hi there,
need advice and guidance.
I've created a virtual IP and its group.
I've also already set up DDNS for my WAN connection.
The policy has also already been created.
I tried to enter the web address (the DDNS ID I've registered), but the page is not found.
Am I missing something?
my internet connection is behind NAT.
thank you.
I'm afraid you're missing the point from the other thread. It is impossible to route across the Internet to a private IP address. There are millions of networks that use the same private addressing, so how could the routers of the Internet know where to deliver that particular traffic? They can't, and by design they drop that traffic (RFC 1918).
You HAVE to have a public IP address if you want to be able to remotely access anything (SSL VPN, IPSEC VPN, DDNS, etc). If your ISP won't give you a public IP, maybe they can port-forward for you as I described on your other post. That's the only way it can work....fundamentals of the Internet here.
Just in case you DO get a public address but just not on the WAN port of the FGT...
Then it would matter how the internet router hands down traffic to the FGT. Most preferably it would be called "exposed host" or such, effectively forwarding all traffic to the FGT's WAN port. You would then use a VIP on the WAN interface to NAT traffic to an internal target.
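Added example, not part of the thread or of any Fortinet tooling: a small Python check that classifies the FortiGate's WAN address and the address the DDNS name resolves to, and reports which of the situations described in the replies above applies. The function names, result codes and sample addresses are assumptions made for illustration; the "public" samples come from documentation ranges and stand in for real public addresses.

```python
import ipaddress

# Address ranges that Internet routers will not deliver traffic to.
NON_ROUTABLE = {
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "cgnat": ["100.64.0.0/10"],            # RFC 6598 carrier-grade NAT space
    "local": ["127.0.0.0/8", "169.254.0.0/16"],
}

def classify(addr):
    """Return 'rfc1918', 'cgnat', 'local' or 'public' for an IPv4 address."""
    ip = ipaddress.IPv4Address(addr)
    for kind, nets in NON_ROUTABLE.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return kind
    return "public"

def inbound_path(wan_ip, ddns_ip):
    """wan_ip: address on the FGT WAN port; ddns_ip: what the DDNS name resolves to."""
    if classify(ddns_ip) != "public":
        # The name points at an address nobody on the Internet can route to.
        return "unreachable"
    if classify(wan_ip) == "public":
        same = ipaddress.IPv4Address(wan_ip) == ipaddress.IPv4Address(ddns_ip)
        # A VIP on the WAN interface works once the record matches the WAN address.
        return "direct" if same else "stale-record"
    # Public address lives on an upstream router: it must forward ports
    # (or act as "exposed host") before the FGT VIP ever sees traffic.
    return "upstream-nat"

if __name__ == "__main__":
    # Constructed sample pairs: (WAN port address, DDNS-resolved address)
    samples = [
        ("203.0.113.10", "203.0.113.10"),
        ("192.168.1.2", "203.0.113.10"),
        ("100.72.0.5", "100.72.0.5"),
        ("203.0.113.10", "198.51.100.7"),
    ]
    for wan, ddns in samples:
        print(f"WAN {wan:<15} DDNS {ddns:<15} -> {inbound_path(wan, ddns)}")
```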
hi there,
thanks for answers.
I've asked; it is not possible for the provider to forward the port. And yes Ede_pfau, I got what you mean, thanks for the reminder.
Well, so there is no way to publish an internal web server when there is no public address. I thought that by setting "use ip public" in the DNS menu, the FortiGate could somehow convert a private IP to a public IP.
thanks all for help.
@Pengguna
Re your original post - setting up DDNS requires you to register with a DDNS provider and possibly set up DNS records too. I like using Fortinet's own DDNS service as it seems to be automatic (when using a fgt device), e.g.
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "server-hostname.fortiddns.com"
        set monitor-interface "wan1"
    next
end
One thing to keep in mind is that it takes time for DNS records to propagate, so I suggest using an online ping service to test that the FQDN resolves to your current IP.
And if your web server is going to be behind your fgt device you will need to change the default port access to your fgt device (e.g. port 80 and/or port 443) then set up port forwards on the WAN interface -> internal static IP:80 (or internal static IP:443) if you want to use standard HTTP/HTTPS web port access.
Admin Port access is done via
config system global
    set admin-port <port_number>
    set admin-sport <port_number>
end
Personally, if you are going to expose an internal web server in such a manner, I advise putting the web server in a DMZ zone and thinking hard about what other security or UTM measures to put in place.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C