Looking for help with a hairpin route/policy

Author
dan231
New Member
  • Total Posts : 18
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/01/26 09:12:00
  • Status: offline
2017/04/28 06:56:37 (permalink)
0

Looking for help with a hairpin route/policy

Setup:
Internal MS Exchange Server
FortiWIFI (vlan'd from the internal network for guest access to the Internet)
Fortigate FW
Iphone with ActiveSync email access to MS Exchange
 
Internet = WAN1
Internal Network = WAN2
Public-WIFI = VLAN on WAN2
VIP = External IP --> Mail server (any int)
 
I have all my routes and policies setup so from my iPhone I can get WIFI internet AND not see any internal devices.
The problem is that I cannot get email access on my iPhone.  I now have a hairpin that I believe should work but doesn't.  From my iPhone, I can ping my mail server by name, but a tracert stops at the first hop: the FortiWIFI.
 
Current Hairpin policy:
Public-WIFI (VLAN on WAN2) --> WAN2 (internal) with Destination of my VIP
 
I've been stuck at this for over a week and I can't wrap my head around this.
I have a support ticket open and have reviewed the Fortigate docs on hairpin set.
#1


    rwpatterson
    Expert Member
    • Total Posts : 8015
    • Scores: 154
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: online
    Re: Looking for help with a hairpin route/policy 2017/04/28 08:31:36 (permalink)
    0
    What are the services in this hairpin policy?

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.18-b0689
    FGT60B
    FWF60B
    FWF80CM (2)
    FWF81CM
     
    #2
    dan231
    New Member
    • Total Posts : 18
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/01/26 09:12:00
    • Status: offline
    Re: Looking for help with a hairpin route/policy 2017/04/28 08:40:36 (permalink)
    0
    Source = ALL
    Services = ALL
    NAT = OFF
    #3
    Selective
    Expert Member
    • Total Posts : 2676
    • Scores: 94
    • Reward points: 0
    • Joined: 2007/07/03 10:44:56
    • Location: Gothenburg - Sweden
    • Status: offline
    Re: Looking for help with a hairpin route/policy 2017/04/28 09:12:15 (permalink)
    0
    config firewall policy
    edit <policy ID>
    set match-vip enable
    end
     
    #4
    dan231
    New Member
    • Total Posts : 18
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/01/26 09:12:00
    • Status: offline
    Re: Looking for help with a hairpin route/policy 2017/04/28 09:18:25 (permalink)
    0
    Selective
    config firewall policy
    edit <policy ID>
    set match-vip enable
    end

    I thought that didn't matter if I already have the destination set as the VIP?
    I made that edit and that didn't change anything.
    #5
    Selective
    Expert Member
    • Total Posts : 2676
    • Scores: 94
    • Reward points: 0
    • Joined: 2007/07/03 10:44:56
    • Location: Gothenburg - Sweden
    • Status: offline
    Re: Looking for help with a hairpin route/policy 2017/04/28 09:35:43 (permalink)
    0
    Strange, I use it in our environment, please check the KB:
     
    http://kb.fortinet.com/kb...teId=0%200%20105621158
    #6
    tanr
    Gold Member
    • Total Posts : 241
    • Scores: 8
    • Reward points: 0
    • Joined: 2016/05/09 17:09:43
    • Status: offline
    Re: Looking for help with a hairpin route/policy 2017/04/28 09:47:51 (permalink)
    0
    I'm not sure I follow your reasons for using a hairpin here.  You stated that your iPhone should only have internet access, and not be able to access anything on the lan.  But doesn't a hairpin specifically connect you to the internal IP when you try to connect to the public IP?  Are you saying you want to allow only this particular access from the iPhone to your internal network?
     
    You said NAT was off?  For which security policies?  Hopefully NAT isn't off for the policies where your iPhone is connecting to the wan!  I assume your iPhone is going to a specific public IP for the Exchange Server?  And the hairpin you're using tries to have the iPhone's attempt to connect to the external IP of the mail server get routed back to its internal IP?
      
    Assuming you still want the hairpin given the above, you probably need to track down if your issue is routing or security policies.  Try the access and check the logs.
     
    Have you created both outgoing and incoming security policies for the hairpin NAT?
    As Selective mentioned:  
    Are you following the steps from http://kb.fortinet.com/kb/documentLink.do?externalID=FD36202?
     
    #7
    localhost
    Silver Member
    • Total Posts : 64
    • Scores: 6
    • Reward points: 0
    • Joined: 2015/05/21 02:47:51
    • Location: Zug, Switzerland
    • Status: offline
    Re: Looking for help with a hairpin route/policy 2017/04/28 10:05:46 (permalink)
    0
    Your policies do look fine to me as well - if your configuration really matches your description.
     
    dan231
    From my iPhone, I can ping my mail server by name, but a tracert stops at the first hop: the FortiWIFI.

     
    Do the ping packets really go out to your mail server? Have you confirmed this by sniffing on the Fortigate?
    What happens to the HTTPS packets?
    #8
    dan231
    New Member
    • Total Posts : 18
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/01/26 09:12:00
    • Status: offline
    Re: Loking for help with a haitpin route/policy 2017/04/28 10:06:29 (permalink)
    0
    Thanks - I went over that doc previously and that's what I used to make my hairpin policy.
    I might be on the wrong track here with the hairpin, but that's what support told me I needed.
     
    What I need to accomplish:
    From the Public-WIFI, my iPhone needs to connect to my Exchange server so I get mail. 
     
    tanr
    You said NAT was off?  For which security policies?  Hopefully NAT isn't off for the policies where your iPhone is connecting to the wan!  I assume your iPhone is going to a specific public IP for the Exchange Server?  And the hairpin you're using tries to have the iPhone's attempt to connect to the external IP of the mail server get routed back to its internal IP?

     
    NAT is only off on the hairpin policy.  Like I said I can get to the internet just fine, so I'm having a difficult time understanding why it's just internal email that won't work.  If I'm on the Internet, shouldn't my phone be checking a public DNS to get my mail server IP, then just route traffic to that?
     
    My DNS for email is my public IP, could that be causing a routing conflict?
     
     
     
     
     
    #9
    dan231
    New Member
    • Total Posts : 18
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/01/26 09:12:00
    • Status: offline
    Re: Loking for help with a haitpin route/policy 2017/04/28 10:10:13 (permalink)
    0
    localhost
    Do the ping packets really go out to your mail server? Have you confirmed this by sniffing on the Fortigate?
    What happens to the HTTPS packets?



    When I do sniffer traffic with my iphone IP, I see no traffic listed. 
    #10
    dan231
    New Member
    • Total Posts : 18
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/01/26 09:12:00
    • Status: offline
    Re: Looking for help with a hairpin route/policy 2017/04/28 10:42:09 (permalink)
    0
    2017-04-28 10:13:15 id=20085 trace_id=137 func=print_pkt_detail line=4793 msg="vd-root received a packet(proto=6, MailserverIP:443->192.168.201.3:52631) from internal. flag [S.], seq 1020708212, ack 2966908897, win 8192"

    2017-04-28 10:13:15 id=20085 trace_id=137 func=vf_ip_route_input_common line=2586 msg="find a route: flag=04000000 gw-192.168.201.3 via Guest WiFi"

    2017-04-28 10:13:15 id=20085 trace_id=137 func=fw_forward_dirty_handler line=324 msg="no session matched"

     
    This is from my FortiWIFI.  192.168.201.3 is my iphone.  Does this state it can't route back from my mailserver to my vlan?
    #11
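How to read a trace like the one above, and how to collect the rest of the evidence: the three lines show a SYN/ACK (flag [S.]) from the mail server, arriving on internal and routed toward the Guest WiFi VLAN, being dropped with "no session matched". That is the reply half of a TCP handshake reaching the FortiWiFi with no forward session to belong to, which is what you get when the phone's original SYN was never processed by this unit or left it by some other path. The FortiOS CLI below is an added example, not commands from the original post or from Fortinet's KB articles: 192.168.201.3 is the iPhone address from the post and "Guest WiFi" and "internal" are the interface names shown in the trace; nothing else is taken from the thread.

```text
# Added example: trace and sniff the guest client at the FortiWiFi (FortiOS 5.x CLI).
# 192.168.201.3 is the iPhone address from the post; other values are placeholders.

# 1. Does the iPhone's SYN to the published mail address ever reach this unit?
#    Verbosity 4 prints the ingress/egress interface name with each packet.
diagnose sniffer packet any 'host 192.168.201.3 and tcp port 443' 4 20

# 2. Show the route lookup and policy decision for the same traffic.
diagnose debug flow filter clear
diagnose debug flow filter addr 192.168.201.3
diagnose debug flow filter port 443
diagnose debug flow trace start 20
diagnose debug enable
#    ... reproduce the ActiveSync connection from the phone, then stop:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# 3. Is there any session for the phone toward port 443 at all?
diagnose sys session filter clear
diagnose sys session filter src 192.168.201.3
diagnose sys session filter dport 443
diagnose sys session list
diagnose sys session filter clear
```

If step 1 never shows a SYN leaving "Guest WiFi" for the public mail address, the problem is upstream of any policy on this unit (the client is not sending, or the packet is taking a path that does not traverse the FortiWiFi). If the SYN is seen but step 2 reports no matching policy, or shows it being forwarded out WAN toward the FortiGate while the reply comes back on internal, the hairpin is on the wrong device, which is what the rest of the thread arrives at. A sniffer filter on the phone address alone, as the poster tried, is still the right first check; an empty capture means the SYN is not arriving on this unit.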
    rwpatterson
    Expert Member
    • Total Posts : 8015
    • Scores: 154
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: online
    Re: Looking for help with a hairpin route/policy 2017/04/28 10:49:05 (permalink)
    0
    For a quick test, try enabling NAT on that policy.
    #12
    dan231
    New Member
    • Total Posts : 18
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/01/26 09:12:00
    • Status: offline
    Re: Looking for help with a hairpin route/policy 2017/04/28 10:50:32 (permalink)
    0
    I've done NAT and no NAT previously.  That has no effect.
    #13
    rwpatterson
    Expert Member
    • Total Posts : 8015
    • Scores: 154
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: online
    Re: Looking for help with a hairpin route/policy 2017/04/28 10:54:07 (permalink)
    0
    By some chance, are the two subnets (WiFi and internal) in the same subnet range?
    #14
    dan231
    New Member
    • Total Posts : 18
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/01/26 09:12:00
    • Status: offline
    Re: Looking for help with a hairpin route/policy 2017/04/28 10:56:52 (permalink)
    0
    No.  The WIFI is its own VLAN.
    They are both on WAN2, though, but I don't think that should matter.
     
    Since I see no email traffic, I am leaning that my hairpin is still wrong somehow.
    #15
    rwpatterson
    Expert Member
    • Total Posts : 8015
    • Scores: 154
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: online
    Re: Looking for help with a hairpin route/policy 2017/04/28 11:04:15 (permalink)
    0
    dan231
    No.  The WIFI is its own VLAN.
    They are both on WAN2, though, but I don't think that should matter.

    Are you using WAN2 as a trunk port? Can you traceroute from the WiFi to see the traffic path?
    #16
    dan231
    New Member
    • Total Posts : 18
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/01/26 09:12:00
    • Status: offline
    Re: Looking for help with a hairpin route/policy 2017/04/28 11:13:20 (permalink)
    0
    Not sure on trunk port meaning
     
    Traceroute is one hop, since the outgoing ip is the mailserver IP.
    So it recognizes that my mail server is ABC, so it doesn't look any farther in the Internet for more info.  Which would mean it dies right here.  Would I need something to route the traffic to the VIP then?
     
    Which should be my hairpin policy, yes?
    Should my hairpin be on the FortiWIFI then?
    #17
    dan231
    New Member
    • Total Posts : 18
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/01/26 09:12:00
    • Status: offline
    Re: Looking for help with a hairpin route/policy 2017/04/28 11:24:39 (permalink)
    0
    YES!!!
     
    I've got it!  I added the hairpin at the FortiWIFI and BOOM!  Works.
    Thank you all as I would never have gotten this far without your suggestions/guidance.
    #18
    rwpatterson
    Expert Member
    • Total Posts : 8015
    • Scores: 154
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: online
    Re: Looking for help with a hairpin route/policy 2017/04/28 11:43:42 (permalink)
    0
    dan231
    Should my hairpin be on the FortiWIFI then?

    This is the only place your hairpin should have been. This is the gatekeeper between the Internet and your LAN. Glad you're up and running.
    #19
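The arrangement rwpatterson describes, a VIP plus a hairpin policy on the unit that sits between the guest VLAN and the LAN, written out as an added FortiOS CLI example. This is not the original poster's configuration and not text from the Fortinet KB: the VIP and policy names, the public address 203.0.113.10, the Exchange address 192.168.10.25 and the interface names "Guest WiFi" and "internal" are all assumptions chosen for illustration.

```text
# Added example (FortiOS 5.x CLI): hairpin for ActiveSync from the guest VLAN,
# configured on the FortiWiFi that owns both the guest VLAN and the LAN interface.
# All addresses and names are placeholders, not values from the thread.

config firewall vip
    edit "VIP-Exchange-443"
        set extip 203.0.113.10
        set extintf "any"
        set portforward enable
        set mappedip "192.168.10.25"
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    edit 0
        set name "GuestWiFi-to-Exchange-hairpin"
        set srcintf "Guest WiFi"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP-Exchange-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set logtraffic all
    next
end
```

Three points a practitioner would check against this. First, the service is HTTPS rather than ALL: with the VIP object as the destination and the policy allowing every service, the guest VLAN can reach whatever the VIP publishes, and the point of a guest network is that it reaches exactly the one port you intend. Second, FortiGate policies are evaluated top down, so this policy has to sit above whatever deny policy keeps guests away from the rest of the LAN, or it is never reached; `match-vip enable`, which the thread discusses, is needed when the destination is "all" rather than the VIP object, since a policy whose dstaddr is the VIP already matches the translated traffic. Third, `nat enable` makes Exchange see the FortiWiFi's internal address as the client rather than the phone's 192.168.201.x address; that keeps the reply on the same unit that built the session, at the cost of losing the real client IP in the Exchange logs, which matters if anything on the server side filters or audits by source address.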
    dan231
    New Member
    • Total Posts : 18
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/01/26 09:12:00
    • Status: offline
    Re: Looking for help with a hairpin route/policy 2017/04/28 11:51:53 (permalink)
    0
    I would agree..but then here we are... LOL
    #20