Support Forum
orbiter2001

DMZ with public subnet not working from wan

I'm giving the FortiGate 60F a try, but I'm stuck with the DMZ configuration.

I have a subnet of public IP addresses configured on the DMZ interface, and I have connected my web server to this DMZ. I have also configured some Virtual IPs for devices which are located in the internal network and need port forwarding.

Now I'm trying to access all this from the WAN, and the web server is not working. The Virtual IPs are working, so I think my problem is maybe NAT, but I have switched off NAT.

From the internal network I have access to the web server.

Is there another system configuration which I missed?

TheJaeene

Hi Orbiter,

Could you please tell us if you split the public subnet you have between WAN and DMZ?

To fully understand the issue we need the addresses (obfuscated, of course).

Most of the time you bind the public IPs on the WAN interface and then DNAT them via VIP to the respective (private) address in the DMZ.

If you have a separate public subnet on your DMZ interface, the provider needs to route that traffic to one of the WAN interface's IPs.

Sounds like that may be your problem.

orbiter2001

Thanks for your answer.

WAN1
IP Address: xx.174.184.62/29
Gateway: xx.174.184.57

DMZ
IP Address: xx.174.189.33/29

The DMZ subnet xx.174.189.32/29 is fully routed to the WAN1 IP address.

I also tried with a computer in the WAN1 network to access the web server in the DMZ; this is not working. The gateway of the computer was set to the WAN1 IP address of the FortiGate, so if the routing of the public subnet from the provider were wrong, I should be able to access the web server in this scenario.

orbiter2001

Additional:

On the web server in the DMZ I can ping the WAN1 IP address of the FortiGate, but I cannot ping the computer which is in the WAN network.

TheJaeene

How did you bind the VIPs, just to their respective nearest interface (internal)?

Just a quick idea:

Please try to disable the ARP reply on the VIPs via CLI:

set arp-reply disable

EDIT:

Ahh, I see your VIPs are also external. I thought they were internal to the DMZ.

Then forget my ARP reply idea ;)

But please note that sometimes VIPs without a policy tend to generate ARP replies for them.

The best way to find out why the traffic is broken would be to do a debug flow.

Are you running FOS 6.2.4 already?
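The setup the replies describe, as an added example that is not part of the thread: a direct wan1 to dmz policy with NAT off for a server that already holds a public address, plus the debug flow the reply suggests. The interface names wan1 and dmz come from the thread; 203.0.113.0/29 stands in for the obfuscated xx.174.189.32/29, and the address-object and policy names are assumed.

```fortios
# Added example, not taken from the thread. 203.0.113.34 is a placeholder
# for the web server's public address inside the routed DMZ subnet.

# 1. Address object for the web server that sits directly on the DMZ.
config firewall address
    edit "dmz-webserver"
        set subnet 203.0.113.34 255.255.255.255
        set associated-interface "dmz"
    next
end

# 2. Inbound policy wan1 -> dmz. The server already has a public address,
#    so no VIP is involved: the destination is the real host and NAT must
#    stay off, otherwise replies would be rewritten to the wan1 address.
config firewall policy
    edit 0
        set name "wan1-to-dmz-web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "dmz-webserver"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat disable
    next
end

# 3. Debug flow, as the reply suggests: trace what happens to a packet
#    from the WAN aimed at the server. The trace names the policy id that
#    matched, or the reason the packet was dropped (no matching policy,
#    reverse-path check, missing route), which is the check to read first.
diagnose debug reset
diagnose debug flow filter addr 203.0.113.34
diagnose debug flow filter port 80
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... send one request from the WAN side, read the trace, then stop:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug reset
```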

orbiter2001

I did a factory reset. After reconfiguring, everything worked fine. Maybe I did some misconfiguring because I had to figure out how it works with this product.

Thanks for your hints.
