Difficulties configuring home router/firewall to allow Forticlient connections to the vpn server #137

@lpvm

Description

Hi,

I've a corporate laptop that uses Forticlient to establish a VPN
connection to corporate resources.

When working at home with this corporate laptop connected through the ISP
router, there's no problem connecting to the VPN server.

Now, I'm setting up my own NetBSD stable 10.1 amd64 router/firewall.

Using simple NAT rules, other systems can connect fine to the Internet, also the corporate
laptop can connect fine for everything except the VPN resources.
When I try to connect the VPN, Forticlient 2.7.8.1140 returns:
"a network error prevented updates from being downloaded".

I asked in the community Fortinet forum about this and was told by a power user that:

_No special rule needed, except need to open the outgoing connection to the remote SSL VPN server IP:port (usually TCP 443 or 10443). NAT is fully supported._

Here's my router/firewall configuration:

# npfctl show
# filtering:	active
# config:	loaded

table <int-block> type lpm

procedure "log"

map re0 dynamic any -> ifaddrs(re0) pass family inet4 from 192.168.1.0/24 # id="1" 

group "external" on re0 { # id="1" 
	pass stateful out final all # id="2" 
	pass stateful in final family inet4 proto tcp flags S/FSRA to ifaddrs(re0) port 22 # id="3" 
	pass stateful in final proto tcp flags S/FSRA to ifaddrs(re0) port { 80, 443, 25, 53, 6000, 9022 } # id="4" 
	pass stateful in final proto udp to ifaddrs(re0) port { 53, 123, 6000 } # id="5" 
	pass stateful in final proto { tcp, udp } flags S/FSRA to ifaddrs(re0) port 22222 # id="6" 
	block all apply "log" # id="7" 
}

group "internal" on wm0 { # id="8" 
	pass in final family inet4 from 192.168.1.0/24 # id="9" 
	pass out final all # id="a" 
}

group default { # id="b" 
	pass final on lo0 all # id="c" 
}

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding = 1

# uname -a
NetBSD fut.home.lan 10.1_STABLE NetBSD 10.1_STABLE (GENERIC) #0: Sat Sep  6 09:34:11 UTC 2025  mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64

Can you please tell me what I am missing or doing wrong?
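Added example (not part of the issue, and not NetBSD's or NPF's own code): a small Python evaluator that replays the posted `npfctl show` filter groups using the subset of NPF's matching semantics the rule set relies on (groups selected by interface, rules tried in order, last match wins unless a matching rule is `final`) and reports which rule id decides a given packet. Run over the posted rules, a LAN host's connection to a remote SSL VPN port (443 or 10443, the ports named in the Fortinet forum reply) is passed on the way in by rule 9 and on the way out of re0 by the `pass stateful out final all` rule (id 2), while an unsolicited inbound connection to 10443 on the WAN side falls to the logging `block all` rule (id 7). The host addresses are constructed, TCP flags and `family` are ignored (every packet is taken to be an IPv4 connection-opening packet), the NAT `map` line is not modelled, and "no rule matched" is reported as None rather than guessing NPF's built-in default.

```python
import ipaddress
import re
from collections import namedtuple

# Filter groups copied from the issue's `npfctl show` output; the `map` NAT
# line is left out because only the filtering decision is modelled here.
NPF_RULES = """
group "external" on re0 { # id="1"
    pass stateful out final all # id="2"
    pass stateful in final family inet4 proto tcp flags S/FSRA to ifaddrs(re0) port 22 # id="3"
    pass stateful in final proto tcp flags S/FSRA to ifaddrs(re0) port { 80, 443, 25, 53, 6000, 9022 } # id="4"
    pass stateful in final proto udp to ifaddrs(re0) port { 53, 123, 6000 } # id="5"
    pass stateful in final proto { tcp, udp } flags S/FSRA to ifaddrs(re0) port 22222 # id="6"
    block all apply "log" # id="7"
}
group "internal" on wm0 { # id="8"
    pass in final family inet4 from 192.168.1.0/24 # id="9"
    pass out final all # id="a"
}
group default { # id="b"
    pass final on lo0 all # id="c"
}
"""

# Rule: protos/ports empty = any; direction/iface None = any;
# to_ifaddrs = "to ifaddrs(<iface>)", i.e. addressed to the router itself.
Rule = namedtuple("Rule", "id action final direction iface protos src to_ifaddrs ports")
Group = namedtuple("Group", "name iface rules")
# Packet.dst_is_ifaddr: True when the packet is addressed to the router's own address.
Packet = namedtuple("Packet", "iface direction proto src dport dst_is_ifaddr")


def _items(text):
    """'{ 80, 443 }' -> {'80', '443'}; '22' -> {'22'}."""
    return {t.strip() for t in text.strip("{} ").split(",") if t.strip()}


def parse(conf):
    """Parse the npfctl-style text into Group objects (rule ids from the # id="" comments)."""
    groups, cur = [], None
    for raw in conf.splitlines():
        line, _, tail = raw.partition("#")
        line = line.strip()
        if not line or line == "}":
            continue
        m = re.match(r'group\s+(?:"([^"]+)"|(default))(?:\s+on\s+(\S+))?\s*\{', line)
        if m:
            cur = Group(m.group(1) or m.group(2), m.group(3), [])
            groups.append(cur)
            continue
        toks = line.split()
        rid = re.search(r'id="(\w+)"', tail)
        proto = re.search(r"proto\s+(\{[^}]*\}|\w+)", line)
        port = re.search(r"port\s+(\{[^}]*\}|\d+)", line)
        src = re.search(r"from\s+(\S+)", line)
        on = re.search(r"\bon\s+(\S+)", line)
        cur.rules.append(Rule(
            id=rid.group(1) if rid else "?", action=toks[0], final="final" in toks,
            direction="in" if "in" in toks else ("out" if "out" in toks else None),
            iface=on.group(1) if on else None,
            protos=_items(proto.group(1)) if proto else set(),
            src=ipaddress.ip_network(src.group(1)) if src else None,
            to_ifaddrs="ifaddrs(" in line,
            ports={int(p) for p in _items(port.group(1))} if port else set()))
    return groups


def matches(r, p):
    # TCP flags (S/FSRA) and "family inet4" are not modelled: every Packet is
    # taken to be an IPv4 connection-opening segment or datagram.
    return ((r.direction is None or r.direction == p.direction)
            and (r.iface is None or r.iface == p.iface)
            and (not r.protos or p.proto in r.protos)
            and (r.src is None or ipaddress.ip_address(p.src) in r.src)
            and (not r.to_ifaddrs or p.dst_is_ifaddr)
            and (not r.ports or p.dport in r.ports))


def decide(groups, p):
    """(action, rule id) of the deciding rule, or None if no rule matched.
    Simplified NPF order: groups in configuration order with `group default` last,
    a group applies only on its interface, last match wins unless a match is `final`."""
    for g in sorted(groups, key=lambda g: g.name == "default"):  # stable: default last
        if g.iface and g.iface != p.iface:
            continue
        winner = None
        for r in g.rules:
            if matches(r, p):
                winner = r
                if r.final:
                    break
        if winner:
            return winner.action, winner.id
    return None  # falls to NPF's built-in default, which is not modelled here


def vpn_path(groups, src="192.168.1.10", proto="tcp", dport=10443):
    """Trace a LAN host's connection to a remote SSL VPN port across both hops of
    the router: in on wm0, then out on re0 (where the NAT map would apply)."""
    hop_in = decide(groups, Packet("wm0", "in", proto, src, dport, False))
    hop_out = decide(groups, Packet("re0", "out", proto, src, dport, False))
    return hop_in, hop_out


if __name__ == "__main__":
    g = parse(NPF_RULES)
    for port in (443, 10443):  # the ports named in the Fortinet forum reply
        print(f"LAN -> VPN server:{port}/tcp", vpn_path(g, dport=port))
        # Unsolicited inbound connection to the same port on the WAN side
        # (203.0.113.5 is a constructed documentation address).
        print(f"WAN -> router:{port}/tcp",
              decide(g, Packet("re0", "in", "tcp", "203.0.113.5", port, True)))
```

`vpn_path` looks at the filter decision only; whether the return traffic is matched by the state created by rule 2 on re0, and whether the NAT map rewrote the source address, is something to confirm on the router itself with `npfctl list` and a packet capture on re0 while the client attempts its connection.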
