Hello, I want to ask: I have a public IP 2.2.2.2 that is mapped with a virtual IP to the internal network address 192.168.10.5 to access a CCTV camera.
If I am outside the network and use mobile data on my phone, I can access the CCTV with IP 2.2.2.2, but if I use my internal network and access the CCTV with my public IP 2.2.2.2, I cannot access the CCTV. How do I solve that problem? Sorry for my bad English.
Try to create a rule/policy from Internal to Internal with the VIP object as destination.
Not sure if this will work, but give it a try.
The policy is necessary, and the VIP must be connected to the "any" interface, not "wan". Please search the forums for "hairpin", this problem has been posted several times (with solutions).
Thanks for your answer, I will try searching the forums with the keyword "hairpin".
Is this really a "bug", though, or is it just that the FortiGate follows the RFC exactly?
Mike Pruett
MikePruett wrote: Is this really a "bug", though, or is it just that the FortiGate follows the RFC exactly?
It's not a bug, it's just how the firewall works.
Same problem with Cisco ASA, for example.
If you don't allow the traffic on an interface, the firewall will drop the traffic.
Never thought of this as being a bug. "Life of a packet" says NAT comes first, then policy. So essentially you make an 'internal' to 'internal' connection. This is reflected in the policy.
The only tricky (as in: hidden) part is that the VIP needs to be unbound, i.e. bound to 'any'. This is an implementation detail, as the VIP triggers ARP proxying as well as address translation. Specifying the VIP's interface restricts the ARP action to what is necessary, relieving the CPU. In this case, it needs to be 'listen to all traffic' though.
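The two points made in this thread (the VIP bound to "any" rather than "wan", plus an internal-to-internal policy with the VIP as destination) as a worked FortiOS CLI configuration. This is an added example, not configuration posted by anyone in the thread. It assumes the LAN interface is named "internal", the WAN interface is "wan1", the camera is reached over HTTP on TCP/80, and the VIP object is named "cctv-vip"; the addresses 2.2.2.2 and 192.168.10.5 are the ones from the question.

```fortios
# Added example, not from the thread. Assumed names: interface "internal",
# interface "wan1", VIP object "cctv-vip", service HTTP (TCP/80).

# VIP bound to "any": a LAN client that sends to 2.2.2.2 still matches the
# VIP and gets DNAT'ed to 192.168.10.5. Bound to "wan1" it would only match
# packets arriving on wan1, which is why the internal test fails.
config firewall vip
    edit "cctv-vip"
        set extip 2.2.2.2
        set extintf "any"
        set mappedip "192.168.10.5"
        set portforward enable
        set extport 80
        set mappedport 80
    next
end

# Existing WAN-side policy: what already lets the phone in over mobile data.
config firewall policy
    edit 0
        set name "cctv-from-wan"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "cctv-vip"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end

# Hairpin policy: after DNAT the flow is internal -> internal, so it needs
# its own policy. "set nat enable" source-NATs the client to the FortiGate's
# internal address; without it the camera would reply directly to the client
# from 192.168.10.5, the client expects the reply from 2.2.2.2, and the
# session is dropped.
config firewall policy
    edit 0
        set name "cctv-hairpin"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "cctv-vip"
        set action accept
        set schedule "always"
        set service "HTTP"
        set nat enable
    next
end
```

To confirm the hairpin policy is the one being hit, the FortiGate's built-in sniffer shows the translated flow on the LAN side: `diagnose sniffer packet internal 'host 192.168.10.5 and port 80' 4` should show the request arriving at the camera from the FortiGate's internal address, not from the client's LAN address, once the internal-to-internal policy with NAT is in place. Keep `srcaddr` and `service` as tight as the page's own advice allows; "all" and "HTTP" are placeholders for whatever clients and protocol the camera actually needs.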