Solved

Dual Wan Fortgate setup for SBS 2008

Posted on 2011-09-12
6
1,327 Views
Last Modified: 2012-06-27
Can anyone share a working setup for a Fortigate (60C-80C)  (FortiOS 4 MR2) for an SBS 2008 server.
Especially to make the firewall accept SMTP traffic (25) on both Wan Interfaces?
When using only one Wan you can use a VIP (Virtual IP) to forward all traffic on port 25 to the server but you can do this only once per port.
There is an example on Fortigates knowledge base but this assumes a seperate SMTP server in the DMZ.
Can it be done without the DMZ? Any examples?

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31240&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=23603459&stateId=0%200%2023605076

I have made all the ISP side changes with 2x diffrently weighted MX (and corresponding A records) pointing at the correct Permanent IP addresses on Wan1 and Wan2?

Any suggestions would be appreciated.

Olaf
0
Comment
Question by:Olaf De Ceuster
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 4

Expert Comment

by:iworks-uworks
ID: 36530590
In the VIP rule you must specify the external WAN IP for each rule:

NAME: SMTP_WAN1
Internaface: WAN1
External IP: x.x.x.x
Internal IP: 192.168.0.2
Port: 25 ->25

NAME: SMTP_WAN2
Internaface: WAN2
External IP: y.y.y.y
Internal IP: 192.168.0.2
Port: 25 ->25

Let me know if you have any problems with that.
0
 
LVL 22

Author Comment

by:Olaf De Ceuster
ID: 36532783
Thank you iworks,

Tried that already.
Seems the fortigate only lets me make one VIP per port.
Wan1 with forward 25-25 no problem
Wan2 : Duplicate entry found.
Olaf
0
 
LVL 4

Accepted Solution

by:
iworks-uworks earned 500 total points
ID: 36533144
Olafdc,
Please refer to the picture I've attached. You need to make sure you specify the EXTERNAL IP address for both VIPs. Don't leave it at 0.0.0.0, put in the actual external IP and it should work like the picture I've attached. Carefully review the IP addresses and Ports. DualWan-port25
0
Prevent Ransomware with Total Security Suite

With recent ransomware attacks topping the headlines, it might seem like there'e no hope in the battle against these advanced threats. Learn more about how WatchGuard's Total Security Suite can effectively prevent ransomware attacks including Petya 2.0 and WannaCry!

 
LVL 22

Author Comment

by:Olaf De Ceuster
ID: 36534019
Already been down that path. No Go...duplicate entry.
Might update firmware and try again.
Will let you know.
Thank you heaps so far.
Olaf
0
 
LVL 4

Expert Comment

by:iworks-uworks
ID: 36534027
What firmware are using on what box? Can you post a screen shot of your first VIP with the external IP blurred or changed and also what you have entered for the 2nd rule before you hit OK and get the error message?
0
 
LVL 22

Author Comment

by:Olaf De Ceuster
ID: 36534312
Update to: v4.0,build5840,110715 (MR2) did the trick.
Two instances on port 25 allowed. Yeeaah.
Was starting to doubt myself.
Thanks heaps for your help.
Olaf
0

Featured Post

Are Your IoT Devices Out to Get You?

IoT business is booming, with manufacturers connecting any and every “thing” to the Internet. But as pressure grows to release new products faster and faster, we’re all left to wonder: is security a priority? Join our webinar on June 29th for the answer.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure.  Hosting a SAAS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound…
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question