原本有一台伺服器直接連到中華電信,因為安全性問題,打算將這台伺服器接到防火牆後。可是,當更改伺服器的IP地址後,這台伺服器就無法連接到網路了。伺服器只能ping到防火牆就出不去了。可是如果拿一台筆電,將筆電的IP更改和伺服器相同的網段,並且連接到防火牆設定要接伺服器的連接埠,筆電是可以連上網的。
基本的架構如下:
防火牆的相關設定如下:
config firewall ippool
edit "60.a.b.c"
set startip 60.a.b.c
set endip 60.a.b.c
next
end
config firewall vip
edit "WEB"
set uuid xxxxxxx
set extip 60.a.b.c
set mappedip "10.1.1.100"
set extintf "any"
next
end
config firewall policy
edit 2
set name "Lan to SD-WAN"
set uuid xxxxxxx
set srcintf "lan"
set dstintf "virtual-wan-link"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
edit 5
set name "DMZ to Hinet"
set uuid xxxxxxx
set srcintf "port5"
set dstintf "virtual-wan-link"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
set ippool enable
set poolname "60.a.b.c"
next
edit 8
set name "Hinet to DMZ"
set uuid xxxxxxx
set srcintf "virtual-wan-link"
set dstintf "port5"
set action accept
set srcaddr "all"
set dstaddr "WEB"
set schedule "always"
set service "HTTP" "HTTPS"
set logtraffic all
next
end
config system interface
edit "port5"
set vdom "root"
set ip 10.1.1.1 255.255.255.0
set allowaccess ping
set type physical
set alias "DMZ"
set role dmz
set snmp-index 7
next
edit "a"
set vdom "root"
set ip 60.a.b.d 255.255.255.0
set allowaccess ping
set type physical
set alias "Hinet"
set snmp-index 9
next
edit "b"
set vdom "root"
set mode dhcp
set type physical
set alias "Homeplus"
set snmp-index 10
next
end
config router static
edit 1
set gateway 60.a.b.254
set distance 1
set device "a"
next
edit 2
set distance 100
set device "b"
set dynamic-gateway enable
next
end
config system sdwan
set status enable
set load-balance-mode weight-based
config zone
edit "virtual-wan-link"
next
end
config members
edit 1
set interface "a"
set gateway 60.a.b.254
set weight 255
next
edit 2
set interface "b"
set priority 10
next
end
會是哪邊的設定有問題呢?該如何解決?
已邀請的邦友 {{ invite_list.length }}/5
1.檢查一下伺服器的網路設定,預設閘道是不是有跳成空白(自己經驗,改完IP按確定關閉之後,預設閘道又自己跳掉,必須再設一次)
2.輸入以下指令
netsh winsock reset,然後按 Enter。
netsh int ip reset,然後按 Enter。
ipconfig /release,然後按 Enter。
ipconfig /renew,然後按 Enter。
ipconfig /flushdns,然後按 Enter。
重置伺服器端的TCP/IP設定,然後重開機
3.將伺服器網路線拔掉,用筆電改成和伺服器一樣的IP,測試看能不能連外網
10.1.1.100 的 WINDOWS FIREWALL 要先關了
另確定下GATEWAY要設定成10.1.1.1
指令試試:
config firewall ippool
edit "60.a.b.c"
set startip 60.a.b.c
set endip 60.a.b.c
set associated-interface "a"
next
end
config firewall policy
edit 8
set name "Hinet to DMZ"
set uuid xxxxxxx
set srcintf "virtual-wan-link"
set dstintf "port5"
set action accept
set srcaddr "all"
set dstaddr "WEB"
set schedule "always"
set service "HTTP" "HTTPS"
set nat enable
set logtraffic all
next
end
config system interface
edit "a"
set vdom "root"
set ip 60.a.b.d 255.255.255.0
set allowaccess ping
set type physical
set alias "Hinet"
set snmp-index 9
set secondary-IP enable
config secondaryip
edit 1
set ip 60.a.b.c 255.255.255.255
set allowaccess ping
next
end
next
end
如果能通了再討論 -.-
這台FG-91G可是所謂的專案機種呀
也就是說這台設備有專屬的SI負責
怎麼能搞成這個樣子呢
看設定就知道工程師觀念一蹋糊塗
有本事搞SD-WAN,又用IP pool
然後FortiLink又拆出a,b port
真的是很想問問哪位高人可以搞成這樣?
沒見過這麼有本事的
如果樓主看不懂在下說的
請先考考SI問問知不知道
然後直接跟SI說
沒有搞好設定能讓公司正常使用
驗收不過,直接退貨退款
iThome鐵人賽
看影片追技術