Re: Cannot access webserver behind DMZ on Fortigate E61
So after a lot of tests and trials, I've finally got this to work correctly.
Quite simply, I added 2 more VIPs with the external IPs actually matching our real external IP (i.e. 18.104.22.168) and mapped them to the DMZ-based web server's IP (192.168.2.10), with the HTTPS and HTTP ports forwarded. This was my primary struggle: realising that I needed 4 VIPs (2 for normal WAN-to-DMZ traffic and 2 for... well, WAN-to-DMZ traffic, but actually for LAN-to-DMZ).
A while back, while testing this, I had set up a policy to allow LAN-to-DMZ traffic, but specified the original VIPs (the ones that map the internet breakout IPs on our network stack, not our ACTUAL external IP), and that never worked. One needs to specify the 2 new VIPs (the hairpin ones), and suddenly it worked!
Also, one should remember to enable match-vip on the LAN-to-DMZ policy (your hairpin policy) to make this work.
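For readers who want the setup above in CLI form, here is an added FortiOS configuration fragment illustrating the two hairpin VIPs and the LAN-to-DMZ policy the poster describes. This is not the poster's own configuration: the public IP 18.104.22.168 and the server IP 192.168.2.10 are taken from the post, while the interface names (lan, dmz), the VIP and policy names, and the choice of `extintf any` are assumptions. Only the hairpin half is shown; the two ordinary WAN-to-DMZ VIPs and their wan-to-dmz policy are assumed to exist already.

```fortios
# Added example, not the poster's config. Interface and object names are assumed.
# Hairpin VIPs: external IP is the REAL public address (from the post),
# mapped to the DMZ web server. extintf is "any" (assumption) so the VIP can
# match traffic arriving on the LAN interface, not only on the WAN interface.
config firewall vip
    edit "vip_hairpin_http"
        set extip 18.104.22.168
        set extintf "any"
        set portforward enable
        set mappedip "192.168.2.10"
        set extport 80
        set mappedport 80
    next
    edit "vip_hairpin_https"
        set extip 18.104.22.168
        set extintf "any"
        set portforward enable
        set mappedip "192.168.2.10"
        set extport 443
        set mappedport 443
    next
end

# Hairpin policy: LAN clients connecting to the public IP are DNATed to the DMZ
# server. dstaddr must reference the hairpin VIPs, not the WAN-to-DMZ ones.
# match-vip is enabled as the post reports; its availability and default vary
# by FortiOS version, so check the CLI reference for the firmware in use.
config firewall policy
    edit 0
        set name "lan_to_dmz_hairpin"
        set srcintf "lan"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip_hairpin_http" "vip_hairpin_https"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set match-vip enable
        # If client and server ever share a segment, add "set nat enable" so
        # the server's replies return via the FortiGate (assumption, not from the post).
    next
end
```

To confirm the DNAT is actually applied, run `diagnose sniffer packet any 'host 192.168.2.10 and port 443' 4` while a LAN client browses to https://18.104.22.168 and check that the packets arriving on dmz carry the mapped destination; the policy's hit counter in `diagnose firewall iprope show` or the GUI should increment on the hairpin policy, not on the WAN-to-DMZ one.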