This article describes how the virtual IP affects outbound traffic.
A virtual IP (VIP) is configured to allow incoming traffic to an internal server, but it also influences outbound traffic from that server: when the server initiates a connection, FortiGate uses the matching VIP's external IP as the source NAT address. If the VIPs are not configured properly, this causes outbound traffic failure.
If port1 is the primary external interface and a VIP whose external IP is in the port2 subnet is listed above a VIP whose external IP is in the port1 subnet (both with extintf set to any), outbound connections from the mapped server fail.
Consider the below scenario:
There are two external interfaces:
- port1: 10.9.10.188/20
- port2: 10.0.0.1/24
Two VIPs are configured for the same internal server, with the port2 VIP listed first:
config firewall vip
    edit "VIP-Port2"
        set uuid 72b1a3ea-55f2-51ef-01d3-240d9bfdfb4b
        set extip 10.0.0.3            <- port2 subnet
        set mappedip "192.168.86.3"
        set extintf "any"
    next
    edit "VIP-port1"
        set uuid 98c2d612-55f2-51ef-08ef-a52a641f52e1
        set extip 10.9.10.189         <- port1 subnet
        set mappedip "192.168.86.3"
        set extintf "any"
    next
end
port1 is the primary external interface (its default route carries the lower priority value, 1 versus 10 for port2):
FGVM01TM23000541 # get router info routing-table all
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.9.15.254, port1, [1/0]
                  [10/0] via 10.0.0.2, port2, [10/0]
The LAN is behind port3. The test PC's IP address is 192.168.86.3.
Outbound traffic from the test PC is source NATed to the port2 VIP address (10.0.0.3) but is sent out port1, so the connection fails:
FGVM01TM23000541 # di sniffer packet any 'host 9.9.9.9 and icmp' 4
Using Original Sniffing Mode
interfaces=[any]
filters=[host 9.9.9.9 and icmp]
12.895468 port3 in 192.168.86.3 -> 9.9.9.9: icmp: echo request
12.895565 port1 out 10.0.0.3 -> 9.9.9.9: icmp: echo request
Flow trace:
FGVM01TM23000541 #
id=65308 trace_id=25 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 192.168.86.3:1->9.9.9.9:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=45."
id=65308 trace_id=25 func=init_ip_session_common line=6080 msg="allocate a new session-05a2b478, tun_id=0.0.0.0"
id=65308 trace_id=25 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-10.9.15.254 via port1"
id=65308 trace_id=25 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=43, len=2"
id=65308 trace_id=25 func=get_new_addr line=1213 msg="find SNAT: IP-10.9.10.188(from IPPOOL), port-60418"
id=65308 trace_id=25 func=get_new_addr line=1213 msg="find DNAT: IP-10.0.0.3, port-0(fixed port)"
id=65308 trace_id=25 func=fw_forward_handler line=989 msg="Allowed by Policy-1: SNAT"
Policy-1 allows traffic from port3 to port1. Its source NAT setting is 'Use Outgoing Interface Address', which is 10.9.10.188; this is the address the trace first reports in "find SNAT: IP-10.9.10.188".
FortiGate then searches the VIP list from top to bottom and matches the first VIP whose mapped IP is the server 192.168.86.3. In this scenario that is the VIP on port2, so the source NAT is overridden to the port2 VIP address 10.0.0.3 (the "find DNAT: IP-10.0.0.3" line in the trace), while the packet is still routed out port1. The ISP on port1 drops the traffic because its source address 10.0.0.3 does not belong to the port1 subnet.
Scope
FortiOS v7.2 and above.
Solution
There are two solutions for this scenario:
Solution 1: Change extintf of the VIP on port2 from any to port2, so it is only considered for traffic that enters or leaves through port2. Keep the VIP on port1 as it is, or change its extintf to port1 as well.
config firewall vip
    edit "VIP-Port2"
        set uuid 72b1a3ea-55f2-51ef-01d3-240d9bfdfb4b
        set extip 10.0.0.3
        set mappedip "192.168.86.3"
        set extintf "port2"
    next
    edit "VIP-port1"
        set uuid 98c2d612-55f2-51ef-08ef-a52a641f52e1
        set extip 10.9.10.189
        set mappedip "192.168.86.3"
        set extintf "any"
    next
end
Solution 2: Move the VIP on port1 above the VIP on port2, so that it is matched first while port1 is the primary external interface.
config firewall vip
    edit "VIP-port1"
        set uuid 98c2d612-55f2-51ef-08ef-a52a641f52e1
        set extip 10.9.10.189
        set mappedip "192.168.86.3"
        set extintf "any"
    next
    edit "VIP-Port2"
        set uuid 72b1a3ea-55f2-51ef-01d3-240d9bfdfb4b
        set extip 10.0.0.3
        set mappedip "192.168.86.3"
        set extintf "any"
    next
end
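The VIP selection rule described above (first VIP in table order that maps the server, restricted by extintf) and the effect of both solutions can be checked with the following model. It is an added example, not FortiOS code or Fortinet's own tooling: it encodes only the rule the article states, using the article's interfaces, subnets and VIP tables. The ISP check (a packet is delivered only if its source lies within the egress interface's subnet) is an assumption standing in for the upstream drop the article observes.

```python
"""Model of how FortiGate picks the source NAT address for outbound traffic
from a server that is the mapped IP of one or more VIPs.

Added illustration, not FortiOS code. It implements the rule the article
states: the VIP table is searched top to bottom and the first VIP whose
mappedip is the packet's source, and whose extintf is "any" or equals the
egress interface, replaces the policy's SNAT address with its extip.
Interface subnets, VIP names/addresses and the policy SNAT choice come from
the article; the ISP check is an assumption (source must lie in the egress
interface's subnet).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Vip:
    name: str
    extip: str
    mappedip: str
    extintf: str          # "any" or an interface name


# External interfaces and their subnets (from the article).
INTERFACES = {
    "port1": ip_network("10.9.10.188/20", strict=False),
    "port2": ip_network("10.0.0.1/24", strict=False),
}
# Policy SNAT = "Use Outgoing Interface Address" for each egress interface.
POLICY_SNAT = {"port1": "10.9.10.188", "port2": "10.0.0.1"}


def select_snat(vips, src_ip, egress, policy_snat_ip):
    """Return (snat_ip, matched_vip_name) for an outbound packet.

    The first VIP in table order that maps src_ip and applies to the egress
    interface wins and overrides the policy SNAT; if none matches, the policy
    SNAT address is used unchanged.
    """
    for vip in vips:
        if vip.mappedip != src_ip:
            continue
        if vip.extintf not in ("any", egress):
            continue
        return vip.extip, vip.name
    return policy_snat_ip, None


def isp_accepts(egress, snat_ip):
    """Assumed upstream ingress filter: source must belong to the link's subnet."""
    return ip_address(snat_ip) in INTERFACES[egress]


def simulate(vips, src_ip="192.168.86.3", egress="port1"):
    """Outcome for one packet: chosen SNAT, the VIP that set it, and delivery."""
    snat, vip = select_snat(vips, src_ip, egress, POLICY_SNAT[egress])
    return {"snat": snat, "vip": vip, "delivered": isp_accepts(egress, snat)}


# The three VIP tables from the article.
ORIGINAL = [
    Vip("VIP-Port2", "10.0.0.3", "192.168.86.3", "any"),
    Vip("VIP-port1", "10.9.10.189", "192.168.86.3", "any"),
]
SOLUTION_1 = [  # bind the port2 VIP to port2
    Vip("VIP-Port2", "10.0.0.3", "192.168.86.3", "port2"),
    Vip("VIP-port1", "10.9.10.189", "192.168.86.3", "any"),
]
SOLUTION_2 = [  # reorder so the port1 VIP is matched first
    Vip("VIP-port1", "10.9.10.189", "192.168.86.3", "any"),
    Vip("VIP-Port2", "10.0.0.3", "192.168.86.3", "any"),
]

if __name__ == "__main__":
    tables = (("original", ORIGINAL), ("solution 1", SOLUTION_1), ("solution 2", SOLUTION_2))
    for label, table in tables:
        for egress in INTERFACES:
            print(f"{label:10s} egress={egress}: {simulate(table, egress=egress)}")
```

In this model the original table produces SNAT 10.0.0.3 out port1 and the packet is dropped, exactly the sniffer output above, while both solutions produce 10.9.10.189 out port1. The model also shows the difference between the two fixes: with egress port2 (for example after a failover), the reordered table of Solution 2 picks 10.9.10.189 and fails in the mirror-image way, whereas the interface-bound table of Solution 1 picks 10.0.0.3. Binding extintf to the real interface is therefore the fix that holds regardless of which link is primary.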