Hello team,
I configured a loopback with the WAN role and assigned it a public IP address. Now I need the client network to go out to the outside world with the IP address of the loopback. To do this, is it enough to create policies that have the client interface as the source and the loopback as the destination and enable the NAT flag in the policies, or is it mandatory to configure an IP pool? Thanks for the support
The source and destination interfaces need to be the real source and destination interfaces, i.e.:
srcintf = <some LAN interface/VLAN>
dstintf = <actual WAN uplink>
In this policy, you can apply a relevant IP pool to do the desired SNAT change. In such a scenario, the loopback is essentially just a "dummy" interface that owns the public IP, not much more (as far as outgoing traffic sessions go).
Hello,
I have srcintf = <some LAN interface/VLAN>
I have dstintf = <loopback interface with WAN role and public IP/32>
So, I configure the policy with source srcintf and destination loopback interface with an IP pool. Is that correct?
Thanks for the support
BR
Can I use loopback interface in this way?
Created on 01-12-2024 02:07 AM Edited on 01-12-2024 02:08 AM
The loopback cannot be the destination interface for internet-bound traffic. The destination interface must be whichever interface has the default route (or whichever best route towards the destination IP).
As a rule of thumb, the interface configuration of a firewall policy respects the real flow of traffic. Internet-bound traffic does not really end on the loopback, so the loopback is not the destination interface.
Thanks,
So if I run a test as I said, will it not work, or will it still work but the solution is not supported?
BR
A <LAN> -> <loopback> policy will not let internet-bound traffic pass through. So it will not work.
Hi Luca
Can I ask why do you use loopback? Do you have BGP?
Hi @luca1994,
Why do you want to use loopback? You can just add the new public IP as secondary IP address of your existing WAN interface. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Set-a-secondary-IP-on-a-FortiGate-interfac...
Regards,
Created on 01-12-2024 07:35 AM Edited on 01-12-2024 07:36 AM
Because the provider running MPLS requires the traffic to be sent to the MPLS router with the public IP assigned to the loopback. So I created the IP pool with the loopback's public IP and added it to the policies going from the internal LAN to the physical interface of the FortiGate firewall that has the MPLS IP.
Thanks
Hi Luca
Ok. You can keep the loopback and do the following as a solution for your question:
For the firewall policy, just use the actual WAN interface as the outgoing interface, and NAT the outgoing traffic with an IP pool containing the loopback's IP address.
Also make sure your default GW is using the actual wan interface.