
Author
https
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/09/11 01:34:05
  • Status: offline
2021/04/29 06:33:27 (permalink)
0

VIP - Redirect NTP traffic

Hi,
I'd like to forward all NTP traffic to my NTP server.
I'd like to use a VIP where the source IP is in the range 0.0.0.0-239.255.255.255 and do port mapping 123-123 (use service NTP).
        set type load-balance
        set service "NTP"
        set extip 0.0.0.0-239.255.255.255
        set mappedip "10.20.68.192-20.121.12.194"
        set arp-reply disable
        set portforward enable
        set mappedport 123
The problem is when any other VIP exists. For example:
        set extip 10.100.200.3
        set mappedip "10.20.3.35"
        set extintf "any"
I receive a message that NTP is overlapping another VIP, but if I use extip from 0.0.0.0 to 10.100.200.2 it works like a charm.
Do you have any idea how to configure this VIP to work with extip "any"?
FortiOS 6.4.5
#1
emnoc
Expert Member
  • Total Posts : 6137
  • Scores: 422
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: VIP - Redirect NTP traffic 2021/04/29 14:24:52 (permalink)
Marked helpful by https 2021/05/04 07:41:38
0
You have a few choices; all are nasty.
 
1st, have you tried with the src-ip left as-is at 0.0.0.0?
 
config firewall vip
    edit "NTP"
        set mappedip "10.10.1.112"
        set extintf "wan1"
        set portforward enable
        set extport 123
        set mappedport 123 
    next
end
 
 
2nd, you can't do what you're asking directly, since you have an overlap of the ext-srcs and the mapped IP. If you think about it, the mappedip is in the src-range.
 
3rd, your next option is: you have to out-play the FortiGate, so to speak, since any locally assigned address used will overlap the src-range. You can try the following as a guide.
 
e.g. a workaround is to eliminate the local address by breaking up the src-range and applying multiple VIPs:
 
config firewall vip
    edit "test-vip1"
        set uuid 88b9508a-a92e-51eb-c370-f85b1c740d8a
        set type load-balance
        set extip 0.0.0.0-9.255.255.255
        set mappedip "10.0.1.112"
        set extintf "wan1"
        set portforward enable
        set extport 999
        set mappedport 999
    next
    edit "test-vip2"
        set uuid b40364f6-a92e-51eb-853d-7321802aaa2d
        set type load-balance
        set extip 11.0.0.0-192.167.255.255
        set mappedip "10.0.1.112"
        set extintf "wan1"
        set portforward enable
        set extport 999
        set mappedport 999
    next
    edit "test-vip3"
        set uuid b40364f6-a92e-51eb-853d-7321802aaa2d
        set type load-balance
        set extip 192.169.0.0-239.255.255.255
        set mappedip "10.0.1.112"
        set extintf "wan1"
        set portforward enable
        set extport 999
        set mappedport 999
    next
 
and so on
 
You have to poke holes for all interface addresses, all static route addresses, all VPN endpoints, etc. that you have, and any IP address assigned on the FortiGate.
 
Like I said, not a clean approach, but a very nasty approach.
 
If you come across a better way, please post what you ultimately do, but the above is what we did, with mixed results. We have a test lab and had reasons for doing the above. I would not recommend the above in a production env. A proper SLB would be best suited.
 
I think using the 0.0.0.0 VIP is the best approach, but let us know if it works.
 
Ken Felix
 
 

PCNSE 
NSE 
StrongSwan  
#2
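The third option above is a manual version of a general computation: take the source range the VIP should match, punch out every address the FortiGate itself owns or that another VIP already claims, and turn whatever is left into consecutive extip ranges. The Python below is an added example written for this thread, not code from the forum, from Ken Felix or from Fortinet. The exclusion list, the name prefix ntp-vip, the mappedip 10.0.1.112 and the extintf wan1 are constructed sample values, and the emitted CLI is a text rendering in the same shape as the snippets in this thread; it has not been validated against a FortiGate, so treat it as a starting point to review, not something to paste in.

```python
import ipaddress

# Assumed outer bounds for the example: the unicast source range the original
# poster wanted to match (constructed to follow the thread, not a Fortinet default).
DEFAULT_LOW = "0.0.0.0"
DEFAULT_HIGH = "239.255.255.255"


def split_src_ranges(excluded, low=DEFAULT_LOW, high=DEFAULT_HIGH):
    """Return (first, last) dotted-quad pairs that together cover low..high
    minus every address in `excluded`.

    `excluded` holds single addresses ("10.0.1.112") or CIDR networks
    ("192.168.0.0/16"); overlapping or adjacent exclusions are merged.
    """
    lo = int(ipaddress.IPv4Address(low))
    hi = int(ipaddress.IPv4Address(high))

    # Normalise each exclusion to an inclusive integer interval and sort them.
    holes = []
    for item in excluded:
        net = ipaddress.ip_network(item, strict=False)
        holes.append((int(net.network_address), int(net.broadcast_address)))
    holes.sort()

    ranges = []
    cursor = lo  # lowest address not yet covered by a range or a hole
    for start, end in holes:
        if end < cursor:          # hole lies entirely below the cursor: nothing to do
            continue
        if start > cursor:        # free span before this hole becomes one VIP range
            ranges.append((cursor, min(start - 1, hi)))
        cursor = max(cursor, end + 1)
        if cursor > hi:           # the hole reaches the top of the window
            break
    if cursor <= hi:
        ranges.append((cursor, hi))

    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in ranges]


def render_vips(ranges, name_prefix, mappedip, extintf, port):
    """Emit a FortiOS-style 'config firewall vip' block with one entry per range,
    mirroring the shape of the load-balance VIPs shown earlier in the thread."""
    lines = ["config firewall vip"]
    for n, (first, last) in enumerate(ranges, start=1):
        lines += [
            f'    edit "{name_prefix}{n}"',
            "        set type load-balance",
            f"        set extip {first}-{last}",
            f'        set mappedip "{mappedip}"',
            f'        set extintf "{extintf}"',
            "        set portforward enable",
            f"        set extport {port}",
            f"        set mappedport {port}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed exclusions: the other VIP's extip from the thread plus a
    # hypothetical local LAN that the FortiGate would own.
    local = ["10.100.200.3", "192.168.0.0/16"]
    print(render_vips(split_src_ranges(local), "ntp-vip", "10.0.1.112", "wan1", 123))
```

Feeding it only the other VIP's address, 10.100.200.3, yields exactly the 0.0.0.0-10.100.200.2 range the original poster found working, plus the range above it; adding every interface, static route and VPN endpoint address to the list produces the full set of holes the reply describes. The number of entries grows with the number of exclusions, which is one concrete way to judge how unwieldy the workaround gets before choosing the 0.0.0.0 VIP or a proper SLB instead.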
https
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/09/11 01:34:05
  • Status: offline
Re: VIP - Redirect NTP traffic 2021/05/04 07:41:10 (permalink)
0
In a perfect world (in other integrations :D) it is done by a one2one VIP for each service.
In this case I had to do this trick.
0.0.0.0/0 didn't work. I had to use elimination.
Thank you, Ken.
#3