Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiToken
- FortiTester
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- virtual ip or port forwarding with 2 wans
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 01-18-2007 09:46 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
virtual ip or port forwarding with 2 wans
Hi all,
i have 2 wan adsl access with my fgt60, i am trying to forward external port 22 (from WAN1 AND WAN2) to a server connected to DMZ port 22.
No problem with the first redirection (from WAN1) but when i am trying to do it on WAN2 i get an error message " A duplicate entry already exists." .
I must change the external service port to another port than 22.
I don' t understand why because the " duplicate" concern WAN1, not WAN2 ...
Any idea ?
Thanks in advance.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you create the VIP are you using an external IP of 0.0.0.0 (any)? If so, you will get this error as a duplicate even though it' s technically on a different interface. Try specifying an IP address to use for the public side on at least one of the VIPs.
FCSE > FCNSP 2.8 > FCNSP 3.0
(Former) FCT
FCSE > FCNSP 2.8 > FCNSP 3.0 (Former) FCT
Not applicable
Created on 01-18-2007 10:48 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes i use 0.0.0.0 on WAN1, but i want to forward this port from all source (all internet) to the same internal server...
if i specify an ip address the forwarding will be only for this adress ...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are correct, it will only come from the address you specify. But then again, it' s better than nothing coming in from that interface.
I see people trying to do this a lot. What I don' t understand is why you need to use ALL your public IP addresses going to one node. People need to know what to connect to...wouldn' t it be just as easy to tell them one IP or FQDN and have all connections come in on that? This would free up additional IP addresses for other needs, now or in the future.
In my mind, the only time you would need to use 0.0.0.0 is when you have DHCP on the WAN rather than a static IP.
FCSE > FCNSP 2.8 > FCNSP 3.0
(Former) FCT
FCSE > FCNSP 2.8 > FCNSP 3.0 (Former) FCT
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The 0.0.0.0 is the virtual interface IP definition. It has nothing to do with where the source IP is coming from. That is determined in the policy! Besides, doing that will make you a target for a LOT of junk from hackers with ping sweeps and such. Imagine, every one of your public IP addresses being forwarded to your mail server. Not pretty! I have enough trouble keeping one IP address clean!
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bob, you have enlightened me on the confusion people are having here. When you create a VIP, the fields are:
Name:
External Interface: <dropdown>
Type: O-Static NAT O-Load Balance
External IP Address/Range:
Mapped IP Address/Range:
Port Forwarding: | |
So what people are thinking is that the " External IP Address/Range" is where the traffic is coming from. You are correct - this is a false assumption. The " External IP Address/Range" is simply the public IP address that you own and the public traffic is DESTINED to. Now, this traffic will be redirected to the " Mapped IP Address/Range" so that external traffic can be destined internal.
So then, as Bob pointed out, you make a firewall policy allowing the traffic and this is where you define where the source IP is...this one is usually 0.0.0.0.
FCSE > FCNSP 2.8 > FCNSP 3.0
(Former) FCT
FCSE > FCNSP 2.8 > FCNSP 3.0 (Former) FCT
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can try to allow the wans to overlap.
From the CLI:
config sys global
(global)# set allow-interface-subnet-overlap enable
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Assistance to allow external access to... 1126 Views
- Help Needed: DDNS Not Working and... 699 Views
- FortiGate FGT200F - Firmware 7.4.4 Slow... 256 Views
- Log messages when forwarding traffic 376 Views
- Two different websites (domains) on two... 343 Views
Labels
-
FortiGate
7,511 -
FortiClient
1,477 -
5.2
801 -
FortiManager
641 -
5.4
639 -
FortiAnalyzer
487 -
6.0
416 -
FortiAP
390 -
FortiSwitch
388 -
5.6
362 -
FortiClient EMS
319 -
FortiMail
288 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
182 -
FortiNAC
139 -
SSL-VPN
131 -
6.4
128 -
IPsec
127 -
FortiGuard
122 -
FortiGateCloud
97 -
FortiCloud Products
93 -
FortiSIEM
91 -
FortiToken
80 -
Customer Service
73 -
Wireless Controller
68 -
SD-WAN
66 -
4.0MR3
64 -
FortiProxy
54 -
FortiEDR
48 -
FortiADC
48 -
FortiAuthenticator
47 -
Fortivoice
46 -
FortiDNS
43 -
Firewall policy
41 -
FortiSandbox
39 -
FortiExtender
39 -
VLAN
37 -
FortiGate v5.4
36 -
High Availability
34 -
FortiSwitch v6.4
32 -
DNS
28 -
BGP
27 -
LDAP
27 -
FortiConnect
26 -
ZTNA
26 -
FortiGate v5.2
24 -
FortiWAN
24 -
Routing
24 -
FortiConverter
23 -
Interface
23 -
SAML
22 -
Certificate
22 -
Authentication
21 -
FortiSwitch v6.2
20 -
NAT
20 -
VDOM
19 -
FortiLink
19 -
FortiPortal
18 -
RADIUS
16 -
Logging
16 -
FortiMonitor
16 -
Virtual IP
16 -
Web profile
16 -
FortiGate v5.0
15 -
SSL SSH inspection
15 -
Fortigate Cloud
14 -
FortiDDoS
14 -
SSO
14 -
Application control
14 -
Traffic shaping
13 -
FortiManager v5.0
12 -
FortiCASB
12 -
IP address management - IPAM
11 -
FortiRecorder
10 -
SSID
10 -
Static route
10 -
WAN optimization
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiAnalyzer v5.0
9 -
FortiSOAR
9 -
FortiWeb v5.0
9 -
SNMP
9 -
RMA Information and Announcements
9 -
OSPF
9 -
FortiAP profile
9 -
FortiManager v4.0
8 -
FortiBridge
8 -
Admin
8 -
Security profile
8 -
Proxy policy
8 -
Web application firewall profile
8 -
4.0
7 -
FortiCache
7 -
Automation
7 -
trunk
6 -
IPS signature
6 -
Antivirus profile
6 -
Traffic shaping policy
6 -
System settings
6 -
FortiCarrier
5 -
FortiDirector
5 -
DNS Filter
5 -
Packet capture
5 -
FortiPAM
5 -
FortiTester
5 -
Users
5 -
Port policy
5 -
Intrusion prevention
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiDeceptor
4 -
FortiToken Cloud
4 -
FortiScan
4 -
Explicit proxy
4 -
Traffic shaping profile
4 -
Application signature
4 -
DLP sensor
4 -
DoS policy
4 -
Web rating
4 -
FortiInsight
3 -
FortiDB
3 -
FortiCWP
3 -
FortiHypervisor
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
Email filter profile
3 -
Fabric connector
3 -
File filter
3 -
Multicast routing
3 -
FortiAI
2 -
FortiNDR
2 -
Internet service database
2 -
Netflow
2 -
Protocol option
2 -
Replacement messages
2 -
Schedule
2 -
Service
2 -
VoIP profile
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
Kerberos
1 -
RIP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1276 | |
| 943 | |
| 676 | |
| 441 | |
| 177 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.