Hi,
I'm hosting my websites on an ispconfig3 server from my home. I was using pfsense as the gateway, and 2 days ago I switched to a 30E (unlicensed), so I forwarded the necessary ports to my ispconfig3 server, but my websites are not reachable. When I plug in my old pfsense it works, but when I switch to the FortiGate it stops working.
I checked the ports over and over again through ping.eu; it seems like all ports (especially the DNS port 53) are open and reachable from the outside world, but when I check the A record through https://dnschecker.org/#A/fscdepo.com (it's one of my domains that runs on my server) it's not reachable.
Any ideas?
VIP (port forwarding) is too basic a feature on the FortiGate to cause problems, so with 99% probability it is a misconfiguration. Have you followed the docs in configuring VIPs (e.g. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-Virtual-IPs-to-configure-port-forwar...)?
In the security policy you have the "Policy lookup" button in the upper bar to simulate packets passing the firewall. Use it, putting in the src IP of some client on the Internet and the dst external IP of the server, and see if the match is done on the correct policy.
Created on 04-03-2022 10:08 AM Edited on 04-03-2022 10:11 AM
Hi Yuri,
First of all, thanks for sharing your blog's URL; there is lots of information there for me :)
Let me explain how my connection works. I'm using a fiber modem to reach the internet, so my FortiGate is connected to my modem. I can't connect the Forti to the fiber directly because I'm also getting IPTV service from my ISP, and the ISP's IPTV service does not work if I don't connect the modem to the fiber directly;
- Fiber Modem: 192.168.1.254
- Forti 30E: 192.168.2.254
- ISPCONFIG3 Web server: 192.168.2.245
I'm forwarding port 53 from the modem to the FortiGate first, and after that forwarding from the Forti to the ispconfig3 server as below;
When I check from ping.eu, port 53 seems open, but when I check through https://dnschecker.org/ my websites are not reachable. If I connect my ispconfig3 server directly to the modem and forward the ports to the server, or if I connect my server to my old pfsense gw, it works without any problem.
I also tested "Policy Lookup" as you mentioned, and it seems like my policy works without any problem. I really don't know what is causing this.
The strange thing is we are using a similar configuration at the company I work for, with a 600E + ispconfig3, and it works the same way I'm trying to do at home; there is no problem on the 600E. The only difference between the 600E and my 30E is the licence: the 600E is licensed and my 30E is not. Does that make a difference? As far as I know I can use my 30E for basic operations without a licence.
Hey sheshman,
can you also share the policy?
The VIP itself looks fine, so I would want to double-check that you have the correct policy from WAN -> LAN in place with the VIP as the destination object.
In addition, you might want a policy in the reverse direction (LAN -> WAN) and ensure the traffic from your server is NATed to the VIP's external IP properly.
Also, a question for my understanding:
- your fiber modem translates the public IP to 192.168.1.254
- FortiGate translates that IP 192.168.1.254 to 192.168.2.245?
- if the modem translated to 192.168.2.245 directly, FortiGate wouldn't need any VIP configuration; it could just route and require a simple IPv4 policy
Created on 04-04-2022 02:59 AM Edited on 04-04-2022 02:59 AM
Hi
your fiber modem translates the public IP to 192.168.1.254 - yeap
FortiGate translates that IP 192.168.1.254 to 192.168.2.245? - yeap
if the modem translated to 192.168.2.245 directly - no, the modem can't do that because the modem is on 192.168.1.x and my LAN works on 192.168.2.x, so the modem cannot reach the 192.168.2.x network.
My policy is as below;
I'm not sure if this is required - but can you change the policy to use source interface 'wan' instead of SD-WAN, to line up with the external interface defined on your VIP?
Other than that, the policy looks fine as far as I can see (if the VIP is part of the VIP group you have set as destination).
Unfortunately there is no wan option; there is only SD-WAN.
Hey sheshman,
in that case, can you remove the external interface from the VIP and set it to 'any' interface?
Or, if you're not using SD-WAN, you could remove the 'wan' interface from SD-WAN settings. You would have to rework your outgoing policies to use 'wan' interface instead of SD-WAN though.
Changing the interface to any on the VIP didn't solve the problem.
The thing that I don't understand is I've also got a Zimbra server and it works with the same logic. I mean all port forwards work without any problem to that server, but when I forward to ispconfig3 then all of my websites go offline; it seems like somehow port 53 is not communicating with the outside world.
Hi again, thanks.
Configs seem OK.
Unlicensed - for hardware models it may matter for Application Control/IPS/AV features, but basic functions like VPN, NAT, routing and FW work just fine. So, no - the license cannot cause traffic problems.
When you switch to PFsense and it starts to work - is it possible the fiber modem is set to work with PFsense's MAC address?
Anyway, the best way to proceed is to run the packet sniffer while trying to reach the servers behind the FGT. You can do it while connected via SSH, or use the web applet in the FGT GUI - in the upper right corner you have ">_" to open the applet-based CLI.
The syntax would be: dia sni pa any 'host Source_IP_of_client_here' 4
Where Source_IP_of_client_here is the IP address of some external (on the Internet) client trying to access the server(s) on an open port. The desired output will contain the packet coming in on the wan interface and going out on the lan interface with the proper NAT translations.
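As an added illustration (not code from the thread or from Fortinet), here is a small Python checker that reads the sniffer output described above and reports, per client flow, whether a packet that arrived on the wan interface left on the lan interface with its destination rewritten to the server. The record format, the interface names "wan"/"lan", the client IP 198.51.100.7 and the FortiGate WAN address 192.168.1.2 are assumptions; the sample lines are constructed.

```python
import re

# Constructed sample of "diagnose sniffer packet any 'host 198.51.100.7' 4" output
# (assumed format: "<time> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: <info>").
# 192.168.1.2 is the assumed WAN address of the FortiGate behind the modem.
SAMPLE = """interfaces=[any]
filters=[host 198.51.100.7]
0.100000 wan in 198.51.100.7.40000 -> 192.168.1.2.53: udp 40
0.100050 lan out 198.51.100.7.40000 -> 192.168.2.245.53: udp 40
0.200000 wan in 198.51.100.7.40001 -> 192.168.1.2.80: syn 1000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s*(?P<info>.*)$"
)

def parse_sniffer(text):
    """Return one dict per line that looks like a verbosity-4 packet record."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            pkts.append(d)
    return pkts

def check_forward(pkts, client_ip, wan_intf, lan_intf, server_ip, port):
    """Per client flow to `port`: was the packet seen 'in' on wan, and did it
    leave 'out' on lan with the destination rewritten to the server (DNAT)?"""
    verdicts = {}  # (client_ip, sport) -> text verdict
    for p in pkts:
        if p["src"] != client_ip or p["dport"] != port:
            continue
        key = (p["src"], p["sport"])
        if p["intf"] == wan_intf and p["dir"] == "in":
            verdicts.setdefault(key, "received on wan, never sent out on lan")
        elif p["intf"] == lan_intf and p["dir"] == "out" and key in verdicts:
            verdicts[key] = ("forwarded to server" if p["dst"] == server_ip
                             else "forwarded to wrong host " + p["dst"])
    return verdicts

if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE)
    for port in (53, 80):
        print(port, check_forward(pkts, "198.51.100.7", "wan", "lan", "192.168.2.245", port))
```

In the constructed sample the DNS query is forwarded correctly while the port 80 SYN is received but never leaves on lan, which is the pattern that points at a policy or VIP problem rather than at the upstream modem.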