Support Forum
shelzmike
New Contributor

Virtual IP Ranges - This is getting ridiculous!

I have what I thought was a very simple setup and of course it is not, though from everything I have read it would seem that I have everything set up appropriately. I am evaluating a cloud-based Email Security Service. I have 2 Fortigate 80Cs, set up in an HA Cluster in NAT operation mode. All I want to happen is the following: when anything comes in over the SMTP protocol from ONLY a particular subnet, it is then forwarded to my email server directly (to be permanent). When anything comes in over the SMTP protocol NOT from this subnet, I want it forwarded over to my current security appliance on site.

There are 2 problems I am having with the Virtual IP setup.

1.) When I try to create 2 rules that both forward port 25 but to different places, depending on the incoming address, I get a "A Duplicate Entry Already Exists" error. Now I understand in theory it would get confused if I simply had 2 different places to send SMTP traffic. However, if I delineate depending on the INCOMING address and set the policy order properly, why would this not work?

2.) I am confused as to how I would delineate the from address. Currently, the only way I can get it to work is by setting an Address as the subnet of the remote service, then creating a policy that uses that address as the source address on my WAN port. However, on my Virtual IP, I am unable to set the proper External IP Address/Range to the subnet of the hosted service. The reason is that when I do that and then try to specify only my email server as the Mapped IP Address, it automatically creates an inappropriate ending address. I have uploaded the image to show what I mean. It automatically creates the 201.20.96.21 ending IP, which is not correct. It should be 255.255.255.255.

Perhaps I am thinking about this the wrong way, but I really need to get this working ASAP. Thanks.

Mike
romanr
Valued Contributor

Hi, as the VIP configuration uses a "RANGE" address feature, the fields should use the start of the IP range and its end if more than one address is being used! So in your case, just leave the second field empty! If you need different VIP configurations for different sources, then just use the source address filter and fill in the correct source address!

best regards,
Roman
shelzmike

Roman, thanks for the response; however, I am a little confused, or rather perhaps just need a bit more clarification. So are you saying that instead of using the beginning and end IP in External IP Address/Range I need to just use the beginning IP address? If that is the case, will this indeed apply to all addresses in the range of the 64.235.144.0/20 subnet? (It is important that it does so.) Or are you saying to leave the Mapped IP Address/Range ending IP blank? Because that of course is my problem: if I put an ending IP in the External field, it automatically fills the Mapped IP Address ending IP. Thanks.
ede_pfau
SuperUser

You used the network mask as the end address. No wonder this amounts to a vast number of hosts... A whole /24 subnet would be e.g. start = 64.235.144.1, end = 64.235.144.254. The first field to fill in is the start IP, the second is the end IP.

Secondly, the "external IP Address" is not the source address of an external host connecting, but the destination IP address he's trying to connect to. This is not mapping source addresses to internal addresses. To have 2 VIPs act differently depending on the source IP address of the host coming in, you need to use the source IP filter feature.

Ede


"Kernel panic: Aiee, killing interrupt handler!"
shelzmike
New Contributor

Ah, okay. That makes a little more sense. So you are saying the External IP should be my public IP address on my WAN port then? That would certainly solve the issue I have been having. And then I can use the Address in the firewall (and consequently assign that to the source address in the policy) to have the Fortigate ONLY accept SMTP traffic from that particular address, correct? Thanks!
ede_pfau
SuperUser

Your first sentence is correct. The second is not how it's done. You use the VIP as the destination address in a policy. In your case, the policy would be intf: WAN -> internal, addr: ALL -> VIP to actually use the address/port translation. The firewall/VIP section only defines it. And to select the range of source addresses that are processed by one VIP, you check the "Source Address Filter" setting in the VIP definition itself. Compare with the screenshot you posted above. This filter feature was newly introduced in 4.3.x somewhere.

Ede


"Kernel panic: Aiee, killing interrupt handler!"
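The setup Ede describes in the two replies above, written out as a FortiOS CLI configuration. This is an added example and not configuration posted by anyone in the thread. Everything except the 64.235.144.0/20 subnet is assumed: the interface names wan1 and internal, the FortiGate's public address 203.0.113.25 (this is the VIP's external IP, i.e. the destination clients connect to, not the client's source), the mail server 192.0.2.25, the on-site security appliance 192.0.2.26, the object names, and the built-in "SMTP" service object. Keyword names follow the FortiOS 4.3/5.x CLI; exact syntax (for example quoting of mappedip) varies slightly between releases, so check it against the firmware on the 80C.

```fortios
# Address object for the cloud e-mail security service's subnet.
# 64.235.144.0/20 == mask 255.255.240.0. Used as the policy source address.
config firewall address
    edit "cloud-mail-filter"
        set subnet 64.235.144.0 255.255.240.0
    next
end

config firewall vip
    # VIP 1: port 25 on the public IP, only for sources in the cloud subnet,
    # mapped straight to the mail server. extip is the public address on wan1,
    # a single address, so no end-of-range value is given. src-filter is the
    # "Source Address Filter" from the GUI; it is what lets two VIPs share the
    # same external IP/port without the duplicate-entry error.
    edit "vip-smtp-cloud"
        set extintf "wan1"
        set extip 203.0.113.25
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedip 192.0.2.25
        set mappedport 25
        set src-filter "64.235.144.0/20"
    next
    # VIP 2: same public IP and port, no source filter, mapped to the existing
    # on-site security appliance. Catches every other SMTP source.
    edit "vip-smtp-onsite"
        set extintf "wan1"
        set extip 203.0.113.25
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedip 192.0.2.26
        set mappedport 25
    next
end

config firewall policy
    # Policy 10: WAN -> internal, source restricted to the cloud subnet (belt
    # and braces on top of the VIP's src-filter), destination is the VIP object.
    # Using the VIP as dstaddr is what activates the DNAT/port forward.
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "cloud-mail-filter"
        set dstaddr "vip-smtp-cloud"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
    # Policy 20: everything else on port 25 goes to the on-site appliance.
    edit 20
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-smtp-onsite"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
end
```

Policies are evaluated in list order, not by ID, so the cloud-subnet policy must sit above the catch-all; if it was created later, `config firewall policy` then `move 10 before 20` puts it first. With this in place a connection from 64.235.144.0/20 to 203.0.113.25:25 is translated to 192.0.2.25, and a connection from any other address falls through to policy 20 and lands on 192.0.2.26. Verify with `diagnose sniffer packet internal 'port 25'` while sending test mail from both a cloud-subnet host and an outside host.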