RDM
New Contributor

One virtual server for external and internal access

Hello,

I'm playing with virtual servers that load balance HTTPS servers, running under FortiOS 7.2.3.

I configured an internal virtual server like this:

VIP_LB_INT --- HTTPS checks --- Real servers

Internal people access the VIP directly from the LAN and everything is working smoothly.

The need changed: I need to give external people access to this load balancer.

So now I have configured a static NAT from one of my public IPs to my VIP_LB_INT IP.

Unfortunately this is not working and I don't know why it couldn't work.

I tried to diagnose and I can see that the FortiGate sends an ARP request on my VIP_LB_INT interface, asking who has VIP_LB_INT. Of course, no one answers, because that is the FortiGate itself.

Why does it even try? Is the FortiGate not aware of its own virtual IP?

 

From Outside:

6.290750 PORT1 in 178.****.51856 -> 80.*.*.*.443: syn 3730813839
6.290769 INTERNAL out arp who-has 172.28.26.90 tell 172.28.27.100
6.290769 LAGG0 out arp who-has 172.28.26.90 tell 172.28.27.100
6.290770 x2 out arp who-has 172.28.26.90 tell 172.28.27.100

From inside:

445.345921 INTERNAL in arp who-has 172.28.26.90 tell 172.28.26.83
445.345925 INTERNAL out arp reply 172.28.26.90 is-at 0:9:f:9:0:12
445.345926 LAGG0 out arp reply 172.28.26.90 is-at 0:9:f:9:0:12
445.345926 x2 out arp reply 172.28.26.90 is-at 0:9:f:9:0:12
445.346031 INTERNAL in 172.28.26.83.53126 -> 172.28.26.90.443: syn 3757113778

Legend:

PORT1 is my WAN

INTERNAL my LAN

LAGG0 my aggregate

x2 one member of my aggregate

Is it possible to do what I'm trying to do, or do I simply need to create a second virtual server for my outside access?

 

Thanks

RDM

Anthony_E
Community Manager

Hello RDM,


Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Anthony-Fortinet Community Team.
RDM
New Contributor

Thanks Anthony.

Let me know if you need any more details.

Anthony_E
Community Manager

Hello RDM,


Sure, I will come back to you if we need more information.


Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello RDM,

While waiting for an answer, I found this KB article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-virtual-server/ta-p/194457

Is that of any help?


Regards,

Anthony-Fortinet Community Team.
RDM
New Contributor

Unfortunately no.

I know how to configure a virtual server. But I need my virtual server to be available internally and externally.

Do I need to create two different virtual servers, or can I create only one (the internal one) and then do a static NAT to it (if so, how? I can't figure out a way to make it work)?


Best

RDM

Anthony_E
Community Manager

Hello RDM,


Oh ok!

We will then continue to work on it!


Regards,

Anthony-Fortinet Community Team.
RDM
New Contributor

Maybe the answer is: this is not possible and I need to create two different objects for the same "role".

However, I'm just looking for some feedback to be sure it cannot work like this.

Anthony_E
Community Manager

Sure!

Makes sense to me.


Regards,

Anthony-Fortinet Community Team.
RDM
New Contributor

I guess I will end up creating multiple LBs...

https://community.fortinet.com/t5/Fortinet-Forum/Virtual-IP-with-port-forwarding-to-Virtual-Server/t...

It could be so simple to have one internal LB and then a VIP to forward the port to it, instead of having two different objects that do the same thing.
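Since the thread ends with a second load balancer for the outside, here is an added FortiOS CLI example (not from the posts) of the two server-load-balance VIP objects, both pointing straight at the real servers rather than at the other VIP's address, which is what the unanswered ARP in the sniffer output above shows the FortiGate will not resolve. The interface name "internal", the monitor name, the real-server addresses and the public IP 203.0.113.10 are placeholders (assumptions); each VIP still needs its own firewall policy from its own interface to the real servers.

```text
config firewall ldb-monitor
    edit "HTTPS_CHECK"
        set type https
        set interval 10
        set timeout 2
        set retry 3
    next
end
config firewall vip
    # Internal virtual server as in the thread; 172.28.26.90 is the VIP seen in the sniffer output
    edit "VIP_LB_INT"
        set type server-load-balance
        set server-type https
        set extip 172.28.26.90
        set extintf "internal"
        set extport 443
        set monitor "HTTPS_CHECK"
        config realservers
            edit 1
                set ip 172.28.26.101
                set port 443
            next
            edit 2
                set ip 172.28.26.102
                set port 443
            next
        end
    next
    # External virtual server: same real servers and health check, bound to the WAN (placeholder public IP)
    edit "VIP_LB_EXT"
        set type server-load-balance
        set server-type https
        set extip 203.0.113.10
        set extintf "port1"
        set extport 443
        set monitor "HTTPS_CHECK"
        config realservers
            edit 1
                set ip 172.28.26.101
                set port 443
            next
            edit 2
                set ip 172.28.26.102
                set port 443
            next
        end
    next
end
```

Sharing the same monitor on both objects means a real server that fails the HTTPS check drops out of both pools at once, so internal and external users see the same backend state.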
