Virtual IPs don't appear to be working

Author
lhsit
New Member
2020/07/14 13:27:28

Virtual IPs don't appear to be working

Hello All,
I am running 6.2.4.  I have a new Internet connection via AussieBroadBand here in Aus.  Our link is DHCP, but we have two static IP addresses coming in on the same link.  The two IP addresses are both /32 addresses.
 
I have created a virtual IP as per the following documentation. This is very similar to pfSense, and I have done this previously with pfSense in a separate environment.
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/502582/creating-a-security-policy
 
I have also created the IPv4 policy as per the documentation.  However, it doesn't seem to work.  In the port forwarding section I forwarded ICMP and have monitored for incoming ICMP on the target machine but don't see any packets reaching the internal machine.
 
I am starting to wonder whether my ISP is in fact forwarding those packets to me.  It's been a long time since I've done any packet sniffing on the FortiGate; I'm hoping someone can help me with the commands I need to issue in the CLI on the FortiGate to attempt to see those packets coming in.
 
Any other advice would be most welcome.

Thanks,
Chris.
 
PS: Moved from the routing forum; this seems more appropriate here.
#1
lobstercreed
Gold Member
Re: Virtual IPs don't appear to be working 2020/07/14 13:35:15
No need to do any port forwarding.  Not sure why the documentation tells you to do that unless the different applications live on different servers and share the same public IP.  Especially since you're not having it work, I would turn all port forwarding off and then just make sure your policy specifies the services (PING for example) that you want to allow inbound.
 
There is a place to create packet captures in the GUI depending on your platform under Network -> Packet Capture.  That's what I would use to see if your ISP is even sending you the packets.
 
diag debug flow is what a couple of the more active folks in here will recommend using though...so if you prefer CLI you might investigate that.  It's useful for a lot of more advanced situations.
#2
lhsit
New Member
Re: Virtual IPs don't appear to be working 2020/07/14 13:38:01
I have managed to figure out how to do a packet sniffer.  I can see pings coming into the device for the DHCP ip address, but I don't see any pings coming in for the virtual IP.  I'm thinking I should be able to see those packets coming in at that port?
 
Cheers,
Chris.
#3
lobstercreed
Gold Member
Re: Virtual IPs don't appear to be working 2020/07/14 13:50:03
You seem to be saying both that you can and that you can't do a packet sniffer?  I just gave you the GUI option and also suggested the CLI.  But if you're seeing the packets as you describe, then it sounds like you've already figured it out, and the answer is that your ISP isn't sending them to you.
#4
lhsit
New Member
Re: Virtual IPs don't appear to be working 2020/07/14 13:53:30
lobstercreed
No need to do any port forwarding.  Not sure why the documentation tells you to do that unless the different applications live on different servers and share the same public IP. 
 
<snip>
 
diag debug flow is what a couple of the more active folks in here will recommend using though...so if you prefer CLI you might investigate that.  It's useful for a lot of more advanced situations.

Thanks lobstercreed, I turned off the port forwarding and found an example of diag debug flow - that was a great suggestion.
 
Again, I can see the packets if I ping the dhcp address, but nothing if I ping the static IP address.  I am starting to wonder if the ISP is actually forwarding those packets.  That will be my next port of call.
 
Cheers,
Chris.
#5
rwpatterson
Expert Member
Re: Virtual IPs don't appear to be working 2020/07/16 05:56:33
From what I recall, ICMP will only be forwarded if port forwarding is disabled on an interface. As a test, disable port forwarding and see if the internal device does indeed receive the packets. For what it's worth, I wouldn't use that as a test. Packet sniffing on the correct protocol and destination IP would be how I would go about it.

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.19-b0694
FWF80CM (2)
FWF81CM (3)
 
#6
drmorg
New Member
Re: Virtual IPs don't appear to be working 2020/07/17 22:21:50
I am having a similar issue after upgrading to 6.2.4.
Approximately 12 hours after reboot, DNAT stops working: our site doesn't respond, SSL-VPN does not connect, etc. This happens only on the primary ISP interface; I can connect via the secondary (but it's really slow).
'diag sniffer packet any "host {external ip} and port 443" 4 0 a' shows only inbound packets; there is no outbound to the LAN.
diagnose debug flow shows nothing at all.
Rebooting helps, but only temporarily.
My guess is that it's a bug, and I am now considering a downgrade to 6.2.3.
#7
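The triage the thread converges on (sniff on the FortiGate, compare what arrives for the DHCP address against what arrives for the VIP, and, as in drmorg's case, check whether inbound packets ever leave on a LAN interface) can be mechanised over saved sniffer output. The following Python is an added example written for this page; it is not code from the posters or from Fortinet. It assumes verbosity-4 `diagnose sniffer packet` output (timestamp, interface, in/out, header line), and the interface names wan1/internal, the addresses and the capture lines are constructed for illustration.

```python
"""Triage FortiGate 'diagnose sniffer packet' output for a VIP that seems dead.

Assumed input: verbosity-4 sniffer lines of the form
    <ts> <interface> <in|out> <src>[.<port>] -> <dst>[.<port>]: <info>
where <ts> is a relative float or, when the 'a' flag was used, an absolute
'YYYY-MM-DD HH:MM:SS.ffffff' timestamp.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample capture (interface names, addresses and packets are invented):
#   198.51.100.10  the "DHCP" address: ping arrives and is DNATed to 10.0.0.20
#   198.51.100.11  a VIP for which nothing ever reaches wan1 (ISP not routing it)
#   198.51.100.12  a VIP where TCP/443 arrives but is never forwarded (DNAT broken)
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[icmp or port 443]
1.000100 wan1 in 203.0.113.5 -> 198.51.100.10: icmp: echo request
1.000150 internal out 203.0.113.5 -> 10.0.0.20: icmp: echo request
1.000900 internal in 10.0.0.20 -> 203.0.113.5: icmp: echo reply
1.000950 wan1 out 198.51.100.10 -> 203.0.113.5: icmp: echo reply
4.200000 wan1 in 203.0.113.5.51514 -> 198.51.100.12.443: syn 1821390124
7.300000 wan1 in 203.0.113.5.51515 -> 198.51.100.12.443: syn 1821390125
"""
PUBLIC_IPS = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
WAN_IF = "wan1"  # assumed name of the ISP-facing interface

LINE_RE = re.compile(
    r"^(?:(?P<date>\d{4}-\d{2}-\d{2})\s+)?(?P<ts>[\d:.]+)\s+"
    r"(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s*(?P<info>.*)$"
)


@dataclass
class Packet:
    ts: float
    iface: str
    direction: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    info: str


def split_endpoint(ep: str):
    """'198.51.100.12.443' -> ('198.51.100.12', 443); '10.0.0.20' -> ('10.0.0.20', None)."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return ep, None


def _to_seconds(date: Optional[str], ts: str) -> float:
    if date is None:
        return float(ts)
    return datetime.fromisoformat(f"{date} {ts}").timestamp()


def parse_capture(text: str) -> List[Packet]:
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # interfaces=/filters= headers and hex-dump lines are skipped
            continue
        src_ip, src_port = split_endpoint(m["src"])
        dst_ip, dst_port = split_endpoint(m["dst"])
        pkts.append(Packet(_to_seconds(m["date"], m["ts"]), m["iface"], m["dir"],
                           src_ip, src_port, dst_ip, dst_port, m["info"]))
    return pkts


def classify_public_ips(pkts, public_ips, wan_if, window=0.5):
    """Map each public IP to one of:
      not-arriving            nothing for it seen inbound on the WAN interface
                              (the ISP is the place to look);
      arriving-not-forwarded  inbound seen, but nothing left on another interface
                              (VIP / policy / DNAT problem on the FortiGate);
      forwarded               DNAT is working.
    A forwarded packet is an 'out' packet on a non-WAN interface that keeps the
    original source address and port within `window` seconds. This assumes the
    VIP policy does not also source-NAT the client; with NAT enabled on the
    policy the source changes and only timing could correlate the two."""
    result = {}
    for ip in public_ips:
        inbound = [p for p in pkts
                   if p.iface == wan_if and p.direction == "in" and p.dst_ip == ip]
        if not inbound:
            result[ip] = "not-arriving"
            continue
        forwarded = any(
            q.direction == "out" and q.iface != wan_if
            and q.src_ip == p.src_ip and q.src_port == p.src_port
            and 0 <= q.ts - p.ts <= window
            for p in inbound for q in pkts)
        result[ip] = "forwarded" if forwarded else "arriving-not-forwarded"
    return result


if __name__ == "__main__":
    verdicts = classify_public_ips(parse_capture(SAMPLE_CAPTURE), PUBLIC_IPS, WAN_IF)
    for ip, verdict in verdicts.items():
        print(f"{ip:16} {verdict}")
```

To use it against a real box, run `diagnose sniffer packet any "host <public ip>" 4 0 a` on the FortiGate while probing from outside, save the terminal output, and pass it to `parse_capture`. A `not-arriving` verdict is the situation both lhsit and the replies describe (the ISP is not delivering the /32 to the link); `arriving-not-forwarded` is drmorg's symptom, where the packets reach the WAN interface but the DNAT never produces an outbound packet toward the LAN, so the fault is on the FortiGate side.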
James_G
Gold Member
Re: Virtual IPs don't appear to be working 2020/07/18 02:05:59
It's a known bug with the denial of service ('DoS') policy; disabling the DoS policy or downgrading are the only options.
#8