02-04-2024 05:34 AM
Thanks for the prompts response.. as suggested below. When i tried lopbck interface to reach 10.3.131.160 ports is reachable/open, the thing is that its not mapping to loopback interface.
NSPTSDFW02 # get router info routing-table details 10.0.255.102
Routing table for VRF=0
Routing entry for 10.0.0.0/8
Known via "static", distance 1, metric 0, best
* via iNET-s2s tunnel x.x.x.x, tun_id
NSPTSDFW02 # get router info routing-table details 10.3.131.160
Routing table for VRF=0
Routing entry for 10.3.131.0/24
Known via "connected", distance 0, metric 0, best
* is directly connected, port4
NSPTSDFW02 # diag sniffer packet any "host 10.1.74.21 and port 1200" 4
interfaces=[any]
filters=[host 10.1.74.21 and port 1200]
13.643032 TO-JED in 10.1.74.21.65165 -> 10.0.225.102.1200: syn 1131091791
16.649474 TO-JED in 10.1.74.21.65165 -> 10.0.225.102.1200: syn 1131091791
22.649572 TO-JED in 10.1.74.21.65165 -> 10.0.225.102.1200: syn 1131091791
------
NSPTSDFW02 # execute telnet 10.3.131.160 7000
Trying 10.3.131.160...
Connected to 10.3.131.160.
If the server is behind another Router/NAT device make sure it can reach the loopback IP (10.0.225.102) in FGT and also based on this article you need another firewall policy allowing the traffic from loopback to the server.
Created on 02-04-2024 07:06 AM Edited on 02-04-2024 07:54 AM
thanks @ebilcari, this is a fortigate loopback interface.. i dont have any problem using router loopback except for this loopbck on a fw. the problem here is that the loopback interface on fw is not mapping the internal server ports.. all communication are working properly and able to reach each other, except for this VIPs/port mapping using fortigate lopbck int.
Can you please confirm if you can verify the configuration using article Technical Note: How to configure a VIP using a loo... - Fortinet Community ? and make sure all firewall policies are in place?
Created on 02-04-2024 08:49 PM Edited on 02-04-2024 08:51 PM
@mpeddalla - thanks for the info., this is actually what i was looking at earlier the only difference is that i'm did not use WAN interface instead i'm using a s2s port on this.. policies are also in place.
config system interface
edit "Loopback102"
set vdom "root"
set ip 10.0.225.102 255.255.255.255
set allowaccess ping https ssh http fgfm
set type loopback
set snmp-index 25
next
end
config firewall vip
edit "iNET-1200"
set extip 10.0.225.102
set mappedip "10.3.131.160"
set extintf "any"
set portforward enable
set extport 1200
set mappedport 7000
next
** below policy also has reverse setup if dstaddr use all **
config firewall policy
edit 66
set name "Loopback"
set srcintf "TO-JED"
set dstintf "Loopback102"
set action accept
set srcaddr "JED-DMZ-SVR"
set dstaddr "iNET-1200" ----- for test purposes I also change this to ALL ----
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable ------ for test I also disable this -----
next
I did a quick test (no VPN) and port forwarding pointing at loopback works (7.2.6):
GW # get system session list
tcp 3597 10.0.0.2:60838 - 100.0.0.5:10051 10.5.32.51:443
VIP/loopback is 100.0.0.5 and the "server" is 10.5.32.51
Don't forget to add a dedicated rule to allow request reaching the loopback interface itself:
Thanks Emirjohn - I'm using v7.0.13
As you can see below the loopback is reachable but the port is not open. I tested this server port to same ip range (10.3.131.x) and port is open but not to map loopback interface.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1710 | |
1093 | |
752 | |
446 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.