forward HTTP (80) and HTTPS (443) on router

Author
Camilian
2018/02/13 09:55:17 (permalink)

forward HTTP (80) and HTTPS (443) on router

I have FortiWIFI 60E. I have a domain name with my public routed IP address.
I am working on adding a web page to my server.
I configured IIS and DNS but it is not working.
 
I need to forward HTTP (80) and HTTPS (443) traffic on my router (FortiWIFI) from the public IP address to the server local IP address. Can you please let me know what I need to do?
 
Thank you
 
 
 
 
 
#1
emnoc
Re: forward HTTP (80) and HTTPS (443) on router 2018/02/13 10:09:41 (permalink)
Fortinet has a few cookbooks and articles. Here's one, for example.
 
http://cookbook.fortinet.com/port-forwarding/

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#2
ericli_FTNT
Re: forward HTTP (80) and HTTPS (443) on router 2018/02/13 16:55:25 (permalink)
Hi Camilian,
 
A series of VIP or virtual server configurations could help you out with this.

Let's say 10.10.10.1/30 is your Internet public IP, which is configured on the "wan" interface of your FortiWiFi.
192.168.1.1/24 is your server-1 (80), which is connected to port1 of the FortiWiFi.
192.168.2.1/24 is your server-2 (443), which is connected to port2 of the FortiWiFi.
 
Now, firstly you need to configure 2 VIPs.
 
config firewall vip
    edit "Server-1"
        set extip 10.10.10.1
        set extintf "wan"
        set portforward enable
        set mappedip "192.168.1.1"
        set extport 8080
        set mappedport 80
    next
    edit "Server-2"
        set extip 10.10.10.1
        set extintf "wan"
        set portforward enable
        set mappedip "192.168.2.1"
        set extport 8443
        set mappedport 443
    next
end
 
Second, you need to configure a policy with these two VIPs.

config firewall policy
    edit 1
        set name "To_Server-1"
        set srcintf "wan"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Server-1"    ### The first VIP you configured.
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 2
        set name "To_Server-2"
        set srcintf "wan"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Server-2"    ### The second VIP you configured.
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
 
Now, you should be able to visit your 2 servers from the Internet. For your 80 server, use the URL "http://10.10.10.1:8080" and for the 443 server, use the URL "https://10.10.10.1:8443".
#3
emnoc
Re: forward HTTP (80) and HTTPS (443) on router 2018/02/13 19:00:54 (permalink)
Good examples, but I would not do that.
 
1: No need for NAT enable in the two fwpolicies (it will work, but understand what NAT is actually doing with a DNAT VIP).

2: I would define the fwpolicy for a port-based forwarding VIP with an understanding of the fact that it's port-based forwarding.

Outside of that, it's 2 thumbs up from me.
 
Ken
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#4
ede_pfau
Re: forward HTTP (80) and HTTPS (443) on router 2018/02/14 08:22:18 (permalink)
Just to add that a VIP is much more general than as used in the example. You can map from port 80 to 80 (to just forward HTTP traffic without changing the port number), and you can forward multiple ports with multiple VIPs to the same internal address if you port-forward.
And don't expect that you can ping your server from outside! ICMP is not port-forwarded, it's not even TCP. But you can create an ICMP forwarding VIP...
In the end, if you've got multiple VIPs you can group them all together in a VIP group and just use one policy. As service you should only allow the forwarded ports, of course.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#5
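The suggestions in posts #4 and #5 applied to the sample addressing from post #3, as an added example that is not part of any poster's reply: ports 80 and 443 are forwarded unchanged to one server, the VIPs are placed in a VIP group, and a single policy allows only the forwarded services without policy NAT. The object names ("Web-HTTP", "Web-HTTPS", "Web-VIPs", "To_Web") and the choice of a single server at 192.168.1.1 behind port1 are assumptions; the lines starting with # are annotations, not CLI input.

```fortios
# Added example. Addresses are the sample values from post #3;
# object names and the single-server layout are assumptions.
config firewall vip
    edit "Web-HTTP"
        set extip 10.10.10.1
        set extintf "wan"
        set portforward enable
        set mappedip "192.168.1.1"
        set extport 80
        set mappedport 80
    next
    edit "Web-HTTPS"
        set extip 10.10.10.1
        set extintf "wan"
        set portforward enable
        set mappedip "192.168.1.1"
        set extport 443
        set mappedport 443
    next
end

# Group both VIPs so that one policy covers them (post #5).
config firewall vipgrp
    edit "Web-VIPs"
        set interface "wan"
        set member "Web-HTTP" "Web-HTTPS"
    next
end

config firewall policy
    edit 1
        set name "To_Web"
        set srcintf "wan"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Web-VIPs"
        set action accept
        set schedule "always"
        # Only the forwarded ports instead of "ALL" (post #5).
        set service "HTTP" "HTTPS"
        set logtraffic all
        # No "set nat enable": the VIP already performs the DNAT (post #4).
    next
end
```

With source NAT left off in the policy, the web server logs the real client addresses, which is what you want for incident review. The server's return route must point back through the FortiWiFi for replies to reach the client.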
Camilian
Re: forward HTTP (80) and HTTPS (443) on router 2018/02/14 15:06:45 (permalink)
Thank you for the detailed information.
I am new to the configuration. I am getting the following message.

This page can’t be displayed
Make sure the web address https://x.x.x.x:8443 is correct.
Look for the page with your search engine.
Refresh the page in a few minutes.

Do I need to configure NDS?
 
I configured IIS with the web site. The internal web page (local) is working but the external https is giving an error.
 
Thank you
#6
ericli_FTNT
Re: forward HTTP (80) and HTTPS (443) on router 2018/02/16 14:17:53 (permalink)
Camilian
Thank you for the detailed information.
I am new to the configuration. I am getting the following message.

This page can’t be displayed
Make sure the web address https://x.x.x.x:8443 is correct.
Look for the page with your search engine.
Refresh the page in a few minutes.

Do I need to configure NDS?

I configured IIS with the web site. The internal web page (local) is working but the external https is giving an error.

Thank you

Hi, did you mean DNS?
#7
ede_pfau
Re: forward HTTP (80) and HTTPS (443) on router 2018/02/17 04:11:52 (permalink)
Truth of the Day: "if you use a URL with a numeric IP address you don't need DNS."
 
Seriously, without your configuration we can't even guess -

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#8