Not applicable

virtual ip or port forwarding with 2 wans

Hi all, I have 2 WAN ADSL accesses with my FGT60. I am trying to forward external port 22 (from WAN1 AND WAN2) to a server connected to the DMZ, port 22. No problem with the first redirection (from WAN1), but when I try to do it on WAN2 I get an error message: "A duplicate entry already exists." I must change the external service port to another port than 22. I don't understand why, because the "duplicate" concerns WAN1, not WAN2... Any idea? Thanks in advance.
Fireshield
New Contributor

When you create the VIP, are you using an external IP of 0.0.0.0 (any)? If so, you will get this error as a duplicate even though it's technically on a different interface. Try specifying an IP address to use for the public side on at least one of the VIPs.
FCSE > FCNSP 2.8 > FCNSP 3.0 (Former) FCT
Not applicable

Yes, I use 0.0.0.0 on WAN1, but I want to forward this port from all sources (all Internet) to the same internal server... If I specify an IP address, the forwarding will be only for this address...
Fireshield
New Contributor

You are correct, it will only come from the address you specify. But then again, it's better than nothing coming in from that interface. I see people trying to do this a lot. What I don't understand is why you need to use ALL your public IP addresses going to one node. People need to know what to connect to... wouldn't it be just as easy to tell them one IP or FQDN and have all connections come in on that? This would free up additional IP addresses for other needs, now or in the future. In my mind, the only time you would need to use 0.0.0.0 is when you have DHCP on the WAN rather than a static IP.
FCSE > FCNSP 2.8 > FCNSP 3.0 (Former) FCT
rwpatterson
Valued Contributor III

The 0.0.0.0 is the virtual interface IP definition. It has nothing to do with where the source IP is coming from. That is determined in the policy! Besides, doing that will make you a target for a LOT of junk from hackers with ping sweeps and such. Imagine, every one of your public IP addresses being forwarded to your mail server. Not pretty! I have enough trouble keeping one IP address clean!

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Fireshield
New Contributor

Bob, you have enlightened me on the confusion people are having here. When you create a VIP, the fields are:

- Name:
- External Interface: <dropdown>
- Type: O Static NAT / O Load Balance
- External IP Address/Range:
- Mapped IP Address/Range:
- Port Forwarding: | |

So what people are thinking is that the "External IP Address/Range" is where the traffic is coming from. You are correct - this is a false assumption. The "External IP Address/Range" is simply the public IP address that you own and the public traffic is DESTINED to. Now, this traffic will be redirected to the "Mapped IP Address/Range" so that external traffic can be destined internal. So then, as Bob pointed out, you make a firewall policy allowing the traffic and this is where you define where the source IP is... this one is usually 0.0.0.0.
FCSE > FCNSP 2.8 > FCNSP 3.0 (Former) FCT
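The following is an added configuration example illustrating the explanation above; it is not from the thread and not Fortinet's own documentation. It assumes the interface names wan1, wan2 and dmz, a constructed DMZ host at 10.10.10.5, a placeholder static public address 203.0.113.10 on wan2, and the CLI syntax of current FortiOS releases (the FortiOS 3.0-era GUI shown in the post uses the same fields under slightly different names). The two VIPs no longer collide because only the dynamic wan1 VIP uses 0.0.0.0; the wan2 VIP carries its real public address. Reachability from the Internet is granted in the policy's source address, not in the VIP.

```text
# Added example, not from the thread. Interface names, 10.10.10.5 and
# 203.0.113.10 are constructed placeholders.

config firewall vip
    # wan1 is the dynamic ADSL link: extip 0.0.0.0 means "whatever IP wan1 has".
    edit "vip_ssh_wan1"
        set extintf "wan1"
        set extip 0.0.0.0
        set mappedip "10.10.10.5"
        set portforward enable
        set protocol tcp
        set extport 22
        set mappedport 22
    next
    # wan2 is given its real public address, so the two entries are distinct.
    edit "vip_ssh_wan2"
        set extintf "wan2"
        set extip 203.0.113.10
        set mappedip "10.10.10.5"
        set portforward enable
        set protocol tcp
        set extport 22
        set mappedport 22
    next
end

# The policy, not the VIP, decides who may reach the server.
# srcaddr "all" admits any Internet source, which is what the original
# poster asked for; replacing it with an address object listing known
# management networks limits the exposure Bob describes.
config firewall policy
    edit 0
        set name "ssh_in_wan1"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip_ssh_wan1"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
    edit 0
        set name "ssh_in_wan2"
        set srcintf "wan2"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip_ssh_wan2"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
end
```

Logging is enabled on both policies so that connection attempts against port 22 on either WAN show up in the traffic log; with two public entry points forwarded to one host, that log is the first place to look when the host sees unexpected login attempts.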
nsantin
New Contributor III

You can try to allow the WANs to overlap. From the CLI:

```
config sys global
    set allow-interface-subnet-overlap enable
end
```