This article describes how to configure hairpin NAT depending on where the external IP address lives. If the external IP belongs to the FortiGate (it is the IP address of the external interface), a different set of firewall policies is required than when the external IP is only taken from the range but is not configured directly on any FortiGate interface.

In all examples, traffic flows like this: Client -> external IP -> FortiGate -> internal IP -> Server.

Example 1: the external IP is the same as the external interface address and uses VIP1 from the diagram. In this example it does not matter whether extintf is any or wan. In both scenarios (extintf any or WAN), two firewall policies are needed: one to allow access from LAN to WAN, and a second policy from WAN to DMZ.

Example 2: the external IP address is from the same subnet as the external interface but does not belong to the FortiGate directly. There are two options for extintf: any or a specific interface.

Option 1, extintf any: there will be just one firewall policy, from LAN to DMZ, with VIP2 as the destination address. If a srcintf-filter is configured on VIP2, the LAN port must be a member of that filter; in that case the same single firewall policy is enough. If LAN is not a member of the filter and only WAN is, the hairpin will not work, even if the firewall policies are corrected the way they would be when srcintf is wan directly (the next option).

Option 2, WAN as the external interface: the same set of firewall policies as in Example 1 is needed, one to allow access from LAN to WAN and a second policy from WAN to DMZ. Depending on the configuration, in the debug flow it may look as if the traffic is coming from WAN after it has come from LAN. The debug flow captured for this article is for the Example 2, option 2 scenario. In all examples, hairpin traffic never leaves the FortiGate.
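The following FortiOS CLI fragment is an added example, not configuration from the original article, and shows the two Example 2 options side by side. The interface names (lan, wan, dmz), the VIP name VIP2, the policy IDs and every IP address are assumptions chosen for illustration: 203.0.113.0/24 is taken as the external subnet on wan, 203.0.113.20 as the spare external address used by VIP2, and 10.10.10.20 as the DMZ server. Apply only one of the two options on a real unit, since both define the same VIP.

```fortios
# Added example, not the article's own configuration. All names and
# addresses below are assumptions for illustration.

# --- Option 1: extintf any; LAN reaches the server through one policy ---
config firewall vip
    edit "VIP2"
        set extintf "any"
        set extip 203.0.113.20
        set mappedip "10.10.10.20"
        # Optional source-interface filter. If it is used, lan must be a
        # member, otherwise the hairpin from LAN never matches the VIP.
        set srcintf-filter "wan" "lan"
    next
end

config firewall policy
    edit 10
        set name "lan-to-dmz-via-VIP2"
        set srcintf "lan"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP2"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# --- Option 2: extintf wan; the same two policies as in Example 1 ---
config firewall vip
    edit "VIP2"
        set extintf "wan"
        set extip 203.0.113.20
        set mappedip "10.10.10.20"
    next
end

config firewall policy
    edit 20
        set name "lan-to-wan"
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # Source NAT here is the usual outbound setting (an assumption,
        # not something the article prescribes).
        set nat enable
    next
    edit 21
        set name "wan-to-dmz-via-VIP2"
        set srcintf "wan"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP2"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

To confirm which option is actually matching, filter the debug flow on the VIP address (`diagnose debug flow filter addr 203.0.113.20`, then `diagnose debug enable` and `diagnose debug flow trace start 10`) while a LAN client connects to the external IP. With option 1 the trace should show the session allowed by policy 10 straight from lan to dmz; with option 2 it will pass policy 20 and then policy 21, which is the "coming from WAN after coming from LAN" appearance the article mentions. In both cases the packets never leave the unit, so a drop with no matching policy in the trace usually means the srcintf-filter or the missing LAN-to-WAN policy is the cause.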