FortiWAN NAT

NAT

FortiWAN is an edge server that is usually placed on the boundary between WAN and LAN. When a connection is established from a private IP address (in LAN or DMZ) to the internet (WAN), the private IP address must be translated into one of the public IP addresses assigned to the FortiWAN's WAN link. This process is called NAT (Network Address Translation). FortiWAN provides the typical NAT (also called S-NAT, source NAT) for sessions established from the internal area. Once the private source IP address of a session's outgoing packet is translated to a public IP address, the mapping is kept in the translation table, so the inbound traffic of the session (from the public area) can be accepted and forwarded to the internal host that established the session.

With the typical NAT, two-way data transmission between an internal host and an external host is achieved only if the internal host starts the session. An external host is unable to start a session with an internal host via the typical NAT. FortiWAN's 1-to-1 NAT allows two-way transmission between an internal host and an external host not only for sessions started by the internal host but also for sessions started by the external host.

FortiWAN provides a log mechanism for the NAT service; see "Log".

Default Rules

FortiWAN's NAT Default Rules are the NAT rules (and IPv6 NAT rules) generated automatically by the system according to the Network Setting of the WAN links. Once a WAN link is set up (see "Configuring your WAN"), the default rules are generated at the same time, so that FortiWAN automatically performs NAT on packets coming from anywhere (except the subnets in WAN and/or DMZ and the static routing subnets of the WAN link) that are going to be transferred via that WAN link. NAT default rules vary according to how the WAN link is deployed. For example:

WAN link 1: Routing mode with a basic subnet (125.227.251.0/255.255.255.0) in WAN and DMZ, and the IP(s) on localhost are 128.227.251.80 and 128.227.251.81. The system adds the following default rules to WAN link 1:

When = All-Time, Source = 125.227.251.0/255.255.255.0, Destination = Any Address, Service = Any, Translated = No NAT

When = All-Time, Source = Any Address, Destination = Any Address, Service = Any, Translated = 128.227.251.80

WAN link 2: Bridge mode: One Static IP, the IP on localhost is 125.227.250.10. The system adds the following default rules to WAN link 2:

When = All-Time, Source = 125.227.250.10, Destination = Any Address, Service = Any, Translated = No NAT

When = All-Time, Source = Any Address, Destination = Any Address, Service = Any, Translated = 128.227.250.10

WAN link 3: Bridge mode: Multiple Static IP, 125.227.252.100-125.227.252.101 are deployed on localhost, 125.227.252.102-125.227.252.103 are deployed in WAN, and 125.227.252.104-125.227.252.105 are deployed in DMZ. The system adds the following default rules to WAN link 3:

When = All-Time, Source = 125.227.252.100-125.227.252.101, Destination = Any Address, Service = Any, Translated = No NAT

When = All-Time, Source = 125.227.252.104-125.227.252.105, Destination = Any Address, Service = Any, Translated = No NAT

When = All-Time, Source = Any Address, Destination = Any Address, Service = Any, Translated = 128.227.252.100

WAN link 4: Bridge mode: PPPoE. The system adds the following default rule to WAN link 4:

When = All-Time, Source = Any Address, Destination = Any Address, Service = Any, Translated = DynamicIP(DHCP/PPPoE)

The last rule translates the source IP address of all packets into an IP address (localhost) of the WAN link. The second (or third) rule from the bottom exempts packets coming from the WAN link's own subnets from NAT. These default rules are appended as the bottom rules of the top-down rule table. They cannot be deleted or edited unless the corresponding deployment of the WAN link changes. The default rules translate the source IP address of a matched packet into the first of the IP addresses assigned to the localhost of the WAN link, which is normally a public IPv4 address or a global IPv6 address. Therefore, packets with a private source address (IPv4) or a Link-Local source address (IPv6) are acceptable to the Internet after the NAT process. Note, however, that even if a packet arrives with a public source address (IPv4) or a Global source address (IPv6), NAT is still performed if the packet matches the last rule. NAT default rules are based solely on the deployment of a WAN link; the deployment of the LAN is not considered. Set NAT rules manually for advanced applications.

Similarly, the system generates default rules for IPv6/IPv4 dual stack WAN links. Taking WAN link 1 above as an example, if an IPv6 basic subnet 2001::/64 is deployed on WAN link 1 and the localhost is 2001::1, the system adds the following IPv6 default rules to WAN link 1:

When = All-Time, Source = 2001::/64, Destination = Any Address, Service = Any, Translated = No NAT

When = All-Time, Source = Any Address, Destination = Any Address, Service = Any, Translated = 2001::1

Note that FortiWAN V4.0.x does not generate IPv6 default rules for IPv6/IPv4 dual stack WAN links. It is necessary to add the IPv6 default rules manually, or IPv6 transmission might fail when its source IP address is a Link-Local address. Refer to the examples above for the rules to add.
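The top-down evaluation described above (specific rules first, the "No NAT" exemptions for the link's own subnets next, and a catch-all that translates everything else, including public sources, to the first localhost address) can be modelled in a few lines. This is an added example, not FortiWAN's code; the rule tables are constructed from the WAN link 3 and dual-stack WAN link 1 examples in the text, with the translated address taken as the first localhost IP as the text describes.

```python
import ipaddress

# Constructed model of a FortiWAN-style NAT rule table (not FortiWAN's code).
# A rule is (source, translated). Source is "Any", a subnet ("2001::/64"),
# a range ("a-b") or a single address. Translated is "No NAT" or an IP string.

def _source_matches(source, addr):
    """True if `addr` (an ip_address object) falls inside the rule's Source."""
    if source == "Any":
        return True
    if "-" in source:
        lo, hi = (ipaddress.ip_address(x) for x in source.split("-"))
        if lo.version != addr.version:   # IPv4 range never matches IPv6, and vice versa
            return False
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(source, strict=False)

def translate_source(rules, src_ip):
    """Apply the first matching rule, top-down, and return the resulting source IP.
    Default rules sit at the bottom of `rules`, as in the FortiWAN rule table."""
    addr = ipaddress.ip_address(src_ip)
    for source, translated in rules:
        if _source_matches(source, addr):
            return src_ip if translated == "No NAT" else translated
    return src_ip  # no rule matched: forwarded unchanged

# Default rules of WAN link 3 (bridge mode, multiple static IP), from the text.
WAN3_DEFAULT_RULES = [
    ("125.227.252.100-125.227.252.101", "No NAT"),   # addresses on localhost
    ("125.227.252.104-125.227.252.105", "No NAT"),   # addresses in DMZ
    ("Any", "125.227.252.100"),                      # everything else -> first localhost IP
]

# IPv6 default rules of the dual-stack WAN link 1 example.
WAN1_IPV6_DEFAULT_RULES = [
    ("2001::/64", "No NAT"),
    ("Any", "2001::1"),
]

if __name__ == "__main__":
    print(translate_source(WAN3_DEFAULT_RULES, "125.227.252.104"))  # DMZ host: no NAT
    print(translate_source(WAN3_DEFAULT_RULES, "192.168.1.10"))     # private LAN host: NATed
    print(translate_source(WAN3_DEFAULT_RULES, "203.0.113.5"))      # public source: still NATed
    print(translate_source(WAN1_IPV6_DEFAULT_RULES, "fe80::1"))     # link-local: NATed to 2001::1
```

The third IPv4 case shows the caveat from the text: a packet with a public source address is still translated because it matches the catch-all rule, so a manual rule above the defaults is needed if that is not wanted.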

Non-NAT

Non-NAT is used for Private Networks and MPLS Networks, where a host in WAN can directly access a host in DMZ, and where FortiWAN is used to balance VPN load and back up lines.

FortiWAN's inbound and outbound load balancing (Auto Routing and Multihoming) distribute sessions over multiple WAN links. It is necessary to make sure the correct NAT rules are applied to every enabled WAN link.

Enable NAT: Enable the function, and NAT will translate any private IP to a fixed public IP assigned to the given WAN link. Disable the function, and FortiWAN will act as a general router, allowing a host in WAN to directly access a host in DMZ.
WAN: Enabled WAN links are listed in the menu. Select the WAN link to which the NAT rules are to be set and applied.
This entry was posted in Administration Guides, FortiWAN on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
