luca1994
New Contributor III

loopback for internet traffic

Hello team,


I configured a loopback with the WAN role and assigned it a public IP address. Now I need the client network to go out to the outside world with the IP address of the loopback. To do this, is it enough to make policies that have the client interface as the source and the loopback as the destination and enable the NAT flag in the policies, or is it mandatory to configure an IP pool? Thanks for the support

pminarik
Staff

The source and destination interfaces need to be the real source and destination interfaces, i.e.:

srcintf = <some LAN interface/VLAN>

dstintf = <actual WAN uplink>


In this policy, you can apply a relevant IP pool to do the desired SNAT change. In such a scenario, the loopback is essentially just a "dummy" interface that owns the public IP, not much more (as far as outgoing traffic sessions go).

[ corrections always welcome ]
luca1994
New Contributor III

Hello,


I have srcintf = <some LAN interface/VLAN>

I have dstintf = <loopback interface with WAN role and public IP/32>


So, I configure the policy with source srcintf and destination loopback interface with an IP pool. Is it correct?


Thanks for the support

BR

Can I use loopback interface in this way?

pminarik

The loopback cannot be the destination interface for internet-bound traffic. The destination interface must be whichever interface has the default route (or whichever best route towards the destination IP).

As a rule of thumb, the interface configuration of a firewall policy respects the real flow of traffic. Internet-bound traffic does not really end on the loopback, so the loopback is not the destination interface.

[ corrections always welcome ]
luca1994
New Contributor III

Thanks,

so if I run a test as I said it will not work or it will still work but the solution is not supported?

BR

pminarik

A <LAN> -> <loopback> policy will not let internet-bound traffic pass through. So it will not work.

[ corrections always welcome ]
AEK
Honored Contributor II

Hi Luca

Can I ask why you use a loopback? Do you have BGP?

AEK
hbac
Staff

Hi @luca1994,


Why do you want to use loopback? You can just add the new public IP as secondary IP address of your existing WAN interface. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Set-a-secondary-IP-on-a-FortiGate-interfac...


Regards, 

luca1994
New Contributor III

Hello @hbac and @AEK 


Because the provider running MPLS requires the traffic to be sent to the MPLS router with the public IP assigned to the loopback. So I created the IP pool with the loopback's public IP and added it in the policies going from the internal LAN to the physical interface of the FortiGate firewall that has the MPLS IP.

Thanks

AEK
Honored Contributor II

Hi Luca

Ok. You can keep the loopback and do the following as a solution for your question:

For the firewall policy, just use the actual wan interface as outgoing interface, and NAT the outgoing traffic with IP pool containing the loopback's IP address.

Also make sure your default GW is using the actual wan interface.

AEK