Virtual IPs
A Virtual IP (VIP) can be used to implement Destination Network Address Translation (DNAT), which maps an external IP address to an IP address. This address does not have to be an individual host; it can also be an address range. The mapping can include all TCP/UDP ports or, if Port Forwarding is enabled, only the configured ports. Because the Central NAT table is disabled by default, the term Virtual IP address or VIP is predominantly used.
You can configure VIPs from FortiExtender Cloud profiles under Interface Settings (see Create profiles).
FortiExtender only supports static NAT, and does not support mapping of an address range or port range.
The external or public IP addresses must be configured on FortiExtender because FortiExtender does not support the ARP-Reply function, which responds to ARP requests for an external address that is not actually configured on FortiExtender.
Configuring DNAT for all protocols and ports on one IP
In the following configuration example, all packets arriving on the FortiExtender with a destination of 10.1.1.1 and port 8081 will depart from the device with a destination of 192.168.200.100 and port 7071.
- From the navigation bar, click Profile and select the profile associated with the FortiExtender you want to configure DNAT for.
- Under Interface Settings, set the Mode to static.
- In the IP field, enter 10.1.1.1.
  When you enter an IP address, all interfaces using this profile will receive the same IP. If you select a network plan instead, interfaces will receive planned IPs that are different for each device. For example, if you set LAN interface IP to 10.1.1.1, every device on the LAN interface will receive an IP of 10.1.1.1. If you select a network plan, each device’s LAN interface will receive a different IP assigned by the network plan.
- Go to the Interface Settings of the interface you want to expose and click + Virtual IP Settings to create a VIP.
- Populate the Virtual IP Settings fields with the following example information:
  IP Mapping: 192.168.200.100
  Protocol: tcp
  Port Forward: On
  Port: 8081
  Port Mapping: 7071
- When you are finished, click Save.
Configuring DNAT for a single port
In the following example, all TCP packets arriving on the FortiExtender with a destination of 10.1.1.1:8080 will depart from the device with a destination of 192.168.200.100:80.
You will need a VPN plan before you begin (see Add VPN plans). FortiExtender Cloud automatically creates a tunnel interface when you add a VPN setting to a Profile. The name of the tunnel interface created by FortiExtender Cloud follows this template: <VPN_name>.phase1.
- From the navigation bar, click Profile and select the profile associated with the FortiExtender you want to configure DNAT for.
- Under Interface Settings, set the Mode to static.
- In the IP field, enter 10.1.1.1.
- Go to the Interface Settings of the interface you want to expose and click + Virtual IP Settings to create a VIP.
- Populate the Virtual IP Settings fields with the following example information:
  IP Mapping: 192.168.200.100
  Protocol: tcp
  Port Forward: On
  Port: 8080
  Port Mapping: 80
- Go to VPN Settings and click + Add VPN.
- Populate the VPN Settings fields with the following example information:
  VPN: Enter a VPN plan ("Example_VPN")
  Outgoing Interface: lte1
  Source Interface: Select the automatically created tunnel interface ("Example_VPN.phase1")
- Go to Firewall Settings, and click + Add Policy.
- Populate the Firewall Settings fields with the following example information:
  Name: Enter a name for the Firewall policy
  Services: Use the default value
  Source Interface: Select the tunnel interface from before ("Example_VPN.phase1")
  Action: Accept
  Destination Interface: lan
  Status: Enable
  Source Addresses: Enter the IP of the client that is trying to connect to machines behind FortiExtender, for example, 172.30.241.10/24
  Nat: Disable
  Dnat: Enable
- When you are finished, click Save.
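A pre-deployment check for the constraints stated at the top of this page, as an added example that is not Fortinet code: it flags a VIP whose external address is not the interface's static IP or whose IP Mapping or ports are ranges, and it reports how many addresses a firewall policy source entry covers. The dict layout and key names (`mode`, `ip`, `ip_mapping`, `port_forward`, `port`, `port_mapping`) are assumptions that mirror the GUI fields, not an export format.

```python
import ipaddress

def _single_host(value):
    """True if value is one IPv4 address, not a range or a prefix."""
    try:
        ipaddress.IPv4Address(str(value))
        return True
    except ValueError:
        return False

def _single_port(value):
    """True if value is one port number (1-65535), not a range."""
    try:
        return 1 <= int(str(value)) <= 65535
    except ValueError:
        return False

def check_vip(interface, vip):
    """Return the problems found in one VIP (dict keys are assumed names)."""
    problems = []
    # FortiExtender sends no ARP replies for addresses it does not hold, so
    # the external address has to be the interface's own static IP.
    if interface.get("mode") != "static" or not _single_host(interface.get("ip")):
        problems.append("external IP is not a static address on the interface")
    # Static NAT only: the mapped address must be one host.
    if not _single_host(vip.get("ip_mapping")):
        problems.append("IP Mapping must be a single address, not a range")
    if vip.get("port_forward") == "On":
        for field in ("port", "port_mapping"):
            if not _single_port(vip.get(field)):
                problems.append(f"{field} must be a single port, not a range")
    return problems

def source_scope(source_address):
    """Number of addresses a policy source entry covers under CIDR rules."""
    return ipaddress.ip_network(source_address, strict=False).num_addresses

# Constructed sample input, taken from the single-port example on this page.
LAN = {"mode": "static", "ip": "10.1.1.1"}
VIP_OK = {"ip_mapping": "192.168.200.100", "protocol": "tcp",
          "port_forward": "On", "port": 8080, "port_mapping": 80}
# Constructed bad input: a range in both the mapped address and the port.
VIP_BAD = {"ip_mapping": "192.168.200.100-192.168.200.110", "protocol": "tcp",
           "port_forward": "On", "port": "8080-8090", "port_mapping": 80}

if __name__ == "__main__":
    print(check_vip(LAN, VIP_OK))
    print(check_vip(LAN, VIP_BAD))
    print(source_scope("172.30.241.10/24"))
```

Under CIDR rules the example source address 172.30.241.10/24 covers the whole /24 rather than one client; the page does not say how FortiExtender interprets the mask.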