Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BenJ
New Contributor

Yet another VIP thread

I have a 50-E running 5.4.4. It is currently configured and working fine. I have a second 50-E at another building that is also working and an IPsec tunnel exists between the two.

 

I am coming from Junipers, so I feel somewhat comfortable but am running into difficulty w/ VIPs. In fact I just deployed these 50Es to replace a Juniper 208 and 5gt. The VIP service on the Junipers worked without issue.

 

I am attempting to allow outside remote access directly to some DVR systems.

 

I have 5 public IPs attached to wan1 from the ISP box. 

 

Public IP of the wan1 is set to x.x.x.176

VIP I am configuring is x.x.x.168

 

I have configured custom services and grouped them for this task. I will be speaking specifically of just one as whatever the issue is will be resolved once that connects.

 

DVR1 service > TCP protocol. 10.0.0.150 internal IP. TCP Range: dest 0-65535 src 5000

VIP for DVR > external range x.x.x.168 to x.x.x.168. Mapped address is 10.0.0.1 NAT disabled. prt forwarding TCP external 5000 and mapped 5000.

Policy is: wan to lan. src all. destination address is the vip group. service is all the DVR services. This is the only wan to lan policy so nothing above it to create havoc.

 

I am able to connect directly to the DVRs on the internal so they are functioning fine.

 

I'm at a loss. Any help would be very appreciated.

 

8 REPLIES 8
EMES
Contributor

Hi,

 

Try removing the IP from the service, it looks like your src and dst service ports are backwards. it should be reversed. from any source port to destination port 5000. Also remove port forwarding from your VIP and let the security policy(and service) dictate what ports are allowed in.

 

Hope that helps

EMES

If that doesnt work then can you show us the CLI config for you have.

 

config firewall service custom

edit xxx

show

end

config firewall vip

edit xxx

show

end

config firewall policy

edit xx

show

end

 

put the name or number each entry where the x's are. Replace any sensitive information as needed.

 

BenJ
New Contributor

Eugene.milon wrote:

If that doesnt work then can you show us the CLI config for you have.

 

config firewall service custom

edit xxx

show

end

config firewall vip

edit xxx

show

end

config firewall policy

edit xx

show

end

 

put the name or number each entry where the x's are. Replace any sensitive information as needed.

 

I have verified that the other public addresses are routing as they should. That would've been easier to blame it on the ISP, but at least it's ruled out. 

 

CLI config

The two custom services:

--More-- edit "DVR1 Server"
--More-- set category "Camera Systems"
--More-- set iprange 10.0.0.150
--More-- set tcp-portrange 0-65535:5000 0-65535:100
--More-- next
--More-- edit "DVR2 Server"
--More-- set category "Camera Systems"
--More-- set iprange 10.0.0.151
--More-- set tcp-portrange 0-65535:5001 0-65535:100
--More-- next
--More-- end

VIPs

edit "DVR1 Server"
 set uuid xxxx
 set extip x.x.x.168
 set extintf "wan1"
 set portforward enable
 set mappedip "10.0.0.150"
 set extport 5000
 set mappedport 5000
 next
 edit "DVR2 Server"
 set uuid xxxx
 set extip x.x.x.168
 set extintf "wan1"
 set portforward enable
 set mappedip "10.0.0.1"
 set extport 5001
 set mappedport 5001

 

Policy

wan:

 set name "internet"
 set uuid xxxx
 set srcintf "lan"
 set dstintf "wan1"
 set srcaddr "all"
 set dstaddr "all"
 set action accept
 set schedule "always"
 set service "ALL"
 set nat enable

DVR

--More-- set name "DVR access"
--More-- set uuid xxxx
--More-- set srcintf "wan1"
--More-- set dstintf "lan"
--More-- set srcaddr "all"
--More-- set dstaddr "DVRs"
--More-- set action accept
--More-- set schedule "always"
--More-- set service "DVR1 Server" "DVR2 Server"
--More-- set logtraffic all

I have other policies related to the tunnel and wifi and such but shouldn't be relevant here.

 

Thanks again for the help. I will continue at this but will call support if need be.

EMES

On the inbound portforwarding is correct since were using the same public my mistake, VIPs are almost correct, but it seems to me your inbound VIP will not work because the service is not allowing that port. Try create a new service for testing and only set the destination for to 5000-5001. On the inbound your source port will always change due port address translation but the destination port will remain the same. If were talking about inbound traffic that's what I think would fix it. Also if your trying to do a uturn NAT (access the public IP from the inside) then you can remove the interface from the VIP. If you run the following commands it will show your the logic of allow/deny when your testing

 

diagnose debug flow filter daddr X.X.X.168

diagnose debug flow trace start 200

diagnose debug enable

BenJ
New Contributor

I tried removing the IP from the service, no change.

 

The src and dest ports are not backwards. src is 5000. dest is full range.

 

Attempting to remove port forwarding from the VIP and let it refer to the service comes back that a duplicate entry already exists. Besides, I understood that by removing port forwarding that it starts down the path of a one to one and I wouldn't be able to define multiple internal IPs.

 

I have plans for after hours to test to make sure this .168 public ip for remote VIP access is still being routed by the ISP.

rwpatterson
Valued Contributor III

BenJ wrote:

I tried removing the IP from the service, no change.

 

The src and dest ports are not backwards. src is 5000. dest is full range.

 

Attempting to remove port forwarding from the VIP and let it refer to the service comes back that a duplicate entry already exists. Besides, I understood that by removing port forwarding that it starts down the path of a one to one and I wouldn't be able to define multiple internal IPs.

 

I have plans for after hours to test to make sure this .168 public ip for remote VIP access is still being routed by the ISP.

To me that is reversed. Source should be any, destination should be 5000. When you go to a web page for example, you specify the destination port (80 for HTTP), not the source port. Try getting to a server when the port is a moving target. Makes no sense... That would be synonymous to delivering a package to an apartment building without knowing the apartment number. Who cares where it came from (source port 5000), the Internet needs to know where exactly it needs to go (destination 5000!).

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
rwpatterson
Valued Contributor III

Eugene.milon wrote:

Hi,

 

Try removing the IP from the service, it looks like your src and dst service ports are backwards. it should be reversed. from any source port to destination port 5000. Also remove port forwarding from your VIP and let the security policy(and service) dictate what ports are allowed in.

 

Hope that helps

If the port forwarding is removed from the VIP, then ALL ports will be forwarded basically clobbering any other access to that IP address. You should never do this if you only have a single IP address to work with.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
kurtli_FTNT
Staff
Staff

Hi there,

   What capture tells if run 'diag sniffer packet any 'host VIP or mappedIP' 4'?  Below debug commands are also helpful.

 

diag debug flow filter dport 5000

diag debug flow trace start 10

 

 

Regards

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors