I'm using a Fortinet 311B firewall and having an issue understanding why this traffic is being blocked.
There is an access rule and matching NAT statement for an external IP address pointing to an internal web server. External users (via the Internet) can access this website with no problem.
Internal users are using internal DNS, which resolves the same hostname to a private IP address, providing direct access to the website, and this works normally.
Wireless users, connected via FortiAP and coming into the Fortinet on a separate "wireless" interface, have a completely separate subnet and are not allowed any LAN access; Internet only. When they attempt to connect to the website host address, it fails. Since they are Internet only, they are using external DNS and resolving the outside IP address. This outside IP address of the web server is a virtual IP on the Fortinet attached to the External interface, with a 1-to-1 NAT to the internal web server.
I've tried creating ACL entries to allow traffic from the wireless interface to the External interface, and even a "NAT 0" rule for this traffic, but I'm wondering if there is some other security feature at work here, as I know firewalls don't necessarily like this sort of "hairpin" traffic. I've checked the logs and I'm not seeing any of my interesting traffic show up.
Anyone have any ideas?
Best Answer
This is a pretty common problem on a lot of stateful firewalls (SRXs and ScreenOS will do this as well).
The issue is that traffic from your wireless interface/zone will be routed out the Internet Zone/Interface, but not to the NAT.
On the SRX at least, you need to configure the NAT so that it is available on the wireless interface (as if it was another Internet-facing interface) and then the inbound traffic from your wireless interface will be destination NATted before the routing decision is made and then routed to the "LAN" interface.
I would be very surprised if Fortinet didn't require something similar.