Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Kess
New Contributor

Port Forwarding not working

Hi all guys,

I have a problem with port forwarding on my new FG61E with FortiOS 5.4.1.

 

Schema:

Internet <-> (Public IP) Router (192.168.123.1) <-> (192.168.123.10) FG61E (192.168.69.254) <-> Server1 (192.168.69.156)

 

In the provider router the needed ports are correctly forwarded, I can see the incoming traffin on the FG.

 

There the rules:

config firewall service custom
    edit "OpenVPN"
        set category "Tunneling"
        set udp-portrange 1195-1199
    next
end

config firewall vip
    edit "VIP_pfSense_OpenVPNUDP"
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.69.156"
        set protocol udp
        set extport 1195-1199
        set mappedport 1195-1199
    next
end

config firewall policy
    edit 5
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP_pfSense_OpenVPNUDP"
        set action accept
        set schedule "always"
        set service "OpenVPN"
        set logtraffic all
    next
end

 

What i get logged:

Date 09/15/2016
Time 21:11:23
Duration 0s
Session ID 24784
Virtual Domain root
NAT Translation Destination
Source
IP 111.111.111.111
Port 48037
Country Switzerland
Interface wan1 (Internet)
Destination
IP 192.168.123.10
NAT IP 192.168.69.156
Port 1195
Country Reserved
Interface internal (Internal)
Application
Name OPENVPN
Category unscanned
Protocol udp
Service OpenVPN
Data
Received Bytes 0 B
Sent Bytes 0 B
Sent Packets 0
Action
Action Deny: policy violation
Threat 131072
Policy 0 (Implicit Deny)
Policy UUID c44ddfe6-7b73-51e6-3350-2b6860c088e1
Policy Type IPv4
Security
Level
Threat Level critical
Threat Score 30

 

Any help appreciated.

Thank you very much,

bye Kess.

9 REPLIES 9
ede_pfau
SuperUser
SuperUser

If you try a VIP without port forwarding, does it work then? Other debug output?

You should run a 'diag deb flow' on the FGT in any case.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Kess
New Contributor

Hi Ede,

thank you for your reply.

 

There's my log:

id=20085 trace_id=102 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=17, 123.123.123.123:54519->192.168.123.10:1195) from wan1. "
id=20085 trace_id=102 func=init_ip_session_common line=4935 msg="allocate a new session-00001cd2"
id=20085 trace_id=102 func=fw_pre_route_handler line=182 msg="VIP-192.168.69.156:1195, outdev-wan1"
id=20085 trace_id=102 func=__ip_session_run_tuple line=2808 msg="DNAT 192.168.123.10:1195->192.168.69.156:1195"
id=20085 trace_id=102 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-192.168.69.156 via internal"
id=20085 trace_id=102 func=fw_forward_handler line=558 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=103 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=17, 123.123.123.123:54519->192.168.123.10:1195) from wan1. "
id=20085 trace_id=103 func=init_ip_session_common line=4935 msg="allocate a new session-00001cde"
id=20085 trace_id=103 func=fw_pre_route_handler line=182 msg="VIP-192.168.69.156:1195, outdev-wan1"
id=20085 trace_id=103 func=__ip_session_run_tuple line=2808 msg="DNAT 192.168.123.10:1195->192.168.69.156:1195"
id=20085 trace_id=103 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-192.168.69.156 via internal"
id=20085 trace_id=103 func=fw_forward_handler line=558 msg="Denied by forward policy check (policy 0)"

 

It seems correct, but unfortunately something I can't understand goes wrong and the policy is not matched...

 

Do you understand what's wrong here ?

Thank you very much.

Kess
New Contributor

Forgot to tell you.

Without Port Forwarding same problem...

Kess
New Contributor

There's no such policy, at least not in CLI.

Policy ID 0 is the "Implicit Deny" policy.

ede_pfau

Please check 2 things:

1- VIP

I cannot see from the definition which external address you are translating - surely from the 192.168.123 subnet, right?

2- routing

The FGT must have a route back to the source address of incoming traffic. Please post the 'get route info routing-table' data here. The route to 192.168.123 should be automatic. Then, for arbitrary external source addresses, you need a default route pointing to the ingress interface, gateway 192.168.123.1.

Otherwise the FGT will drop traffic from unknown sources.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Kess
New Contributor

Hi Ede,

thx for reply.

To answer your questions:

1. I've not set it in the VIP, it's defined as 0.0.0.0. I also tried to set up an IP address to translate (Wan1 IP) but it doesn't change.

2.Default route to gateway is set as you can see there:

FG61E # get router info routing-table details 
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S* 0.0.0.0/0 [10/0] via 192.168.123.1, wan1
S 10.10.0.0/24 [2/0] is directly connected, ssl.root
C 192.168.50.0/24 is directly connected, WiFi-Company
C 192.168.51.0/24 is directly connected, WiFi-Guests
C 192.168.69.0/24 is directly connected, internal
C 192.168.70.0/24 is directly connected, internal
C 192.168.79.0/24 is directly connected, wan2
C 192.168.123.0/24 is directly connected, wan1

 

Thx for your help.

Bye Kess

MikePruett
Valued Contributor

There a particular reason why you don't just let the FortiGate handle the routing and remove the extra piece of equipment? (is this a legit router or is it just one of those modem/gateway things? if it is a modem/gateway have your ISP throw that thing in transparent / bridge mode and let the Gate handle your needs. Life will be much simpler and work more often.

Mike Pruett Fortinet GURU | Fortinet Training Videos
Kess

Hi Mike,

thank you for your reply.

 

Unfortunately this router must stay in routing mode with NAT enabled. I can set in in PPPoE Passthrough but I'm going to loose a feature that I don't want to lose, the 4G USB Internet Backup.

Kess
New Contributor

Didn't find any solution for that problem, so i decided to factory reset the firewall and to start from scratch again.

I've reconfigured everything again, and miracle, everything is now working correctly.

 

Thank you alll for the time you dedicated over that issue.

Bye Kess.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors