hbuenafe81
New Contributor III

VIPs on loopback with s2s communication

Gents,

Need your assistance here. I have a s2s connection and I want the remote side to access my server ports through a loopback interface. The s2s is up and able to reach my loopback interface; however, my VIP port forwarding using the loopback is not responding. Based on my diagnose sniffer output, the remote side is able to reach the loopback but no ACK is received, as shown below.

3953.534013 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3956.547416 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3962.546623 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913

----config---

config system interface
    edit "Loopback102"
        set vdom "root"
        set ip 10.0.225.102 255.255.255.255
        set allowaccess ping https ssh http fgfm
        set type loopback
        set role lan
        set snmp-index 25
    next
end

-----------------

config firewall policy
    edit 66
        set name "ewew"
        set uuid 7be5d9e4-c0fc-51ee-71e4-dc872d849459
        set srcintf "TO-JED"
        set dstintf "Loopback102"
        set action accept
        set srcaddr "JED-DMZ-SVR"
        set dstaddr "iNET-1200"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments " "
    next
end

config firewall vip
    edit "iNET-1200"
        set uuid 5099f20a-c0f9-51ee-edd8-d4b4f6b515f3
        set extip 10.0.225.102
        set mappedip "10.3.131.160"
        set extintf "any"
        set portforward enable
        set extport 1200
        set mappedport 7000
    next
end

TBogs
21 REPLIES
mpeddalla
Staff

Hello @hbuenafe81,

Thank you for contacting the Fortinet Forum portal.

Once the traffic reaches the loopback interface, does it reach the actual server? I am not sure you can achieve this, as once the traffic from the remote site reaches the loopback interface's private address, the session will offload on that interface. Is there any other route you have for the end server from the loopback?

Please collect the debug logs below to see the flow more clearly:

get router info routing-table details 10.0.255.102
get router info routing-table details 10.3.131.160

# diagnose debug reset
# diagnose debug flow trace stop
# diagnose debug flow filter clear
# diagnose debug flow filter addr [src-ip]    [remote IP address from where traffic is generated]
# diagnose debug flow filter port <portnumber>
# diagnose debug flow show function-name enable
# diagnose debug flow iprope en
# diagnose debug console timestamp enable
# diagnose debug flow trace start 999
# diagnose debug enable

# diagnose debug disable

Best regards,

Manasa.

If you feel the above steps helped to resolve the issue, mark the reply as solved so that other customers can find it easily when searching for similar scenarios.

hbuenafe81
New Contributor III

Thanks for the prompt response. As suggested, see below. When I tried from the loopback interface to reach 10.3.131.160, the port is reachable/open; the thing is that it's not mapping to the loopback interface.

NSPTSDFW02 # get router info routing-table details 10.0.255.102

Routing table for VRF=0
Routing entry for 10.0.0.0/8
Known via "static", distance 1, metric 0, best
* via iNET-s2s tunnel x.x.x.x, tun_id

NSPTSDFW02 # get router info routing-table details 10.3.131.160

Routing table for VRF=0
Routing entry for 10.3.131.0/24
Known via "connected", distance 0, metric 0, best
* is directly connected, port4

NSPTSDFW02 # diag sniffer packet any "host 10.1.74.21 and port 1200" 4
interfaces=[any]
filters=[host 10.1.74.21 and port 1200]
13.643032 TO-JED in 10.1.74.21.65165 -> 10.0.225.102.1200: syn 1131091791
16.649474 TO-JED in 10.1.74.21.65165 -> 10.0.225.102.1200: syn 1131091791
22.649572 TO-JED in 10.1.74.21.65165 -> 10.0.225.102.1200: syn 1131091791

------

NSPTSDFW02 # execute telnet 10.3.131.160 7000
Trying 10.3.131.160...
Connected to 10.3.131.160.

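An added example (not from this thread or from Fortinet) that reads FortiGate `diagnose sniffer packet ... 4` output like the capture above and reports TCP flows whose SYN keeps being retransmitted without ever seeing a SYN-ACK, which is exactly the symptom shown here. The sample lines are the three SYNs from this post plus a constructed flow to port 443 that does get answered, for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the three unanswered SYNs quoted in this thread, plus a
# constructed flow to port 443 that does get a SYN-ACK, for contrast.
SAMPLE = """\
interfaces=[any]
filters=[host 10.1.74.21 and port 1200]
13.643032 TO-JED in 10.1.74.21.65165 -> 10.0.225.102.1200: syn 1131091791
16.649474 TO-JED in 10.1.74.21.65165 -> 10.0.225.102.1200: syn 1131091791
22.649572 TO-JED in 10.1.74.21.65165 -> 10.0.225.102.1200: syn 1131091791
30.100000 TO-JED in 10.1.74.21.65200 -> 10.0.225.102.443: syn 5000
30.100500 TO-JED out 10.0.225.102.443 -> 10.1.74.21.65200: syn 9000 ack 5001
"""

# One verbosity-4 sniffer line:
#   <ts> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: <flags> <seq> [ack <n>]
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>[a-z]+)\s+"
    r"(?P<seq>\d+)(?:\s+ack\s+(?P<ack>\d+))?$"
)

def parse_sniffer(text):
    """Yield one dict per TCP packet line; header and filter lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()

def unanswered_syns(text):
    """Map client 4-tuple -> SYN timestamps for flows that never saw a SYN-ACK."""
    syns = defaultdict(list)
    answered = set()
    for p in parse_sniffer(text):
        if p["flags"] != "syn":
            continue
        if p["ack"] is None:  # client's SYN
            syns[(p["src"], p["sport"], p["dst"], p["dport"])].append(float(p["ts"]))
        else:                 # server's SYN-ACK, so key it in the client's direction
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
    return {k: v for k, v in syns.items() if k not in answered}

def retransmit_gaps(timestamps):
    """Seconds between successive SYNs; ~3, 6, 12 is the usual TCP backoff."""
    return [round(b - a, 1) for a, b in zip(timestamps, timestamps[1:])]

if __name__ == "__main__":
    for flow, stamps in unanswered_syns(SAMPLE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: "
              f"{len(stamps)} SYNs, no SYN-ACK, gaps {retransmit_gaps(stamps)}")
```

A flow listed by `unanswered_syns` with 3s/6s gaps means the FortiGate accepted the packet on the ingress interface but nothing replied for the VIP, which points at the VIP/policy lookup rather than at the tunnel.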
ebilcari

If the server is behind another router/NAT device, make sure it can reach the loopback IP (10.0.225.102) on the FGT, and also, based on this article, you need another firewall policy allowing the traffic from the loopback to the server.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
hbuenafe81
New Contributor III

Thanks @ebilcari, this is a FortiGate loopback interface. I don't have any problem using a router loopback, except for this loopback on a FW. The problem here is that the loopback interface on the FW is not mapping the internal server ports. All communication is working properly and everything is able to reach each other, except for this VIP/port mapping using the FortiGate loopback interface.

mpeddalla

Can you please confirm whether you can verify the configuration using the article Technical Note: How to configure a VIP using a loo... - Fortinet Community, and make sure all firewall policies are in place?

hbuenafe81
New Contributor III

@mpeddalla - thanks for the info. This is actually what I was looking at earlier; the only difference is that I did not use the WAN interface, instead I'm using a s2s port for this. Policies are also in place.

hbuenafe81

config system interface
    edit "Loopback102"
        set vdom "root"
        set ip 10.0.225.102 255.255.255.255
        set allowaccess ping https ssh http fgfm
        set type loopback
        set snmp-index 25
    next
end

config firewall vip
    edit "iNET-1200"
        set extip 10.0.225.102
        set mappedip "10.3.131.160"
        set extintf "any"
        set portforward enable
        set extport 1200
        set mappedport 7000
    next
end

** The policy below also has a reverse setup if dstaddr uses all **
config firewall policy
    edit 66
        set name "Loopback"
        set srcintf "TO-JED"
        set dstintf "Loopback102"
        set action accept
        set srcaddr "JED-DMZ-SVR"
        set dstaddr "iNET-1200"     <-- for test purposes I also changed this to all
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable              <-- for the test I also disabled this
    next
end

ebilcari

I did a quick test (no VPN) and port forwarding pointing at the loopback works (7.2.6):

GW # get system session list
tcp 3597 10.0.0.2:60838 - 100.0.0.5:10051 10.5.32.51:443

The VIP/loopback is 100.0.0.5 and the "server" is 10.5.32.51.

Don't forget to add a dedicated rule to allow requests reaching the loopback interface itself:

[image: fw-rules.PNG]

- Emirjon
hbuenafe81
New Contributor III

Thanks Emirjon, I'm using v7.0.13.

As you can see below, the loopback is reachable but the port is not open. I tested this server port to the same IP range (10.3.131.x) and the port is open, but not when mapped to the loopback interface.

[image: policy.png]
