Hair-pinning (NAT loopback) is the technique by which a machine on the LAN reaches another machine on the same LAN via the external (public) address.
Traffic leaves the LAN interface towards the Internet and then comes back in on the same interface, connecting to its external IP. The FortiGate then forwards the traffic through a virtual IP to the local destination.
In this example, a Windows machine on the LAN network hosts a web server. From other LAN machines it can only be reached by its internal IP; trying to reach the web server by its public IP from a machine on the local network fails.
Create a Virtual IP that maps the public IP to the local IP of the web server:
Policy & Objects - Create New - Virtual IP
External IP range: public IP
Mapped address range: web server local IP
Enable port forwarding
External service port: port on which the traffic arrives at the public IP
Map to port: port on the internal address to which the traffic is forwarded
In this case, traffic arriving at the public IP on port 80 is forwarded to the same port on the internal address.
Creating the IPv4 policy:
Incoming and outgoing interface: LAN interface
Source: all
Destination: the virtual IP created in the previous step
NAT disabled
Now, from machines on the LAN, the web site should be accessible using the public IP.
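The same VIP and hairpin policy expressed as FortiOS CLI, as an added example rather than the post's own configuration. The public IP 203.0.113.10, the server IP 192.168.1.20, the interface name "internal" and the object names are constructed placeholders; the policy also carries the "set match-vip enable" line that GUI-created policies lack, and narrows the service to HTTP, which the post leaves unspecified.

```text
# Virtual IP: public IP port 80 -> web server port 80 (constructed values)
config firewall vip
    edit "VIP-WEB-80"
        set extip 203.0.113.10
        set extintf "any"          # "any" so the VIP matches on the LAN side too
        set portforward enable
        set mappedip "192.168.1.20"
        set extport 80
        set mappedport 80
    next
end

# Hairpin policy: LAN to LAN, destination is the VIP, no source NAT
config firewall policy
    edit 0
        set name "LAN-to-WEB-hairpin"
        set srcintf "internal"     # same interface in and out
        set dstintf "internal"
        set srcaddr "all"          # tighter: the LAN subnet address object
        set dstaddr "VIP-WEB-80"
        set action accept
        set schedule "always"
        set service "HTTP"         # only the forwarded port, not ALL
        set match-vip enable       # CLI-only; required for the VIP to match here
        set nat disable
    next
end
```

After applying it, "diagnose sniffer packet internal 'host 203.0.113.10'" on the FortiGate shows the LAN client's request hitting the public IP and the reply coming back from the mapped address.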
Hello,
If I am correct, you are missing “set match-vip enable” command in the HAIRPIN policy. This can be configured via CLI only.
Good spot Jaro, thank you!
Hi, I have a webserver on a DMZ interface (with a different subnet, obviously) but this still doesn’t work. My setup is the same as yours, but in my policy, my outgoing interface is my DMZ VLAN port, since the server is not on my local lan. I still can’t hit said server… Any suggestions?
Hello RBotha,
Could you please post all related configuration in this thread? VIP object configuration + policy.
Thank you.
Jaro