Solved

Configuring Fortigate 100D with 2 public ip and 2 internal servers (mail and web server)

Posted on 2016-09-21
Last Modified: 2016-10-12
Hi everybody,
I would like your help in configuring Fortigate 100D.
 
My initial configuration was like this.
I put one public IP address (I have more IP addresses) on my Fortigate 100D wan1 and created VIPs with port forwarding.
 
Server-1: running Exchange Server 2013 with virtual directories (HTTPS), so I will need ports 25 and 443 to be used on it. The email works, as does OWA when accessed externally.
Server-2: will be running a web server, so port 80 and port 443 will also be used.
But when I tried to create a VIP for 443 again, it FAILED; it said you have already created one, which is the one for the mail server.
 
So I thought since I have another wan port, wan2. I can use the other public ip for wan2. So my current configuration is like this:
 
Wan1 will be used only for incoming mail traffic (ports 24 and 443)
Wan2 will be used only for incoming web traffic (ports 80 and 443)
 
x.x.x.x - public ip
y.y.y.y - private ip
 
Wan1: x.x.x.84
Wan2: x.x.x.83
 
created 2 VIPs for mail and 2 VIPs for web
mail:
x.x.x.84 --> y.y.y.11  port: 25 (mail server)
x.x.x.84 --> y.y.y.11  port:443 (mail server)
 
web:
x.x.x.83 --> y.y.y.12  port: 80 (web server)
x.x.x.83 --> y.y.y.12  port:443 (web server)
 
I put these in 2 different VIPs groups: Mail traffic and web traffic
 
Created 2 policies:
Mail:
incoming interface : wan1
source address: all
outgoing interface: LAN
destination address: Mail traffic (VIP)
Schedule: always
services: Https, Smtp
Action: accept
NAT NOT ENABLED
 
Web:
incoming interface : wan2
source address: all
outgoing interface: LAN
destination address: web traffic (VIP)
Schedule: always
services: Https, http
Action: accept
NAT NOT ENABLED
 
There is another policy for internal users to surf the internet:
 
internet:
incoming interface : LAN
source address: all
outgoing interface: wan1
destination address: all
Schedule: always
services: all
Action: accept
NAT ENABLED: Use Outgoing Interface Address
 
And finally static route: 0.0.0.0/0.0.0.0, wan1, gateway x.x.x.x
 
My questions are:
 
1. Does this configuration work when someone surfs to the company's website or sends mail to us? I mean, when using our website, do they get x.x.x.83 --> y.y.y.12, and the same for the mail, x.x.x.84 --> y.y.y.11? Do I need to do something else?
 
2. I have read that the public IP used for the incoming mail must also be used for outbound mail: (The SMTP server, when initiating traffic towards the Internet, must use the same source IP address).
http://kb.fortinet.com/kb/viewContent.do?externalId=FD31240
 
Then what should I do? use policy routes or ip pool? How should I configure it?
 
3. For me it doesn't matter if LAN users use wan1 or wan2 to surf the internet, but does it matter which port should be used?
 
I appreciate any help. Please advise. :)
 
Thank you.
Question by:Kadoian Arman
 

Expert Comment

by:Etienne Lau
ID: 41809721
You don't want to use multiple WAN interfaces for this. What is your current WAN1 config? For example, is it set as 12.184.217.226/28? This would mean your WAN1 default gateway should be 12.184.217.225. With this config, you would create VIP1 as: 12.184.217.227----->192.168.1.10, VIP2: 12.184.217.228-----> 192.168.1.12

0.0.0.0/0 ----> 12.184.217.225
 

Author Comment

by:Kadoian Arman
ID: 41810185
Hello Etienne,

Thank you for helping me.

I want to use multiple WANs, because with one WAN I cannot create 2 VIPs with the same port forwarding (443) to different internal services. I can use only one WAN public IP on one interface. So my current config:

Mail
x.x.x.84 --> y.y.y.11  port: 25 (mail server)
x.x.x.84 --> y.y.y.11  port:443 (mail server)
 
web:
x.x.x.83 --> y.y.y.12  port: 80 (web server)
x.x.x.83 --> y.y.y.12  port:443 (web server)

Initially I wanted to like this:

Mail
x.x.x.84 --> y.y.y.11  port: 25 (mail server)
x.x.x.84 --> y.y.y.11  port:443 (mail server)
 
web:
x.x.x.84 --> y.y.y.12  port: 80 (web server)
x.x.x.84 --> y.y.y.12  port:443 (web server) but this entry is refused by Fortigate,

because I think the Fortigate doesn't know to which internal server it should forward, since they are using the same port 443: the web server or the mail server.

 (With this config, you would create VIP1 as: 12.184.217.227----->192.168.1.10, VIP2: 12.184.217.228-----> 192.168.1.12)

This is what I did, as I wrote above, but I have to use 2 WANs, one public IP on each Fortigate interface (wan1 and wan2).
 

Expert Comment

by:Etienne Lau
ID: 41811872
That will not work, ie using 2 WAN interfaces. If you configure proper VIPs it will work just fine, the fact that you have 2 internal servers using same port 443 will not matter:

Mail:
x.x.x.84--->y.y.y.11 port:25 (mail server)
x.x.x.84--->y.y.y.11 port: 443 (mail server)

Web:
x.x.x.85---->y.y.y.12 port:80 (web server)
x.x.x.85---->y.y.y.12 port:443 (web server)

Note the .85 is being used for the Web Server and not .84, if you use .84 for both port 443 then yes, the entry is refused by fortigate.
 

Expert Comment

by:Etienne Lau
ID: 41811876
Quoting you: "I can use only one wan public ip on one interface." What subnet mask are you using on your WAN interface? Depending on your ISP, and what subnet they gave you, you can assign as many public IP addresses as you want.

For example: 12.184.217.226/28 means you can have 14 devices on the WAN side. 12.184.217.225 is your WAN1 default gateway, 12.184.217.226 is your WAN1 IP address, 12.184.217.227 is your next device (mail server), 12.184.217.228 (web server).
 

Author Comment

by:Kadoian Arman
ID: 41812035
Hi Etienne,

We have a /29 subnet, so we can use 6 addresses, from x.x.x.82-x.x.x.87, with x.x.x.81 as gateway.
The thing is I didn't know that I can add a secondary ip address  on the same interface in fortigate.
Now I added one then I created VIP accordingly.

But there is one issue that when the mail server initiates it must use the same ip address as incoming mail from outside and in this case it will be x.x.x.84.
So as I understand it I should use ip pool so that traffic generated from the internal mail server with private ip address y.y.y.11 and when it comes to the outside interface it should use x.x.x.84.

There is an old guide for that, but I'm not sure. I hope you or someone else can verify that configuration.
http://kb.fortinet.com/kb/documentLink.do?externalID=11969
 

Accepted Solution

by:
Etienne Lau earned 500 total points (awarded by participants)
ID: 41812288
Yes, that KB article you found is the correct guide on how to do what you want so that your email server comes out on x.x.x.84.
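The design the accepted answer settles on (both public addresses on wan1, VIPs per address, and an IP pool so outbound SMTP leaves from the mail address), written out as FortiOS CLI. This is an added example, not configuration from the thread, from Fortinet's KB article, or from the asker's firewall. It assumes RFC 5737 documentation addresses in place of x.x.x.* / y.y.y.*, that the LAN interface is named "lan", and that an address object "host-mailserver" for the mail server already exists; the mail VIPs for 25 and 443 on .84 follow the same pattern as the web VIP shown.

```fortios
# Added example (not from the thread). Constructed addresses: ISP block 203.0.113.80/29,
# gateway .81, wan1 primary .84 (mail), secondary .83 (web); mail server 192.168.10.11,
# web server 192.168.10.12. "lan" and "host-mailserver" are assumed names.
# 1. Second public address as a secondary IP on wan1, so no second WAN port is needed.
config system interface
    edit "wan1"
        set ip 203.0.113.84 255.255.255.248
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 203.0.113.83 255.255.255.248
            next
        end
    next
end
# 2. Web VIP on the secondary address. A second 443 VIP is accepted because its
#    extip differs from the mail VIP's (.84); two VIPs with the same extip and
#    extport are what Fortigate refuses.
config firewall vip
    edit "vip-web-https"
        set extip 203.0.113.83
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.10.12"
        set extport 443
        set mappedport 443
    next
end
# 3. Single-address IP pool so mail the server initiates is sourced from .84,
#    matching the inbound SMTP VIP (the requirement in KB FD31240).
config firewall ippool
    edit "pool-mail-out"
        set type overload
        set startip 203.0.113.84
        set endip 203.0.113.84
    next
end
# 4. Outbound policy for the mail server only. Place it above the general
#    lan -> wan1 internet policy, which otherwise matches first and NATs to .84's
#    interface address instead of the pool.
config firewall policy
    edit 0
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "host-mailserver"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
        set ippool enable
        set poolname "pool-mail-out"
    next
end
```

To verify after applying, send a test message from the mail server and check the remote side's Received header (or `diagnose sniffer packet wan1 'port 25'`) shows 203.0.113.84 as the source.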
 

Author Comment

by:Kadoian Arman
ID: 41812392
Dear Etienne,

Thank you for confirming the ip pool solution. I have one final Q, you said that "That will not work, ie using 2 WAN interfaces."

Why would 2 WAN interfaces with 2 different public IP addresses not work?
 

Expert Comment

by:Etienne Lau
ID: 41812411
Kadoian,

Using 2 WAN interfaces is primarily for WAN redundancy, i.e. you have 2 different ISPs and therefore 2 different subnets assigned to your WAN interfaces. Each interface would need its own default gateway (next hop). For example:

WAN 1: 12.184.217.225/28 (ISP #1)
WAN 2: 55.28.225/28 (ISP #2)

This concept opens up the idea of WAN load balancing, WAN failover, etc......
 

Expert Comment

by:Etienne Lau
ID: 41812444
Take a look at this: Using two ISP for Redundancy PDF

Dual WAN with Policy based Routing: Dual WAN Design

Dual WAN Static and Policy Routes: Dual WAN static route and policy routes
 

Expert Comment

by:Craig Beck
ID: 41812568
Check out port-forwarding in the cookbook...

http://cookbook.fortinet.com/port-forwarding/
 

Expert Comment

by:Etienne Lau
ID: 41839753
It does what the requester wants.
