Port forwarding from IP-range to single IP

Author
Antti
New Member
2019/01/08 22:24:59 (permalink)

Hi,
 
I'm quite new to the world of FortiGate.
 
I need to forward traffic from an IP range to specific ports of a certain device.
(Everything from IP 123.123.123.XXX --> 192.192.192.123 TCP 111, 222 and UDP 111, 222)
 
What is the best way to do this? At first glance, with VIPs I would have to make a four-digit number of rules.
The firewall in use is a FortiGate 60E.
 
-Antti
 
 
#1

11 Replies

    anasalomari@hotmail.com
    New Member
    Re: Port forwarding from IP-range to single IP 2019/01/08 23:41:13 (permalink)
    Hello,
     
    You need to create 2 VIP objects, one for each port.
    Then create a VIP group, and after that add these objects to that group.
    Finally, apply a policy to the VIP group.
     
    Anas
     
    #2
    BrUz
    Gold Member
    Re: Port forwarding from IP-range to single IP 2019/01/08 23:51:17 (permalink)
    You solve this with a virtual IP. Yes, it would be nice to attach more ports to the same VIP rule. Now you need one for each if they're not in the same range. But you can group them in one VIP group.
     

    Fortigate <3
    #3
    Antti
    New Member
    Re: Port forwarding from IP-range to single IP 2019/01/08 23:57:09 (permalink)
    Thank you for the answers.
     
    My problem here is that the incoming connection isn't a specific IP, but the IP range 123.123.123.0-123.123.123.255. And all of them should point to a single IP. If I set the external IP to the range xxx.xxx.xxx.0-xxx.xxx.xxx.255, the mapped IP must be .0 - .255 also. But I need it to point to a single IP. Is this solved using a source address filter or something similar?
    #4
    anasalomari@hotmail.com
    New Member
    Re: Port forwarding from IP-range to single IP 2019/01/09 00:00:38 (permalink)
    Hello,
     
    You cannot add multiple ports to one VIP.
     
    Anas
     
    #5
    BrUz
    Gold Member
    Re: Port forwarding from IP-range to single IP 2019/01/09 00:05:19 (permalink)
    anasalomari@hotmail.com
    Hello,
     
    You cannot add multiple ports to one VIP.
     
    Anas
     


    You can only add a single port or a range, not many single individual ports.
     
    post edited by BrUz - 2019/01/09 00:06:24
 
    Fortigate <3
    #6
    Antti
    New Member
    Re: Port forwarding from IP-range to single IP 2019/01/09 00:05:27 (permalink)
    The main problem I'm having is that the incoming IP can be anything between xxx.xxx.xxx.0 - xxx.xxx.xxx.255.
    In the VIP settings, when the external IP is between .0 and .255, the mapped IP is also the same range. But in this case it should be a single mapped IP.
     
    Is this done using a Source Address Filter? Or how do I forward the traffic from .0 - .255 to a single IP?
    #7
    BrUz
    Gold Member
    Re: Port forwarding from IP-range to single IP 2019/01/09 01:21:37 (permalink)
    Please explain some more. Do I understand your last post correctly if this is the case:
     
    You have a /24 subnet in external/WAN, and you want to NAT all the /24 addresses to one single IP in the same subnet?

    Fortigate <3
    #8
    Antti
    New Member
    Re: Port forwarding from IP-range to single IP 2019/01/09 01:33:59 (permalink)
    Yes,
     
    Information is coming from a /24 subnet and we need to receive the information on a specific machine.
    I'd know how to conf the VIP if the case was f.ex. from 123.123.123.321 ----> 192.192.192.291. But it is 123.123.123.0/24 -----> 192.192.192.291.
    #9
    BrUz
    Gold Member
    Re: Port forwarding from IP-range to single IP 2019/01/09 01:51:51 (permalink)
    Ok, setup:
    External IP address/Range 0.0.0.0 - 0.0.0.0
    Mapped IP Address/Range machine - machine
     
    Create a policy from external to your machine interface that controls access.

    Fortigate <3
    #10
    BrUz
    Gold Member
    Re: Port forwarding from IP-range to single IP 2019/01/09 01:58:28 (permalink)
    I do not know the setup of your complete network; this will only work if the traffic hits the FortiGate.

    Fortigate <3
    #11
    ede_pfau
    Expert Member
    Re: Port forwarding from IP-range to single IP 2019/01/09 09:03:19 (permalink)
    I think @Antti has the right idea to employ a source address filter in the VIP definition. This requires a newer FortiOS (v5.4+ ?).
    The difference between source IP filter and source IP address object in the access policy is that in the first case the VIP will only be active for the source address range specified (think of arp replies) whereas with filtering in the policy the VIP will trigger for any source address, and block the inappropriate ones. This could easily lead to a 'black hole' sucking up all traffic on ports 111 and 222.

    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    #12
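The setup the replies converge on (BrUz's wildcard 0.0.0.0 external IP in #10, one port-forward VIP per protocol and port grouped as Anas describes, and the /24 as the VIP's own source filter as ede_pfau recommends in #12), written out as a FortiOS CLI configuration. This is an added example, not taken from the thread or from Fortinet documentation; the interface names wan1/internal and all object names are assumptions, and the addresses are the thread's placeholder values.

```text
# Constructed FortiOS CLI example; interface and object names are assumed.
# src-filter keeps the VIP inactive for every source outside the /24.
config firewall vip
    edit "vip-tcp-111"
        set extintf "wan1"
        set extip 0.0.0.0
        set mappedip "192.192.192.123"
        set portforward enable
        set protocol tcp
        set extport 111
        set mappedport 111
        set src-filter "123.123.123.0/24"
    next
    edit "vip-udp-111"
        set extintf "wan1"
        set extip 0.0.0.0
        set mappedip "192.192.192.123"
        set portforward enable
        set protocol udp
        set extport 111
        set mappedport 111
        set src-filter "123.123.123.0/24"
    next
    # "vip-tcp-222" and "vip-udp-222" are defined the same way.
end
config firewall vipgrp
    edit "vipgrp-device"
        set interface "wan1"
        set member "vip-tcp-111" "vip-udp-111"
    next
end
# Same /24 as an address object, so the policy filters too (defence in depth).
config firewall address
    edit "remote-range"
        set subnet 123.123.123.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "remote-range-to-device"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "remote-range"
        set dstaddr "vipgrp-device"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After adding the two port-222 VIPs, append them to the group's member line; the policy can reference the group as its destination because a VIP group is valid as dstaddr.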