Support Forum
Techontop
New Contributor

Port forward fail

Just inherited a site with a FortiGate 60E. The old firmware, 5.4.5, will be updated, but right now I just need to get remote access using OpenVPN. All indications are that port forwarding is not working. I have read lots of docs, viewed numerous videos, and tried assorted combinations, but none work. (I use OpenVPN to other server sites and similar routers (SonicWall).) Here are some of the address objects and policy combinations I've tried. Thanks.

 

[Screenshots attached: forward1.png, forward2.png, forward3.png]

T

[Screenshot attached: forward4.png]

7 Replies
ozkanaltas
Contributor III

Hello @Techontop,

First, you need to change the external IP address range in the VIP settings. This IP address should be your wan1 IP address.

After that, you need to use this VIP object as the destination in the firewall policy.

And you can also review this document about VIP configuration.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configurati...

[Screenshots attached: image.png, image.png]

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
ezhupa
Staff
Techontop
New Contributor


ozkanaltas and ezhupa,
Thanks. I think the suggestions are things I've tried, or they look like they apply but not for my case.
The VIP OpenVPN2 that has wan as the interface is because the label "interface" is ambiguous, so I made OpenVPN with interface Lan and OpenVPN2 with interface Wan and would experiment alternating between them as I tried things. I do want it accessible from anywhere, so I've left External as 0.0.0.0.
The link to the 5.4 doc is good because all the examples I've seen show setting a firewall policy, but this FortiGate and revision doesn't have Firewall but does have a similar policy menu under IPv4 Policy. That doc references setting specific external IPs whereas I'm using 0.0.0.0, but other than that it's what I'm already doing.
Does it matter if I use a VIP or a named Address object as the Destination? Looks like it should work either way.
BTW, the Windows Firewall port is open. The OpenVPN log on the server side shows ready and no activity, no errors.
I looked at the FortiGate logs but no info. Is there a way to log and see if the FortiGate gets a request but rejects it? I could dig into Wireshark, but if the router can log its own related actions that's better.
Thanks.

Techontop
New Contributor

And is there something else I need to do to make changes take effect (besides just hitting okay at the bottom of it)? I tried turning ping on and off on the wan interface yet it still responds even when off. Like it shows I made a change but it hasn't happened yet.

funkylicious
SuperUser

Hi,

To answer your question about VIP and named addresses as destination: they have different roles. The first one should be used when you are trying to grant access via a port forward from the Internet to your server/services in the LAN; the last is for when you need to create firewall rules between different interfaces locally, LAN1 > LAN2, LAN1 > WAN, etc.

Does your WAN have a static IP, or is it via PPPoE/DHCP? If it's a static IP, I would recommend manually entering the public IP address in the external address range of the OpenVPN2 VIP configuration.

Also, the firewall policy should look like: wan > lan, all > VIP.

I assume that the local subnet 192.168.1.0/24 is defined locally on the internal1 interface and not on another one, right?

You can run the following commands to see if the traffic on port UDP/1194 is reaching the firewall and if it's permitted.

diag debug en
diag debug flow filter saddr <pub ip of initiator>
diag debug flow filter daddr <private ip of openvpn srv>
diag debug flow trace start 100

Afterwards, you can stop it with:

diag debug flow trace stop
diag debug disable

---------------------------
geek
---------------------------
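The debug flow trace recommended above answers, per packet, exactly the three questions behind a failing port forward: did the packet reach the firewall on the WAN interface, did a VIP translate it (DNAT), and did a wan > lan policy allow it. The following is an added example, not code from the thread or from Fortinet: a small Python parser over constructed sample `diag debug flow trace` lines (the message shapes follow FortiOS debug flow output, but the addresses, trace ids, session ids and the policy number are made up) that groups lines by trace_id and reports which of those three steps failed.

```python
import re

# Constructed sample of `diag debug flow trace` output (not taken from the
# thread): trace 1 is an inbound UDP/1194 packet that hits the VIP and is
# accepted; trace 2 is one that matches no VIP and is dropped. Addresses,
# trace ids, session ids and the policy number are made up.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5361 msg="vd-root received a packet(proto=17, 198.51.100.7:51234->203.0.113.10:1194) from wan1. "
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=fw_pre_route_handler line=180 msg="VIP-192.168.1.50:1194, outdev-wan1"
id=20085 trace_id=1 func=__ip_session_run_tuple line=2868 msg="DNAT 203.0.113.10:1194->192.168.1.50:1194"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.1.50 via internal1"
id=20085 trace_id=1 func=fw_forward_handler line=737 msg="Allowed by Policy-5:"
id=20085 trace_id=2 func=print_pkt_detail line=5361 msg="vd-root received a packet(proto=17, 198.51.100.7:51235->203.0.113.10:1194) from wan1. "
id=20085 trace_id=2 func=init_ip_session_common line=5519 msg="allocate a new session-0000a1b3"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=80000000 gw-203.0.113.10 via root"
id=20085 trace_id=2 func=fw_local_in_handler line=385 msg="iprope_in_check() check failed on policy 0, drop"
"""

LINE_RE = re.compile(r'trace_id=(\d+)\b.*?msg="(.*)"\s*$')
PKT_RE = re.compile(
    r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')
DNAT_RE = re.compile(r'DNAT [\d.]+:\d+->([\d.]+):(\d+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')


def parse_flow_trace(text):
    """Group debug flow lines by trace_id and pull out the facts that matter
    for a port-forward problem: the packet as received, any DNAT the VIP
    applied, and the policy verdict."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(tid, {"packet": None, "dnat": None,
                                    "verdict": "no verdict", "policy": None})
        pm = PKT_RE.search(msg)
        if pm:
            t["packet"] = {"proto": int(pm.group(1)),
                           "src": (pm.group(2), int(pm.group(3))),
                           "dst": (pm.group(4), int(pm.group(5))),
                           "ingress": pm.group(6)}
        dm = DNAT_RE.search(msg)
        if dm:
            t["dnat"] = (dm.group(1), int(dm.group(2)))
        am = ALLOW_RE.search(msg)
        if am:
            t["verdict"], t["policy"] = "allowed", int(am.group(1))
        elif "drop" in msg or "Denied" in msg:
            t["verdict"] = "dropped"
    return traces


def diagnose(trace):
    """One-line reading of a parsed trace, in the order a port forward fails:
    did the packet arrive, did a VIP translate it, did a policy allow it?"""
    pkt = trace["packet"]
    if pkt is None:
        return "no packet seen: traffic is not reaching the firewall"
    if trace["dnat"] is None:
        return (f"reached {pkt['ingress']} for {pkt['dst'][0]}:{pkt['dst'][1]} "
                "but no VIP matched: check the VIP external IP/port")
    ip, port = trace["dnat"]
    if trace["verdict"] == "allowed":
        return f"forwarded to {ip}:{port} by policy {trace['policy']}"
    return (f"translated to {ip}:{port} but dropped: check the wan > lan "
            "policy with the VIP as destination")


if __name__ == "__main__":
    for tid, trace in sorted(parse_flow_trace(SAMPLE_TRACE).items()):
        print(f"trace {tid}: {diagnose(trace)}")
```

Run it against a trace captured with the filter commands above (saddr set to the client's public IP, daddr to the OpenVPN server) and the absence of a DNAT line is the signature of the 0.0.0.0 external-address problem discussed in this thread: the packet arrives on wan1 but nothing translates it, so it is handled as traffic to the firewall itself and dropped by the local-in check.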
ozkanaltas
Contributor III

Hello @Techontop,

You can review the document below for your situation. If you apply the steps in the document, you can access your VPN server from outside.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configurati...

You can't create a policy with an address object when you want to allow connections from outside. You need to create it with the VIP object.

Also, in the VIP object you need to configure your public IP or the public-side interface address.

0.0.0.0 will not work in the VIP object.

You don't need to do anything else for changes to take effect. Clicking OK applies all changes.

If you want to trace the packets on the firewall, you can use this command.

 

diagnose sniffer packet any 'host x.x.x.x' 4 a 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
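The advice in this thread boils down to two configuration checks: the VIP's external IP must be the wan1 address rather than 0.0.0.0 (ozkanaltas, both replies), and the inbound wan > lan policy must use the VIP object, not a plain address object, as its destination (funkylicious's "all > VIP"). The following is an added example and not code from the thread or from Fortinet: a Python parser for the FortiOS CLI `config / edit / set / next / end` format, run over a constructed configuration excerpt that reproduces both mistakes, plus a lint that reports them. The VIP and policy names, the interface names wan1 and internal1, the server address 192.168.1.50, the policy id 5 and the public IP 203.0.113.10 are all made up for the example.

```python
import shlex

# Constructed FortiOS CLI excerpt (not from the thread) reproducing the two
# mistakes the replies call out: a VIP whose external IP is left at 0.0.0.0,
# and an inbound policy whose destination is a plain address object instead
# of the VIP. Names, addresses and the policy id are made up.
SAMPLE_CONFIG = """\
config firewall vip
    edit "OpenVPN-UDP1194"
        set extip 0.0.0.0
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.1.50"
        set protocol udp
        set extport 1194
        set mappedport 1194
    next
end
config firewall address
    edit "OpenVPN-server"
        set subnet 192.168.1.50 255.255.255.255
    next
end
config firewall policy
    edit 5
        set name "Inbound-OpenVPN"
        set srcintf "wan1"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "OpenVPN-server"
        set action accept
        set schedule "always"
        set service "OpenVPN-UDP1194"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS 'config / edit / set / next / end' blocks into nested
    dicts: {table: {entry: {option: [values...]}}}."""
    root = {}
    stack = [root]  # innermost open table or entry is at the top
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())  # strips the CLI's double quotes
        if not parts:
            continue
        kw = parts[0]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(parts[1], {}))
        elif kw == "set":
            stack[-1][parts[1]] = parts[2:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


def lint_port_forward(cfg, wan_if="wan1"):
    """Check a parsed config against the advice in the thread. Returns a list
    of findings; an empty list means the inbound VIP setup looks consistent."""
    findings = []
    vips = cfg.get("firewall vip", {})
    policies = cfg.get("firewall policy", {})
    for name, vip in vips.items():
        extip = vip.get("extip", ["0.0.0.0"])[0]
        if extip == "0.0.0.0":
            findings.append(f"VIP {name}: extip is 0.0.0.0; set it to the {wan_if} public address")
        if vip.get("extintf", ["any"])[0] not in (wan_if, "any"):
            findings.append(f"VIP {name}: extintf is not {wan_if}")
        if not any(name in pol.get("dstaddr", []) for pol in policies.values()):
            findings.append(f"VIP {name}: no policy uses it as destination")
    for pid, pol in policies.items():
        if wan_if not in pol.get("srcintf", []):
            continue  # not an inbound (wan > lan) policy, nothing to check
        dst = pol.get("dstaddr", [])
        if not any(d in vips for d in dst):
            findings.append(f"policy {pid}: dstaddr {dst} is an address object, not a VIP")
    return findings


def corrected(text, public_ip="203.0.113.10"):
    """Apply the two fixes the replies recommend to the sample text:
    a real external IP on the VIP, and the VIP as the policy destination."""
    return (text.replace("set extip 0.0.0.0", f"set extip {public_ip}")
                .replace('set dstaddr "OpenVPN-server"', 'set dstaddr "OpenVPN-UDP1194"'))


if __name__ == "__main__":
    for finding in lint_port_forward(parse_fortios(SAMPLE_CONFIG)):
        print("before:", finding)
    print("after:", lint_port_forward(parse_fortios(corrected(SAMPLE_CONFIG))))
```

The parser only understands the four keywords the format is built from, which is enough to walk a `show firewall vip` or `show firewall policy` dump; the lint deliberately skips policies whose source interface is not the WAN interface, so ordinary LAN > WAN rules that use address objects are not flagged.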
Techontop
New Contributor

I think I have some expired TLS issues to deal with. After that I suspect this will work. Thanks.
