Configuring Hair-pinning on a FortiGate

Hair-pinning, also known as NAT loopback, is the technique where a machine accesses another machine on the LAN via an external network. The way it works, is that a packet travel through an internal interface and out towards the Internet. The packet then “hair-pins” back on the same interface, connecting to its external IP. It is then forwarded by the FortiGate through a virtual IP to the intended destination. 

As a convenience, if a VIP is being used simultaneously with hair-pinning, the same address can be used whether you are on the inside or the outside of the firewall. A VIP, also known as port forwarding, is set up to allow external users to access an internal server. The VIP will take traffic sent to a public IP address and forward it to an internal IP address, such as the server’s private IP.  

The following hair-pinning scenario uses the situation where the VIP is associated to “any” interface.

Scenario:

  • A company has a server on its internal LAN at IP address 192.168.1.98/24.
  • The Fully Qualified Domain Name for the website is test1.fortidoc.info, which resolves to 172.20.121.41.
  • SSH is running on the server and it will be used for testing purposes. The server listens for SSH traffic on port 22 but because there are multiple servers using SSH and only a few external IP address; port forwarding will be set up from port 12345.
  • Seeing as words are easier to remember than numbers, most people bookmark this connection rather than try to remember it. To avoid confusion, the IT department has been asked to make sure the same bookmark works whether the user’s computer is connected to the internal LAN or anywhere on the Internet.
  • As a test, the packets will try and connect to the server from an IP on the same subnet, 172.20.121.41.

Follow the recipe below to configure hair-pinning on your FortiGate.

1. Create a VIP

Before creating a policy for the hair-pinning, ensure that there is a policy managing traffic from the external to internal through the VIP.

Go to Policy & Objects > Virtual IPs > Create New > Virtual IP. Enter a name for the VIP in the name box.

Set Interface to any.

Enter the External IP Address/Range and the Mapped IP Address/Range.

Enable Port Forwarding and specify the External Service Port and the Map to Port.

Verifying the situation

In order to propose a solution, there must first be a problem. Let’s verify if there is an issue:

Testing the connection externally

You can try to connect to the external server via the external IP and VIP from a computer on the external side of the firewall.

The connection is successful.

 

Testing the connection internally

You can try to connect to the internal server via the external IP and VIP from a computer on the internal side of the firewall.

The connection is unsuccessful.

2. Create a policy

When creating a policy for hair-pinning, it is important to use the internal interface as the Incoming Interface even though the traffic will be hitting the external interface of the VIP. In this case, the Incoming Interface and Outgoing Interface will be the same interface.

Go to Policy & Objects > IPv4 Policy > Create New. Enter a name for the policy in the name box.

Use the settings displayed in the graphic to create the policy.

Ensure that NAT is disabled.

In the CLI, enable the match-vip setting.

3. Results

Testing the connection internally:

Try to make an SSH connection to the internal server from the internal side of the FortiGate.
Here you can see that the hair-pinning technique was successful.