Good Afternoon,
I have a 110C forti with two internet connections (WAN1 distance 10 priority 0, WAN2 distance 11 priority 0). All the traffic on WAN1 is correct.
I have generated a static routing policy for a particular server through WAN2 and a policy to allow access to the internet (LAN - WAN2), and it works OK.
The problem comes when I expose a web site on that server: I can't access it from the Internet (from the LAN internally it is reached correctly). I have generated a WAN2 - LAN policy and it does not work (that policy works correctly; I prioritized WAN2 over WAN1 and the access is OK).
Many thanks for your attention.
Is NAT enabled in the policy?
Hi tuumke,
Yes, I tried removing it and nothing happens...
Make the distances the same, and change the priorities. Higher number=lower priority.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
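The suggestion above written out as FortiOS CLI, as an added example that is not part of the original thread. The gateway addresses are placeholder documentation addresses and the priority value 10 is an assumed value; the distances for the "before" state are the ones given in the first post.

```fortios
# Before (from the first post): WAN1 distance 10, WAN2 distance 11.
# Only the lowest-distance default route is installed in the routing
# table, so wan2 has no active route back to Internet sources and
# sessions arriving on wan2 fail the reverse path check.

# After: equal distance installs both default routes; priority decides
# which one is used for outbound traffic (higher number = lower priority).
config router static
    edit 1
        set device "wan1"
        # placeholder gateway (assumption)
        set gateway 198.51.100.1
        set distance 10
        set priority 0
    next
    edit 2
        set device "wan2"
        # placeholder gateway (assumption)
        set gateway 203.0.113.1
        set distance 10
        # assumed value; any number above wan1's priority keeps wan1 preferred
        set priority 10
    next
end

# Check that both default routes are now present in the routing table:
get router info routing-table all
```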
Okay,
So you need a port forward on the fortigate.
http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Firewall/cb-firewall-dnat3.html
1. Go to Firewall Objects > Virtual IP > Virtual IP and select Create New to add a virtual IP that maps connections to the wan2.
Name: TCP80-Webserver
External Interface: wan2
Type: Static NAT
External IP Address/Range: 0.0.0.0-0.0.0.0 (I think)
Mapped IP Address/Range: ip webserver - ip webserver
2. Select Port Forwarding and configure the following port forwarding settings:
Protocol: TCP
External Service Port: 80-80
Map to Port: 80-80
Repeat for TCP443
4. Go to Firewall Objects > Virtual IP > VIP Group and select Create New to add a VIP Group that includes both VIPs.
Group Name: TCP80-443-Webserver
Interface: wan2
Add both created VIPs (TCP80 and TCP443) to the members list
5. Go to Policy > Policy > Policy and select Create New to add a policy that includes the VIP Group.
Source Interface/Zone: wan2
Source Address: all
Destination Interface/Zone: internal
Destination Address: TCP80-443-Webserver
Schedule: always
Service: HTTP and HTTPS
Action: ACCEPT
(edited because tables didn't work for some reason lol)
eneko wrote: And you also created the VIPs? (That is the test group, I assume?) Screenshot? :)
Good morning,
The policy is created as you say, take a look.
Test (destination address) is a virtual IP configured correctly; if I prioritize wan2 over wan1 it works well, but if wan1 is prioritized over wan2 it doesn't work.
Thank you very much!
yes
eneko wrote: yes
And I assume you still have the problem?
Can you give screenshots of the created VIPs?