echo wrote:

Did you create policy from dmz1 to dmz2 where the source is dmz1's internal network and destination is that vip that gives access from internet to dmz2? And also vice versa if needed. You got that "forward policy check" refusal because there isn't any such policy yet. That kind of NAT-hairpinning is not enabled by default by FGT so you have to create a special rule.

 

Eg in a situation where public wifi users (possibly company's workers with their smartphones) have to get access to the mail server that is located behind the same router and they use the external IP-address / name for that access as if they were in any other outside network.

Hi Echo,

I have a policy from DMZ1 to DMZ2 where the source is dmz1's internal network and destinations are:

- DMZ2 host I need to reach via SMTP

- external IP of DMZ2 host I need to reach via SMTP

also I have a rule from any to WAN2 where the source is 0.0.0.0/0 and destination is VIP address. This because I configure VIP address on WAN2 and not on DMZ2 so I cannot insert VIP address in a rule where destination is DMZ2

Let me know

Thanks

Regards

First, when I recall creating policies so that the destination is both the internal address and internal via vip, it won't allow me to do that. You can also try to separate these rules just in case.

The rule that allows from any to wan2 should be, at least in my understanding, from wan2 to dmz2 with networks any to vip. But for the rule that is currently in question, from dmz1 to dmz2, should not be related to that one.

Maybe you need an extra rule from wan1 to wan2 too because of those policy routes.

echo wrote:

First, when I recall creating policies so that the destination is both the internal address and internal via vip, it won't allow me to do that. You can also try to separate these rules just in case.

The rule that allows from any to wan2 should be, at least in my understanding, from wan2 to dmz2 with networks any to vip. But for the rule that is currently in question, from dmz1 to dmz2, should not be related to that one.

Maybe you need an extra rule from wan1 to wan2 too because of those policy routes.

Yes... sorry.

I did a mistake unswering you

Those are my rules:

- From WAN2 (any) to DMZ2 (VIP)

- From DMZ (DMZ net) to WAN2 (wan2 net) (tried enabling NAT and also disabling NAT)

- From DMZ (DMZ net) to DMZ2 (DMZ2 host)

- From DMZ (DMZ net) to DMZ2 (DMZ2 host - external IP)

Now I create a new rule for make a new test

- From WAN (wan network) to WAN2 (wan2 network)

not works

Try this rule

- From WAN (0.0.0.0/0) to WAN2 (wan2 network)

not works

Where is this rule:

- From DMZ (DMZ net) to DMZ2 (VIP) (without additional NAT)

You mentioned that you tried this so -- you did but it is currently not active / was deleted? I just want to be sure you really tried that because in my cases, that's all that was needed.

There is also an option not to use policy routing. Create an untrust zone, put both interfaces into that, create one-element ippool's for both ISP's and use it in nat in the rules where needed. I can't remember if I have used it somewhere but if you don't need a failover solution then this might be an option to try out.

echo wrote:

Where is this rule:

- From DMZ (DMZ net) to DMZ2 (VIP) (without additional NAT)

You mentioned that you tried this so -- you did but it is currently not active / was deleted? I just want to be sure you really tried that because in my cases, that's all that was needed.

 

There is also an option not to use policy routing. Create an untrust zone, put both interfaces into that, create one-element ippool's for both ISP's and use it in nat in the rules where needed. I can't remember if I have used it somewhere but if you don't need a failover solution then this might be an option to try out.

This rule (without NAT) is still active

I also have this policy routes in this order:

- FROM DMZ2 (DMZ2 net) to DMZ net force traffic to Outgoing interface DMZ (no gateway address set)

- FROM DMZ (DMZ net) to DMZ2 net force traffic to Outgoing interface DMZ2 (no gateway address set)

- FROM DMZ (DMZ net) to any force traffic to Outgoing interface WAN (gateway set)

- FROM DMZ2 (DMZ2 net) to any force traffic to Outgoing interface WAN2 (gateway set)

(I have other rules but they are not from or to those networks)

I have almost the same issue. I have got fortigate 200D model, and i build on it a simple configuration. wan1 is connected to an isp and wan2 is connected to another isp. wan1 is connected internally to a servers that control the domain and mail server and web server, and VIPs is configured through wan1 port, and wan2 is connected internally to another server that serve anther hosts through policy route on the fortigate. everything is giong to be ok and access to the internet except one thing, hosts that connected to wan2 cant access to the mail site or the web site hosted through wan1. I create policies on the firewall wan2-->wan1 but it doesnt work.   anybody can give me a solution?

By now I have another idea why such traffic is blocked: if policy routes route traffic out then to reach one internal network from another, there has to be an additional policy route preceding the "default route" one: from dmz1 to dmz2 directly, and vice versa too if needed. In GUI you have to select "Stop policy routing" for these policy routes, and it looks later in the list like the gateway is 0.0.0.0. It is needed because Fortinet doesn't check if the traffic to external IP is allowed, it rather checks the internal NATed address, dmz in this case.

Of course, if there are certain all-all rules (policies), then for any other traffic between two internal dmz networks to be prevented, the all-all rules have to be reconfigured (remove all) or alternatively, a deny rule has to be added on top of all other rules.

I recently had to go through all this and that's what I did.