Hello, I have created a Virtual IP to map to an inside private IP address.
The Virtual IP is a spare IP address from the RIPE subnet allocated:
x.x.x.84
I have configured a security rule to allow traffic to this IP.
There are no matches in the packet capture, and I cannot see the .84 in the ARP table of the VDOM.
Q: Has anyone come across this issue before?
Hello,
In the firewall rule, you allow traffic to the VIP object, not to the IP object.
Also, in the VIP object, ensure the ARP reply is enabled:
config firewall vip
edit VIP1
set arp-reply enable
next
end
Hope it helps.
First, many thanks for all the help.
Please see the CLI output, which might clarify:
itsprdtnfcfw101 (vip) # show
config firewall vip
    edit "Assurenet_122_Management"
        set uuid 7f56b1a4-3968-51ef-460d-5158eca378f4
        set service "ALL_TCP"
        set extip 1.1.1.84
        set mappedip "10.123.12.2"
        set extintf "any"
    next
end

config firewall policy
    edit 10
        set name "VIP-2"
        set uuid 7cfb9382-9adb-51ef-93a1-1cec1784ccf1
        set srcintf "wan"
        set dstintf "lan3"
        set action accept
        set srcaddr "home-VIP-2"
        set dstaddr "VIP-84"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

("home-VIP-2" is my source IP on the Internet; "VIP-84" is the target VIP address.)
If your FGT's wan interface IP is another IP in the same subnet, like x.x.x.81 in x.x.x.80/29, your ISP wouldn't deliver packets destined to x.x.x.84/29 to the MAC address on your FGT's wan interface. Only packets destined to x.x.x.81 are delivered to your FGT's interface. The ISP would expect an ARP reply back from a different MAC address (generally a different device).
Only in the case where your FGT's wan interface IP is from a different subnet, like a /30, and the /29 subnet is routed over the interface subnet as "additional IPs/subnet", would your FGT receive all packets destined to all 8 IP addresses within the /29 subnet.
Toshi
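Pulling the two replies above together (reference the VIP object itself as the policy destination and enable ARP reply on it; then check how the spare address actually reaches the wan interface), here is an added example configuration plus the CLI checks a practitioner would run. It is not from either poster and not the original configuration: the interface names wan and lan3, the address object "home-VIP-2", and the placeholders x.x.x.84 and 10.123.12.2 are assumptions modelled on the thread, and the object names "VIP-84" and "Inbound-VIP-84" are invented for the example.

```fortios
# Added example, not from the thread. x.x.x.84 is a placeholder for the spare
# public address, 10.123.12.2 for the internal host; wan/lan3 are the interface
# names used in the thread. Replace before pasting.

# 1. VIP object. Bind it to the wan interface instead of "any" so the FortiGate
#    answers ARP for x.x.x.84 on that interface, and enable arp-reply explicitly
#    (this is what lets the upstream router learn the FGT's MAC when x.x.x.84 is
#    in the same subnet as the wan interface address).
config firewall vip
    edit "VIP-84"
        set extip x.x.x.84
        set mappedip "10.123.12.2"
        set extintf "wan"
        set arp-reply enable
    next
end

# 2. Policy. dstaddr must be the VIP object; an address object that merely
#    contains x.x.x.84 never triggers the DNAT, so the policy never matches.
#    nat is left disabled so the internal host sees the real client source IP;
#    enable it only if the host cannot route replies back via the FortiGate.
config firewall policy
    edit 10
        set name "Inbound-VIP-84"
        set srcintf "wan"
        set dstintf "lan3"
        set action accept
        set srcaddr "home-VIP-2"
        set dstaddr "VIP-84"
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end

# 3. Checks. Note that .84 will not appear in the FGT's own ARP table even when
#    everything works: that table lists neighbours, not the unit's own addresses.
#    What you want to see on the wan sniffer is the upstream router's
#    "who-has x.x.x.84" and the FGT's reply, followed by inbound packets for .84.
#    If instead the /29 is routed to the FGT over a separate interface subnet
#    (the second case in the reply above), no ARP for .84 happens upstream and
#    only the inbound packets and the flow trace are meaningful.
diagnose ip arp list
diagnose sniffer packet wan 'arp or host x.x.x.84' 4

# Flow trace: confirms whether arriving packets hit policy 10 and get DNATed.
diagnose debug flow filter addr x.x.x.84
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... generate test traffic from the Internet source, then stop tracing:
diagnose debug disable
diagnose debug reset
```

If the sniffer shows no ARP request for .84 and no inbound packets at all, the problem is upstream of the FortiGate (the ISP is not delivering the address to this interface), and no policy or VIP change on the unit will help until that is resolved.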