
Author: RuuJan (New Member)
2019/05/17 05:02:03

Strange VIP problem

Hi, I have a strange problem. I have a new Fortigate 60E and I've configured it to replace an old pfSense router. There is an OpenVPN server inside the network and I have to create a port forwarding to it. I'm not able to get this working. So I created another port forwarding to a Windows machine and tried to RDP into that. To my surprise this works. I can even test the policy with Policy Lookup to simulate a session to the external IP address. TCP 3389 works without a problem. TCP 943 (management page) and UDP 1194 (tunnel) don't match a policy.
 
I've checked it over and over but I guess I'm missing something.
 
 
 
This is my CLI configuration:
 

config firewall policy
    edit 13
        set name "OVPN"
        set uuid eeb3d648-70dd-51e9-8b48-10597084cee0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "OpenVPN"
        set action accept
        set schedule "always"
        set service "SOpenVPN"
        set logtraffic all
        set fsso disable
    next
end

 
config firewall policy
    edit 15
        set name "RDPTest"
        set uuid e9f28758-77bd-51e9-f8b4-0258a68224be
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "RDP"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic all
        set fsso disable
    next
end
 
#1 Fullmoon (Platinum Member)
Re: Strange VIP problem 2019/05/17 05:30:20
May you please check if there's a built-in OpenVPN server on the firewall.

Fortigate Newbie
#2 RuuJan (New Member)
Re: Strange VIP problem 2019/05/17 06:02:57
Hi Fullmoon, thanks, but that is not the issue. I tested from another VLAN and the management page on the VPN server is reacting normally. Besides that, the policy lookup shows there is a route.
 
Is there a way to test what rule is blocking my traffic?
#3 rwpatterson (Expert Member, Long Island, New York, USA)
Re: Strange VIP problem 2019/05/17 08:43:41
RuuJan wrote:
       set service "SOpenVPN"

Please show the contents of the above custom service. Source ports should be 1024-65535, and destination should be the target port(s).

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.19-b0694
FWF60B
FWF80CM (4)
FWF81CM (2)
 
#4 RuuJan (New Member)
Re: Strange VIP problem 2019/05/17 09:52:41
This is the service as I created it. Is it necessary to specify the source ports?
 
config firewall service custom
    edit "SOpenVPN"
        set category "Tunneling"
        set tcp-portrange 943
        set udp-portrange 1194
    next
end

 
#5 rwpatterson (Expert Member, Long Island, New York, USA)
Re: Strange VIP problem 2019/05/17 11:34:13
That's fine. If you do not specify, it assumes source port range is 1-65535 which covers everything. Missing is the 'set protocol TCP/UDP/SCTP' line. Not sure if that is needed, but give it a shot.
 
 

 
#6 RuuJan (New Member)
Re: Strange VIP problem 2019/05/18 06:26:17
Thanks, I'll try that Monday.
#7 ede_pfau (Expert Member, Heidelberg, Germany)
Re: Strange VIP problem 2019/05/18 07:54:02
Strange... that we haven't seen the VIP yet. It's the crucial point here.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#8 RuuJan (New Member)
Re: Strange VIP problem 2019/05/20 03:41:08
Here they are. I added the Policy route too.
 

config firewall vip
    edit "OpenVPNTunnel"
        set uuid 8dfb6470-78b6-51e9-d1bf-209636e5d072
        set extip a.b.c.d
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.2.6"
        set protocol udp
        set extport 1194
        set mappedport 1194
    next
end

config firewall vip
    edit "OpenVPNMgt"
        set uuid aceb1a56-78b6-51e9-fd50-393da876e859
        set extip a.b.c.d
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.2.6"
        set extport 943
        set mappedport 943
    next
end

config firewall vip
    edit "RDP"
        set uuid 3f9ff56a-77bd-51e9-d494-21d7cd53b228
        set extip a.b.c.d
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.2.5"
        set extport 3389
        set mappedport 3389
    next
end

config router policy
    edit 15
        set input-device "wan1"
        set srcaddr "all"
        set dstaddr "Beheer"
        set output-device "internal"
    next
end

 
post edited by RuuJan - 2019/05/20 03:43:11
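The objects posted so far (two policies, one custom service, three VIPs) are enough to model how the FortiGate decides whether an inbound port-forwarded packet is accepted: the VIP (destination NAT) lookup runs first on external interface, external IP, protocol and external port, and only then is the firewall policy matched on srcintf/dstintf, on a dstaddr that is the VIP object or a group holding it, and on the service. The following is an added Python model written for this thread, not FortiGate code. It assumes that the "OpenVPN" object referenced by policy 13 (never shown in the thread) is a VIP group containing both OpenVPN VIPs, that a VIP without `set protocol` defaults to TCP, and it uses constructed addresses for `a.b.c.d` and the remote client. Running it with and without that group shows why TCP 3389 matches policy 15 in either case while 943/1194 only match when the dstaddr object actually covers the VIPs.

```python
# Added example (not FortiGate code): a model of inbound VIP + policy matching,
# mirroring the objects posted in this thread. Addresses are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Vip:
    name: str
    extintf: str
    extip: str
    extport: int
    mappedip: str
    mappedport: int
    protocol: str = "tcp"   # FortiOS default when 'set protocol' is omitted


@dataclass
class Service:
    name: str
    tcp_ports: frozenset = frozenset()
    udp_ports: frozenset = frozenset()
    src_ports: tuple = (1, 65535)  # unspecified source port range covers everything (post #5)


@dataclass
class Policy:
    id: int
    srcintf: str
    dstintf: str
    dstaddr: str
    service: Service


@dataclass
class Packet:
    in_if: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


EXT_IP = "203.0.113.10"  # constructed stand-in for the page's a.b.c.d

VIPS = [
    Vip("OpenVPNTunnel", "wan1", EXT_IP, 1194, "192.168.2.6", 1194, protocol="udp"),
    Vip("OpenVPNMgt", "wan1", EXT_IP, 943, "192.168.2.6", 943),
    Vip("RDP", "wan1", EXT_IP, 3389, "192.168.2.5", 3389),
]
SERVICES = {
    "SOpenVPN": Service("SOpenVPN", tcp_ports=frozenset({943}), udp_ports=frozenset({1194})),
    "RDP": Service("RDP", tcp_ports=frozenset({3389})),
}
POLICIES = [
    Policy(13, "wan1", "internal", "OpenVPN", SERVICES["SOpenVPN"]),
    Policy(15, "wan1", "internal", "RDP", SERVICES["RDP"]),
]
# Policy 13 references "OpenVPN", an object the thread never shows.
# Assumption for this model: it is a VIP group holding both OpenVPN VIPs.
VIP_GROUPS = {"OpenVPN": frozenset({"OpenVPNTunnel", "OpenVPNMgt"})}


def dnat(pkt: Packet, vips):
    """VIP lookup: external interface, external IP, protocol and external port must all match."""
    for v in vips:
        if (pkt.in_if, pkt.dst, pkt.proto, pkt.dport) == (v.extintf, v.extip, v.protocol, v.extport):
            return Packet(pkt.in_if, pkt.proto, pkt.src, pkt.sport, v.mappedip, v.mappedport), v
    return pkt, None


def dstaddr_matches(dstaddr: str, vip: Optional[Vip], groups) -> bool:
    """dstaddr must name the VIP itself or a group containing it; a plain address object won't match."""
    if vip is None:
        return False
    return dstaddr == vip.name or vip.name in groups.get(dstaddr, frozenset())


def service_matches(svc: Service, pkt: Packet) -> bool:
    ports = svc.tcp_ports if pkt.proto == "tcp" else svc.udp_ports
    lo, hi = svc.src_ports
    return pkt.dport in ports and lo <= pkt.sport <= hi


def policy_lookup(pkt: Packet, vips=VIPS, policies=POLICIES, groups=VIP_GROUPS,
                  out_if="internal") -> Optional[int]:
    """Return the id of the first policy accepting the (already DNATed) packet, or None."""
    translated, vip = dnat(pkt, vips)
    for p in policies:
        # All three VIPs here map extport to the same mappedport, so matching the
        # service against the translated port is equivalent to the external port.
        if (p.srcintf == pkt.in_if and p.dstintf == out_if
                and dstaddr_matches(p.dstaddr, vip, groups)
                and service_matches(p.service, translated)):
            return p.id
    return None


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed remote client
    for proto, port in (("tcp", 3389), ("tcp", 943), ("udp", 1194)):
        pkt = Packet("wan1", proto, client, 51234, EXT_IP, port)
        print(proto, port, "-> policy", policy_lookup(pkt),
              "| without the group:", policy_lookup(pkt, groups={}))
```

The model deliberately keeps the VIP lookup and the policy lookup as separate steps: a packet that hits no VIP (for example TCP to port 1194, which the tunnel VIP only forwards as UDP) gets no dstaddr match at all, which is exactly the "does not match a policy" result Policy Lookup reports.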
#9 ede_pfau (Expert Member, Heidelberg, Germany)
Re: Strange VIP problem 2019/05/20 05:02:33
Why would you use a Policy Route??
Either you use routing, or NAT, not both for the same purpose.
In your case, a simple VIP will do - destination NAT.
 
If you need to debug:
diag debug enable
diag sniffer packet any 'tcp and port 943' 4 0 l (ell)
 
will show you any traffic on tcp/943, including the NAT.

#10 RuuJan (New Member)
Re: Strange VIP problem 2019/05/20 05:38:43
Thanks. I'm afraid I don't get the idea of policy routing.
#11 ede_pfau (Expert Member, Heidelberg, Germany)
Re: Strange VIP problem 2019/05/20 06:01:13 (Best Answer, marked by RuuJan 2019/05/22 13:00:59)
Regular routing directs traffic according to the destination address. Only.
Policy routing can match more criteria like source address or ports.

#12 RuuJan (New Member)
Re: Strange VIP problem 2019/05/20 10:55:12
That's what I understood too. But the situation is rather complex. This router is in a shopping mall. There are two internet connections and about 18 VLANs. VLANs for customers are for public use and should be routed through WAN2, whereas all other traffic like CCTV, contractors, door management, climate control, office and management should use WAN1. Each of these activities has a separate VLAN. And sometimes routing should also take place from one VLAN to another.
 
So I created two policy routes to realize this, based on the source network, and a couple of other, more specific ones to route from one VLAN into another. I don't know how I should realize this without policy routing.
 
config router policy
    edit 3
        set input-device "internal" "internal6" "VACorp_20" "Bewegw_50" "Contractors_30" "Energie_27" "Evenementen_17" "GBSkoppeling_28" "Muziek_24"
        set srcaddr "Beheer" "VACorp" "Bewegwijzering" "Contractors" "Energie_27 address" "Evenementen" "Muziek"
        set dstaddr "all"
        set gateway x.y.z.25
        set output-device "wan1"
    next
end


config router policy
    edit 1
        set input-device "Public_Wifi_11" "Public_Wifi_12" "Public_Wifi_13" "Public_Wifi_14" "Public_Wifi_15" "PublVergader_16" "Bewegw_50" "Contractors_30" "Energie_27" "Evenementen_17" "GBSkoppeling_28" "Muziek_24" "VACorp_20"
        set srcaddr "Bewegwijzering" "Contractors" "Energie_27 address" "Evenementen" "Public_LAN_VGZ" "Public_Wifi_11" "Public_Wifi_12" "Public_Wifi_13" "Public_Wifi_14" "Public_Wifi_15"
        set dstaddr "all"
        set output-device "wan2"
    next
end

WAN1 is a routed subnet with a /29 mask while WAN2 is a simple NATed network in the 192.168.0.0/24 range.
 
 
#13 RuuJan (New Member)
Re: Strange VIP problem 2019/05/22 13:06:49
Thank you!!! You got me on the right track. First I deleted all my policy route settings. Besides that there was a problem with WAN1 with an administrative cost of 5 and WAN2 with an administrative cost of 0. I guess most of the traffic was replied through WAN2 so it was never received (recognized) at the router at my (remote) location.
 
Once more thanks a million!
 
Ruud.
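Post #11 states the rule (regular routing looks at the destination only; policy routes can match source, ports and input interface) and post #13 shows its consequence: with the policy routes removed and WAN2's default route at a lower administrative distance than WAN1's, the OpenVPN server's replies left through WAN2 while the requests had arrived on WAN1, so the forwarded session never completed. The following is an added Python model of that egress decision, written for this thread and not FortiGate code. It evaluates policy routes in sequence before the routing table and, in the table, picks the longest prefix and then the lowest distance. It assumes the "Beheer" address object covers 192.168.2.0/24 (the thread never shows it), uses constructed remote-client addresses, and the "fixed" distances are an assumption since post #13 only says the 5/0 costs were the problem. The `reply_is_symmetric` check is the test a defender would want: does the reply leave on the interface the request came in on.

```python
# Added example (not FortiGate code): a model of the egress decision behind posts #11
# and #13. Policy routes are consulted in sequence before the routing table; if none
# matches, regular routing picks the longest prefix and, among equals, the lowest
# administrative distance. Addresses and the "Beheer" prefix are assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Set, Tuple

ANY = ip_network("0.0.0.0/0")  # the "all" address object


@dataclass
class PolicyRoute:
    seq: int
    input_devices: Set[str]
    srcaddr: List[IPv4Network]
    dstaddr: List[IPv4Network]
    output_device: str


@dataclass
class StaticRoute:
    dst: IPv4Network
    device: str
    distance: int


def _contains(nets, addr) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


def select_egress(in_if, src, dst, policy_routes, static_routes) -> Tuple[str, str]:
    """Return (egress interface, reason) for a packet entering on in_if from src to dst."""
    for pr in policy_routes:  # first matching policy route wins; the table is not consulted
        if in_if in pr.input_devices and _contains(pr.srcaddr, src) and _contains(pr.dstaddr, dst):
            return pr.output_device, f"policy route {pr.seq}"
    candidates = [r for r in static_routes if ip_address(dst) in r.dst]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    best = min(candidates, key=lambda r: (-r.dst.prefixlen, r.distance))
    return best.device, f"routing table (distance {best.distance})"


def reply_is_symmetric(in_if, server, client, policy_routes, static_routes) -> bool:
    """The request reached the VIP on in_if; check the server's reply leaves on the same interface."""
    egress, _ = select_egress("internal", server, client, policy_routes, static_routes)
    return egress == in_if


# Constructed scenario values
BEHEER = ip_network("192.168.2.0/24")   # assumption: "Beheer" covers the VIP's mapped hosts
SERVER, CLIENT = "192.168.2.6", "198.51.100.7"

# Two default routes as described in post #13: WAN1 at distance 5, WAN2 at distance 0.
BROKEN_TABLE = [StaticRoute(ANY, "wan1", 5), StaticRoute(ANY, "wan2", 0)]
# Assumed fix: make WAN1 the preferred default (the page only says the costs were the problem).
FIXED_TABLE = [StaticRoute(ANY, "wan1", 5), StaticRoute(ANY, "wan2", 10)]
# Policy route 3 from post #12, reduced to its "internal" / "Beheer" entry.
POLICY_ROUTE_3 = PolicyRoute(3, {"internal"}, [BEHEER], [ANY], "wan1")

if __name__ == "__main__":
    scenarios = (
        ("no policy routes, distances 5/0", [], BROKEN_TABLE),
        ("no policy routes, distances 5/10", [], FIXED_TABLE),
        ("policy route 3, distances 5/0", [POLICY_ROUTE_3], BROKEN_TABLE),
    )
    for label, prs, table in scenarios:
        egress, why = select_egress("internal", SERVER, CLIENT, prs, table)
        sym = reply_is_symmetric("wan1", SERVER, CLIENT, prs, table)
        print(f"{label}: reply exits {egress} via {why}; symmetric with wan1: {sym}")
```

The third scenario is worth noting: a policy route whose source object really covers the server would have sent the replies out WAN1 regardless of the distances, so whether the thread's route 3 ever matched depends on the contents of "Beheer", which the thread does not show. Hosts outside that object fall through to the table and follow the distance, which is the asymmetric case post #13 describes.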
 
 