Camilian
New Contributor

forward HTTP (80) and HTTPS (443) on router

I have a FortiWIFI 60E. I have a domain name with my public routed IP address.

I am working on adding a web page to my server.

I configured IIS and DNS but it is not working.

 

I need to forward HTTP (80) and HTTPS (443) traffic on my router (FortiWIFI) from the public IP address to the server local IP address. Can you please let me know what I need to do?

 

Thank you

 

 

 

 

 

emnoc
Esteemed Contributor III

Fortinet has a few cookbooks and articles. Here's one, for example.

 

http://cookbook.fortinet.com/port-forwarding/

PCNSE 

NSE 

StrongSwan  

ericli_FTNT

Hi Camilian,

 

A series of VIP or virtual server configurations could help you out with this.

 

Let's say, 10.10.10.1/30 is your Internet public IP, which is configured on the "wan" interface of your FortiWifi.

192.168.1.1/24 is your server-1 (80), which is connected to port1 of the FortiWifi.

192.168.2.1/24 is your server-2 (443), which is connected to port2 of the FortiWifi.

 

Now, firstly you need to configure 2 VIPs.

 

config firewall vip
    edit "Server-1"
        set extip 10.10.10.1
        set extintf "wan"
        set portforward enable
        set mappedip "192.168.1.1"
        set extport 8080
        set mappedport 80
    next
    edit "Server-2"
        set extip 10.10.10.1
        set extintf "wan"
        set portforward enable
        set mappedip "192.168.2.1"
        set extport 8443
        set mappedport 443
    next
end

 

Second, you need to configure a policy with these two VIPs.

config firewall policy
    edit 1
        set name "To_Server-1"
        set srcintf "wan"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Server-1"    ### The first VIP you configured.
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 2
        set name "To_Server-2"
        set srcintf "wan"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Server-2"    ### The second VIP you configured.
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

 

Now, you should be able to visit your 2 servers from the Internet. For your 80 server, use URL "http://10.10.10.1:8080" and for the 443 server, use URL "https://10.10.10.1:8443".

emnoc
Esteemed Contributor III

Good examples, but I would not do that.

 

1: no need for NAT enable in the two fwpolicies (it will work, but understand what NAT is actually doing with a DNAT VIP)

 

2: 2nd, I would define the fwpolicy for a port-based forwarding VIP with an understanding of the fact that it's port-based forwarding

 

Outside of that, it's 2 thumbs up from me

 

Ken

 

PCNSE 

NSE 

StrongSwan  

ede_pfau
Esteemed Contributor III

Just to add that a VIP is much more general than as used in the example. You can map from port 80 to 80 (to just forward HTTP traffic without changing the port number), and you can forward multiple ports with multiple VIPs to the same internal address if you port-forward.

And don't expect that you can ping your server from outside! ICMP is not port-forwarded, it's not even TCP. But you can create an ICMP forwarding VIP...

In the end, if you've got multiple VIPs you can group them all together in a VIP group and just use one policy. As service you should only allow the forwarded ports, of course.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
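
The review points raised by emnoc and ede_pfau above (no `nat enable` on a VIP policy, allow only the forwarded services), written as a small check over a `config firewall policy` block. This is an added example, not part of any post in the thread; the sample policies are constructed and `Web-VIPs` is a hypothetical VIP group name.

```python
import shlex

# Constructed sample: policy 1 keeps the relevant options of the thread's example;
# policy 2 is a tightened variant (VIP group, forwarded services only, no NAT).
SAMPLE = '''
config firewall policy
    edit 1
        set srcintf "wan"
        set dstintf "port1"
        set dstaddr "Server-1"    ### The first VIP you configured.
        set service "ALL"
        set nat enable
    next
    edit 2
        set srcintf "wan"
        set dstintf "port1"
        set dstaddr "Web-VIPs"
        set service "HTTP" "HTTPS"
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {option: [values]}} for each 'edit N' entry."""
    policies, current = {}, None
    for raw in text.splitlines():
        words = shlex.split(raw.split("###")[0])  # drop ### annotations
        if len(words) == 2 and words[0] == "edit" and words[1].isdigit():
            current = policies.setdefault(int(words[1]), {})
        elif words == ["next"]:
            current = None
        elif current is not None and len(words) >= 3 and words[0] == "set":
            current[words[1]] = words[2:]
    return policies

def audit(text, vip_names):
    """Flag policies that point at a VIP or VIP group and are wider than needed."""
    findings = []
    for pid, opts in sorted(parse_policies(text).items()):
        if not set(opts.get("dstaddr", [])) & set(vip_names):
            continue  # not an inbound port-forward policy
        if "ALL" in opts.get("service", []):
            findings.append((pid, "service ALL: allow only the forwarded ports"))
        if opts.get("nat") == ["enable"]:
            findings.append((pid, "nat enable: not needed for a VIP policy"))
    return findings

if __name__ == "__main__":
    for pid, msg in audit(SAMPLE, {"Server-1", "Server-2", "Web-VIPs"}):
        print(f"policy {pid}: {msg}")
```
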
Camilian
New Contributor

Thank you for the detailed information.

I am new to the configuration. I am getting the following message.

 

This page can’t be displayed. Make sure the web address https://x.x.x.x:8443 is correct. Look for the page with your search engine. Refresh the page in a few minutes.

Do I need to configure NDS?

 

I configured IIS with the web site. The internal web page (local) is working but the external https is giving an error.

 

Thank you

ericli_FTNT

Camilian wrote:

Thank you for the detailed information.

I am new to the configuration. I am getting the following message.

 

This page can’t be displayed. Make sure the web address https://x.x.x.x:8443 is correct. Look for the page with your search engine. Refresh the page in a few minutes.

Do I need to configure NDS?

 

I configured IIS with the web site. The internal web page (local) is working but the external https is giving an error.

 

Thank you

Hi, did you mean DNS?

ede_pfau
Esteemed Contributor III

Truth of the Day: "if you use a URL with a numeric IP address you don't need DNS."

 

Seriously, without your configuration we can't even guess -


Ede

"Kernel panic: Aiee, killing interrupt handler!"