I have a 50-E running 5.4.4. It is currently configured and working fine. I have a second 50-E at another building that is also working and an IPsec tunnel exists between the two.
I am coming from Junipers, so I feel somewhat comfortable but am running into difficulty w/ VIPs. In fact I just deployed these 50Es to replace a Juniper 208 and 5gt. The VIP service on the Junipers worked without issue.
I am attempting to allow outside remote access directly to some DVR systems.
I have 5 public IPs attached to wan1 from the ISP box.
Public IP of the wan1 is set to x.x.x.176
VIP I am configuring is x.x.x.168
I have configured custom services and grouped them for this task. I will be speaking specifically of just one as whatever the issue is will be resolved once that connects.
DVR1 service > TCP protocol. 10.0.0.150 internal IP. TCP Range: dest 0-65535 src 5000
VIP for DVR > external range x.x.x.168 to x.x.x.168. Mapped address is 10.0.0.1 NAT disabled. prt forwarding TCP external 5000 and mapped 5000.
Policy is: wan to lan. src all. destination address is the vip group. service is all the DVR services. This is the only wan to lan policy so nothing above it to create havoc.
I am able to connect directly to the DVRs on the internal so they are functioning fine.
I'm at a loss. Any help would be very appreciated.
Hi,
Try removing the IP from the service, it looks like your src and dst service ports are backwards. it should be reversed. from any source port to destination port 5000. Also remove port forwarding from your VIP and let the security policy(and service) dictate what ports are allowed in.
Hope that helps
If that doesnt work then can you show us the CLI config for you have.
config firewall service custom
edit xxx
show
end
config firewall vip
edit xxx
show
end
config firewall policy
edit xx
show
end
put the name or number each entry where the x's are. Replace any sensitive information as needed.
Eugene.milon wrote:I have verified that the other public addresses are routing as they should. That would've been easier to blame it on the ISP, but at least it's ruled out.If that doesnt work then can you show us the CLI config for you have.
config firewall service custom
edit xxx
show
end
config firewall vip
edit xxx
show
end
config firewall policy
edit xx
show
end
put the name or number each entry where the x's are. Replace any sensitive information as needed.
CLI config
The two custom services:
--More-- edit "DVR1 Server"
--More-- set category "Camera Systems"
--More-- set iprange 10.0.0.150
--More-- set tcp-portrange 0-65535:5000 0-65535:100
--More-- next
--More-- edit "DVR2 Server"
--More-- set category "Camera Systems"
--More-- set iprange 10.0.0.151
--More-- set tcp-portrange 0-65535:5001 0-65535:100
--More-- next
--More-- end
VIPs
edit "DVR1 Server"
set uuid xxxx
set extip x.x.x.168
set extintf "wan1"
set portforward enable
set mappedip "10.0.0.150"
set extport 5000
set mappedport 5000
next
edit "DVR2 Server"
set uuid xxxx
set extip x.x.x.168
set extintf "wan1"
set portforward enable
set mappedip "10.0.0.1"
set extport 5001
set mappedport 5001
Policy
wan:
set name "internet"
set uuid xxxx
set srcintf "lan"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
DVR
--More-- set name "DVR access"
--More-- set uuid xxxx
--More-- set srcintf "wan1"
--More-- set dstintf "lan"
--More-- set srcaddr "all"
--More-- set dstaddr "DVRs"
--More-- set action accept
--More-- set schedule "always"
--More-- set service "DVR1 Server" "DVR2 Server"
--More-- set logtraffic all
I have other policies related to the tunnel and wifi and such but shouldn't be relevant here.
Thanks again for the help. I will continue at this but will call support if need be.
On the inbound portforwarding is correct since were using the same public my mistake, VIPs are almost correct, but it seems to me your inbound VIP will not work because the service is not allowing that port. Try create a new service for testing and only set the destination for to 5000-5001. On the inbound your source port will always change due port address translation but the destination port will remain the same. If were talking about inbound traffic that's what I think would fix it. Also if your trying to do a uturn NAT (access the public IP from the inside) then you can remove the interface from the VIP. If you run the following commands it will show your the logic of allow/deny when your testing
diagnose debug flow filter daddr X.X.X.168
diagnose debug flow trace start 200
diagnose debug enable
I tried removing the IP from the service, no change.
The src and dest ports are not backwards. src is 5000. dest is full range.
Attempting to remove port forwarding from the VIP and let it refer to the service comes back that a duplicate entry already exists. Besides, I understood that by removing port forwarding that it starts down the path of a one to one and I wouldn't be able to define multiple internal IPs.
I have plans for after hours to test to make sure this .168 public ip for remote VIP access is still being routed by the ISP.
BenJ wrote:To me that is reversed. Source should be any, destination should be 5000. When you go to a web page for example, you specify the destination port (80 for HTTP), not the source port. Try getting to a server when the port is a moving target. Makes no sense... That would be synonymous to delivering a package to an apartment building without knowing the apartment number. Who cares where it came from (source port 5000), the Internet needs to know where exactly it needs to go (destination 5000!).I tried removing the IP from the service, no change.
The src and dest ports are not backwards. src is 5000. dest is full range.
Attempting to remove port forwarding from the VIP and let it refer to the service comes back that a duplicate entry already exists. Besides, I understood that by removing port forwarding that it starts down the path of a one to one and I wouldn't be able to define multiple internal IPs.
I have plans for after hours to test to make sure this .168 public ip for remote VIP access is still being routed by the ISP.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Eugene.milon wrote:If the port forwarding is removed from the VIP, then ALL ports will be forwarded basically clobbering any other access to that IP address. You should never do this if you only have a single IP address to work with.Hi,
Try removing the IP from the service, it looks like your src and dst service ports are backwards. it should be reversed. from any source port to destination port 5000. Also remove port forwarding from your VIP and let the security policy(and service) dictate what ports are allowed in.
Hope that helps
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Hi there,
What capture tells if run 'diag sniffer packet any 'host VIP or mappedIP' 4'? Below debug commands are also helpful.
diag debug flow filter dport 5000
diag debug flow trace start 10
Regards
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.