Solved

Configuring Fortigate 100D with 2 public ip and 2 internal servers (mail and web server)

Posted on 2016-09-21
Last Modified: 2016-10-12
Hi everybody,
I would like your help in configuring Fortigate 100D.
 
My initial configuration was like this.
I put one public IP address (I have more IP addresses) on my FortiGate 100D wan1. Created VIPs with port forwarding.
 
Server-1: running Exchange Server 2013 with virtual directories (HTTPS), so I will need ports 25 and 443 to be used on it. The email works, as does OWA when accessed externally.
Server-2: will be running a web server, so port 80 and port 443 will also be used.
But when I tried to create a VIP for 443 again it FAILED; it said you already created one, which is for the mail server.
 
So I thought, since I have another WAN port, wan2, I can use the other public IP for wan2. So my current configuration is like this:
 
Wan1 will be used only for incoming mail traffic (ports 24 and 443)
Wan2 will be used only for incoming web traffic (ports 80 and 443)
 
x.x.x.x - public ip
y.y.y.y - private ip
 
Wan1: x.x.x.84
Wan2: x.x.x.83
 
Created 2 VIPs for mail and 2 VIPs for web
mail:
x.x.x.84 --> y.y.y.11  port: 25 (mail server)
x.x.x.84 --> y.y.y.11  port:443 (mail server)
 
web:
x.x.x.83 --> y.y.y.12  port: 80 (web server)
x.x.x.83 --> y.y.y.12  port:443 (web server)
 
I put these in 2 different VIPs groups: Mail traffic and web traffic
 
Created 2 policies:
Mail:
incoming interface : wan1
source address: all
outgoing interface: LAN
destination address: Mail traffic (VIP)
Schedule: always
services: Https, Smtp
Action: accept
NAT NOT ENABLED
 
Web:
incoming interface : wan2
source address: all
outgoing interface: LAN
destination address: web traffic (VIP)
Schedule: always
services: Https, http
Action: accept
NAT NOT ENABLED
 
There is another policy for internal users to surf the internet:
 
internet:
incoming interface : LAN
source address: all
outgoing interface: wan1
destination address: all
Schedule: always
services: all
Action: accept
NAT ENABLED: Use Outgoing Interface Address
 
And finally static route: 0.0.0.0/0.0.0.0, wan1, gateway x.x.x.x
 
My questions are:
 
1. Does this configuration work when someone surfs to the company's website or sends mail to us? I mean when using our website do they get x.x.x.83 --> y.y.y.12, and the same for mail x.x.x.84 --> y.y.y.11? Do I need to do something else?
 
2. I have read that the public IP used for the incoming mail must also be used for outbound mail: (The SMTP server, when initiating traffic towards the Internet, must use the same source IP address).
http://kb.fortinet.com/kb/viewContent.do?externalId=FD31240 
 
Then what should I do? Use policy routes or an IP pool? How should I configure it?
 
3. For me it doesn't matter if LAN users use wan1 or wan2 to surf the internet, but does it matter which port should be used?
 
I appreciate any help. Please advise. :)
 
Thank you.
0
Question by:Kadoian Arman
 
LVL 3

Expert Comment

by:Etienne Lau
ID: 41809721
You don't want to use multiple WAN interfaces for this. What is your current WAN1 config? For example is it set as 12.184.217.226/28 ? This would mean your WAN1 default gateway should be 12.184.217.225. With this config, you would create VIP1 as: 12.184.217.227----->192.168.1.10, VIP2: 12.184.217.228-----> 192.168.1.12

0.0.0.0/0 ----> 12.184.217.225
0
 

Author Comment

by:Kadoian Arman
ID: 41810185
Hello Etienne,

Thank you for helping me.

I want to use multiple WANs, because with one WAN I cannot create 2 VIPs with the same port forwarding (443) to different internal services. I can use only one WAN public IP on one interface. So my current config:

Mail
x.x.x.84 --> y.y.y.11  port: 25 (mail server)
x.x.x.84 --> y.y.y.11  port:443 (mail server)
 
web:
x.x.x.83 --> y.y.y.12  port: 80 (web server)
x.x.x.83 --> y.y.y.12  port:443 (web server)

Initially I wanted it like this:

Mail
x.x.x.84 --> y.y.y.11  port: 25 (mail server)
x.x.x.84 --> y.y.y.11  port:443 (mail server)
 
web:
x.x.x.84 --> y.y.y.12  port: 80 (web server)
x.x.x.84 --> y.y.y.12  port:443 (web server) but this entry is refused by the FortiGate.

Because I think the FortiGate doesn't know which internal server it should forward to, since they are using the same port 443: the web server or the mail server.

 (With this config, you would create VIP1 as: 12.184.217.227----->192.168.1.10, VIP2: 12.184.217.228-----> 192.168.1.12)

This is what I did as I wrote above, but I have to use 2 WANs, one public IP on each FortiGate interface (wan1 and wan2).
0
 
LVL 3

Expert Comment

by:Etienne Lau
ID: 41811872
That will not work, i.e. using 2 WAN interfaces. If you configure proper VIPs it will work just fine; the fact that you have 2 internal servers using the same port 443 will not matter:

Mail:
x.x.x.84--->y.y.y.11 port:25 (mail server)
x.x.x.84--->y.y.y.11 port: 443 (mail server)

Web:
x.x.x.85---->y.y.y.12 port:80 (web server)
x.x.x.85---->y.y.y.12 port:443 (web server)

Note that .85 is being used for the web server and not .84; if you use .84 for both port 443 entries then yes, the entry is refused by the FortiGate.
0

 
LVL 3

Expert Comment

by:Etienne Lau
ID: 41811876
Quoting you: "I can use only one wan public ip on one interface." What subnet mask are you using on your WAN interface? Depending on your ISP, and what subnet they gave you, you can assign as many public IP addresses as you want.

For example: 12.184.217.226/28 means you can have 14 devices on the WAN side. 12.184.217.225 is your WAN1 default gateway, 12.184.217.226 is your WAN1 IP address, 12.184.217.227 is your next device (mail server), 12.184.217.228 (web server).
0
 

Author Comment

by:Kadoian Arman
ID: 41812035
Hi Etienne,

We have a /29 subnet, so we can use 6 addresses, from x.x.x.82 to x.x.x.87, with x.x.x.81 as gateway.
The thing is I didn't know that I can add a secondary IP address on the same interface in FortiGate.
Now I added one, then I created the VIPs accordingly.

But there is one issue: when the mail server initiates it must use the same IP address as incoming mail from outside, and in this case it will be x.x.x.84.
So as I understand it I should use an IP pool so that traffic generated from the internal mail server with private IP address y.y.y.11, when it comes to the outside interface, uses x.x.x.84.

There is an old guide for that, but I'm not sure. I hope you or someone else can verify that configuration.
http://kb.fortinet.com/kb/documentLink.do?externalID=11969
0
 
LVL 3

Accepted Solution

by:
Etienne Lau earned 500 total points (awarded by participants)
ID: 41812288
Yes, that KB article you found is the correct guide on how to do what you want so that your email server comes out on x.x.x.84.
1
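A worked FortiOS CLI configuration, added here as an illustration (it is not from this thread, from Fortinet's KB articles, or from the poster's device), that puts together the two pieces of advice above: the secondary IP on wan1 from comment ID 41811876, so both public addresses live on one interface and the same external port can be forwarded twice, and the IP pool confirmed in the accepted solution, so the mail server's outbound SMTP leaves from the same x.x.x.84 the MX record points at. It uses the thread's placeholders (x.x.x.84/.83 public, y.y.y.11/.12 private, the /29 with x.x.x.81 as gateway) and assumes FortiOS 5.x syntax, that the LAN-side interface is named "internal", and the object names "mail-server", "vip-*" and "pool-mail-out", all of which are made up for the example.

```fortios
# Secondary public IP on wan1: .84 is the primary, .83 is added as secondary
# on the same /29, so no second WAN interface or second gateway is needed.
config system interface
    edit "wan1"
        set ip x.x.x.84 255.255.255.248
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip x.x.x.83 255.255.255.248
            next
        end
    next
end

# Four VIPs. Port 443 appears twice, which is accepted because the
# external IP differs (.84 for mail, .83 for web).
config firewall vip
    edit "vip-mail-smtp"
        set extintf "wan1"
        set extip x.x.x.84
        set mappedip "y.y.y.11"
        set portforward enable
        set extport 25
        set mappedport 25
    next
    edit "vip-mail-https"
        set extintf "wan1"
        set extip x.x.x.84
        set mappedip "y.y.y.11"
        set portforward enable
        set extport 443
        set mappedport 443
    next
    edit "vip-web-http"
        set extintf "wan1"
        set extip x.x.x.83
        set mappedip "y.y.y.12"
        set portforward enable
        set extport 80
        set mappedport 80
    next
    edit "vip-web-https"
        set extintf "wan1"
        set extip x.x.x.83
        set mappedip "y.y.y.12"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

# Address object for the mail server (assumed name), used to limit the
# outbound SMTP policy to that one host.
config firewall address
    edit "mail-server"
        set subnet y.y.y.11 255.255.255.255
    next
end

# IP pool containing only x.x.x.84; policies that reference it source-NAT
# to that address instead of the interface's primary IP.
config firewall ippool
    edit "pool-mail-out"
        set startip x.x.x.84
        set endip x.x.x.84
    next
end

config firewall policy
    # Inbound to the VIPs: no NAT on these, the VIP does the translation.
    edit 0
        set name "in-mail"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-mail-smtp" "vip-mail-https"
        set action accept
        set schedule "always"
        set service "SMTP" "HTTPS"
    next
    edit 0
        set name "in-web"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-web-http" "vip-web-https"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
    # Outbound SMTP from the mail server only, NATed through the pool.
    edit 0
        set name "out-mail-smtp"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "mail-server"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
        set ippool enable
        set poolname "pool-mail-out"
    next
end
```

Two points for anyone applying this: FortiGate evaluates policies top-down and stops at the first match, so "out-mail-smtp" must sit above the general LAN-to-wan1 internet policy the original post already has (otherwise the mail server's SMTP would match that policy first and leave from the primary interface address); and scoping the pool policy to the single "mail-server" address and the SMTP service means only that host can ever originate mail from x.x.x.84, which keeps any other internal machine from sending on the reputation of that address.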
 

Author Comment

by:Kadoian Arman
ID: 41812392
Dear Etienne,

Thank you for confirming the ip pool solution. I have one final Q, you said that "That will not work, ie using 2 WAN interfaces."

Why would 2 WAN interfaces with 2 different public IP addresses not work?
0
 
LVL 3

Expert Comment

by:Etienne Lau
ID: 41812411
Kadoian,

2 WAN interfaces in use is primarily for WAN redundancy, i.e. you have 2 different ISPs and therefore have 2 different subnets being assigned to your WAN interfaces. Each interface would need its own default gateway (next hop). For example:

WAN 1: 12.184.217.225/28 (ISP #1)
WAN 2: 55.28.225/28 (ISP #2)

This concept opens up the idea of WAN load balancing, WAN failover, etc......
1
 
LVL 3

Expert Comment

by:Etienne Lau
ID: 41812444
Take a look at this: Using two ISP for Redundancy PDF

Dual WAN with Policy based Routing: Dual WAN Design

Dual WAN Static and Policy Routes: Dual WAN static route and policy routes
1
 
LVL 45

Expert Comment

by:Craig Beck
ID: 41812568
Check out port-forwarding in the cookbook...

http://cookbook.fortinet.com/port-forwarding/
0
 
LVL 3

Expert Comment

by:Etienne Lau
ID: 41839753
It does what the requester wants
0
