Support Forum
KDMac
New Contributor

Virtual IP and portforwarding

Device: FortiGate 60E, FortiOS 6.4.1

I am a bit ashamed to ask this, but I'm not able to correctly configure port forwarding for external access.

My goal is to make a web-interface of the office-automation system accessible from a mobile device outside the network. With all the previous routers I have used, setting this up was a matter of minutes, however with the FortiGate I really don't understand how to do this. I have watched all the videos I could find, searched and read recipes, without success.

 

The situation: SD-Wan zone with 2 members (2 providers who both give me a dynamic IP)

I use the FortiDDNS service. The internal IP I want to reach is 172.19.183.45 (internal port 8080). External port would be 8100.

I would like to have a link that looks like myname.fortiddns.com:8100 to reach my office-automation system.

To achieve this I have tried to create a Virtual IP but I face an immediate first problem: what do I enter in the field 'External IP address'? In my case, this is dynamic.

 

Even if I enter my current WAN IP for test purposes it still doesn't work. What am I missing here?

 

In my old router I just enter the protocol (TCP), the public port, private IP and private port, and which WAN interface. Next I open the public port and that's it.

 

Help would be much appreciated.

 

Many thanks in advance. 

2 REPLIES
Fullmoon
Contributor III

KDMac wrote:

To achieve this I have tried to create a Virtual IP but I face an immediate first problem: what do I enter in the field 'External IP address'? In my case, this is dynamic.
Have you tried to define as 0.0.0.0/0 to the External IP address?

Fortigate Newbie

ede_pfau
Esteemed Contributor III

@Fullmoon is right, '0.0.0.0/0' is the FortiOS notation for a wildcard address. It's documented in the Handbook.

 

Besides, port forwarding on a FGT is a 2 step process:

1- create a VIP

2- create a policy from WAN to LAN with the VIP as the destination address (!), like

srcif: sd-wan
srcaddr: all
dstif: LAN
dstaddr: myVIP
service: myCustomServiceTCP8100
NAT: disable

Place this policy above other policies with the same srcif/dstif combo.

If you cannot choose 'sd-wan' for source interface, specify 'any'.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
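The two steps described in the reply above, written out as a FortiOS CLI configuration. This is an added example, not configuration posted by KDMac or ede_pfau; it assumes the SD-WAN zone is the default "virtual-wan-link", the LAN interface is named "internal", and the object names "myVIP", "myCustomServiceTCP8100" and "Portforward-OA" are placeholders. The external IP 0.0.0.0 is the wildcard that lets the VIP match whichever dynamic address the WAN members currently hold.

```fortios
# Step 1: the VIP. 0.0.0.0 = wildcard external address (dynamic WAN IPs),
# port forwarding maps external TCP 8100 to the internal host on 8080.
config firewall vip
    edit "myVIP"
        set extintf "any"
        set extip 0.0.0.0
        set portforward enable
        set protocol tcp
        set extport 8100
        set mappedip "172.19.183.45"
        set mappedport 8080
    next
end

# Custom service matching only the published external port.
config firewall service custom
    edit "myCustomServiceTCP8100"
        set tcp-portrange 8100
    next
end

# Step 2: the WAN-to-LAN policy with the VIP as destination and NAT disabled.
# Move it above any other policy using the same srcintf/dstintf pair.
config firewall policy
    edit 0
        set name "Portforward-OA"
        set srcintf "virtual-wan-link"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "myVIP"
        set action accept
        set schedule "always"
        set service "myCustomServiceTCP8100"
        set nat disable
        set logtraffic all
    next
end
```

To confirm traffic is arriving and being translated, run `diagnose sniffer packet any 'port 8100 or port 8080' 4` while connecting from the mobile device; if you see the 8100 packets but no 8080 forward, the policy order or the dstaddr is wrong.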