FortiGate
aahmadzada
Staff
Article Id 259694

Description
This article explains the difference between the 'srcintf-filter' and 'extintf' settings of a VIP object.
Scope
FortiOS, FortiProxy.
Solution

The 'srcintf-filter' and 'extintf' settings of a VIP object are often confused with each other.

'extintf' is primarily a GUI convenience setting.

Setting an interface as the value of 'extintf' guarantees that the FortiGate performs DNAT according to the VIP object for traffic arriving on that interface, but it does not limit the VIP to that interface.

 

Example:

config firewall vip
    edit "VIP"
        set extip 85.132.52.234
        set extintf "wan1"
        set mappedip "10.185.3.199"
    next
end

 

With this configuration, the VIP is offered for selection in the GUI only in firewall policies whose incoming interface is wan1.

'extintf' does not, however, bind the VIP to that interface: the VIP in the example above performs DNAT for matching traffic arriving on any interface, not just wan1.

'srcintf-filter', on the other hand, does bind the VIP to one or more specific interfaces, so the VIP accepts connections only on the interface(s) listed as its value. This is useful when DNAT should apply only on a subset of interfaces, because the interface binding offered in the GUI is limited to either 'any' or one particular interface:

 

config firewall vip
    edit "VIP"
        set extip 85.132.52.234
        set srcintf-filter "wan1" [<interface-2> ... <interface-n>]
        set mappedip "10.185.3.199"
    next
end

Multiple interface names are separated by spaces.
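As an added practitioner check (example code written to illustrate this article's point; it is not Fortinet tooling and was not part of the original article): the following Python script parses the text of 'show firewall vip' and lists every VIP whose only interface setting is 'extintf', since such a VIP still performs DNAT for traffic arriving on every interface, while a VIP with 'srcintf-filter' is reported as bound to the listed interfaces. The VIP names, addresses and interface names in the embedded sample are constructed, and the parser only handles the 'edit', 'set' and 'next' lines of that output.

```python
"""
Audit FortiOS VIP objects for real interface binding.

Added example, not part of the original article or of Fortinet's tooling.
Reads the text of `show firewall vip` and flags VIPs that rely on 'extintf'
alone: the GUI offers them only for that interface, but DNAT is still done
for traffic on every interface. Only 'srcintf-filter' restricts DNAT.
"""
import re

# Constructed sample of `show firewall vip` output (assumed names/addresses).
SAMPLE_CONFIG = """\
config firewall vip
    edit "VIP-web"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.185.3.199"
    next
    edit "VIP-mail"
        set extip 203.0.113.11
        set extintf "any"
        set srcintf-filter "wan1" "wan2"
        set mappedip "10.185.3.25"
    next
    edit "VIP-legacy"
        set extip 203.0.113.12
        set mappedip "10.185.3.30"
    next
end
"""


def parse_vips(config_text):
    """Return {vip_name: {setting: [values]}} from `show firewall vip` text."""
    vips = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"([^"]+)"$', line)
        if m:
            current = m.group(1)
            vips[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r'^set\s+(\S+)\s+(.*)$', line)
        if m and current is not None:
            key, rest = m.group(1), m.group(2)
            # Values are space separated; FortiOS quotes interface names.
            values = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
            vips[current][key] = values
    return vips


def effective_ingress(vip):
    """Interfaces on which DNAT is actually performed for this VIP."""
    srcintf = vip.get("srcintf-filter")
    if srcintf:
        return sorted(srcintf)
    return ["any"]  # 'extintf' alone does not bind the VIP


def audit(config_text):
    """Return (name, extintf, effective_interfaces) for every unbound VIP."""
    findings = []
    for name, vip in parse_vips(config_text).items():
        # `show` omits settings left at default; treat a missing extintf as any.
        extintf = vip.get("extintf", ["any"])[0]
        eff = effective_ingress(vip)
        if eff == ["any"]:
            findings.append((name, extintf, eff))
    return findings


if __name__ == "__main__":
    for name, extintf, eff in audit(SAMPLE_CONFIG):
        print(f"{name}: extintf={extintf!r} but DNAT applies on {eff}")
```

Run against the output of 'show firewall vip' from a real unit, every VIP it prints is one whose exposure is governed by the firewall policies referencing it rather than by any interface setting on the VIP itself; add 'srcintf-filter' where the intent was to confine DNAT to particular interfaces.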

 

'srcintf-filter' is also useful for a failover pair of IPsec tunnels to a peer with overlapping subnets: one VIP object listing both tunnel interfaces in 'srcintf-filter' avoids having to create separate IP pool and VIP objects for each IPsec tunnel.