Port Forwarding with static route to IPSEC tunnel

Author
elad.b
2020/11/30 01:13:56 (permalink)

Port Forwarding with static route to IPSEC tunnel

Hi all,
 
On a new FortiGate 40F, I configured a Virtual IP with port forwarding and a policy for the camera NVR, and it worked; I was able to reach the cameras from outside the network.
 
The problem is that all the computers on the LAN should access the internet via the IPsec tunnel (to be recognized by a different external IP address), so I configured a static route to 0.0.0.0/0 via the IPsec interface and then policies from LAN to the IPsec interface and vice versa with NAT disabled.
The IPsec Phase 2 is from the LAN subnet to 0.0.0.0/0 as well.
 
The computers can access the internet successfully, but the cameras aren't reachable, and I can't access the web management interface of the firewall from outside either.
I tried to configure a policy route, but it is still not working.
 
Does anyone have an idea how I can make this work?
 
Thanks!
post edited by elad.b - 2020/11/30 01:29:32
#1


    rwpatterson
    Re: Port Forwarding with static route to IPSEC tunnel 2020/11/30 05:45:52 (permalink)
    My first thought here would be to check the routing table and ensure that all local routes have a lower distance than the default gateway. A traceroute from a non-working source should confirm the bad route.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com


    -5.0.14-b0323
    FWF81CM (1)
     
    -4.3.19-b0694
    FWF80CM (2)
    FWF81CM (2)
     
    #2
    brycemd
    Re: Port Forwarding with static route to IPSEC tunnel 2020/11/30 08:07:43 (permalink)
    You've created asymmetrical routing. The traffic is coming into the FortiGate and being port forwarded, but the return traffic is going across the tunnel and out via a different public IP.
     
    You either need to set up policy routes for the camera(s) to go directly out to the internet, or set up the port forwarding on the other side of the tunnel.
     
    Same reason for not being able to externally manage it anymore: traffic is being returned over the IPsec tunnel. As it is (unless you have other routes), it cannot access the internet unless that tunnel is up. And, if you didn't create a static route for the IP of the other end of the tunnel, it may not come back up if it goes down.
    post edited by brycemd - 2020/11/30 08:32:22
    #3
    Toshi Esumi
    Re: Port Forwarding with static route to IPSEC tunnel 2020/11/30 10:35:05 (permalink)
    Or, add a local static default route with a high priority number in addition to the default route toward the tunnel (priority 0 by default), so that the incoming access to the camera from the local WAN interface via the VIP can go back out the local WAN instead of going across the tunnel.
    #4
    elad.b
    Re: Port Forwarding with static route to IPSEC tunnel 2020/12/02 10:50:29 (permalink)
    Thanks for your comments.
     
    I already tried to configure policy routes for the NVR, from WAN to LAN and from LAN to WAN, and it still didn't work.
    Maybe I should set the policy route from WAN to WAN?
     
    I will also try the static route via the original WAN interface with a higher priority.
    #5
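    To make brycemd's point about the tunnel peer route and Toshi Esumi's dual-default-route suggestion concrete, here is an added FortiOS CLI example; it is not from any of the posters, and the interface name wan1, the tunnel name to-hub, the ISP gateway 203.0.113.1 and the remote peer 198.51.100.10 are assumed placeholders.

    ```fortios
    # Added example, not from the thread. Assumed names/addresses:
    #   wan1           - ISP-facing interface
    #   to-hub         - IPsec phase1-interface name
    #   203.0.113.1    - ISP gateway on wan1
    #   198.51.100.10  - remote IPsec peer (public IP of the other end)
    # Replace with your own values before use.

    config router static
        # 1) Host route to the remote IPsec peer via the real WAN, so the
        #    tunnel can be rebuilt after a drop even though the default
        #    route points into the tunnel (brycemd's point).
        edit 1
            set dst 198.51.100.10 255.255.255.255
            set gateway 203.0.113.1
            set device "wan1"
        next
        # 2) Default route into the tunnel. Lower priority value wins, so
        #    LAN-originated internet traffic still exits via the tunnel.
        edit 2
            set dst 0.0.0.0 0.0.0.0
            set device "to-hub"
            set priority 0
        next
        # 3) Second default route via the real WAN with a higher priority
        #    number and the SAME distance (default 10) as route 2, so both
        #    stay active in the routing table. Replies to sessions that
        #    arrived on wan1 (the VIP-forwarded NVR traffic and admin
        #    access to the firewall) can then leave via wan1 instead of
        #    being pushed into the tunnel (Toshi Esumi's suggestion).
        edit 3
            set dst 0.0.0.0 0.0.0.0
            set gateway 203.0.113.1
            set device "wan1"
            set priority 10
        next
    end
    ```

    Raise the priority number of route 3, not its distance: a default route with a higher distance is withdrawn from the active routing table and the replies would follow the tunnel route again. Confirm both default routes are active with `get router info routing-table all` before testing the VIP from outside.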