# FortiGate Configuration Changes

FortiGate URL: https://10.48.200.1:9443
Login: admin / (your password)

**REVIEW BEFORE APPLYING. FusionPBX rules are NOT touched.**

---

## Step 1 — Create Virtual IPs (VIPs)

Go to: **Policy & Objects → Virtual IPs → Create New → Virtual IP**

### VIP 1: NPM (Web Traffic)

| Field | Value |
|-------|-------|
| Name | `VIP-NPM-HTTP` |
| Interface | WAN interface (the one with 97.176.15.26) |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.80` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `80` |
| Mapped Port | `80` |

### VIP 2: NPM (HTTPS)

| Field | Value |
|-------|-------|
| Name | `VIP-NPM-HTTPS` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.80` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `443` |
| Mapped Port | `443` |

### VIP 3: Mailcow SMTP (Port 25)

| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-SMTP` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `25` |
| Mapped Port | `25` |

### VIP 4: Mailcow SMTPS (Port 465)

| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-SMTPS` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `465` |
| Mapped Port | `465` |

### VIP 5: Mailcow Submission (Port 587)

| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-SUBMISSION` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `587` |
| Mapped Port | `587` |

### VIP 6: Mailcow IMAP (Port 143)

| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-IMAP` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `143` |
| Mapped Port | `143` |

### VIP 7: Mailcow IMAPS (Port 993)

| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-IMAPS` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `993` |
| Mapped Port | `993` |

### VIP 8: Mailcow POP3 (Port 110) — Optional

| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-POP3` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `110` |
| Mapped Port | `110` |

### VIP 9: Mailcow POP3S (Port 995) — Optional

| Field | Value |
|-------|-------|
| Name | `VIP-MAIL-POP3S` |
| Interface | WAN interface |
| External IP | `97.176.15.26` |
| Mapped IP | `10.48.200.82` |
| Port Forwarding | Enabled |
| Protocol | TCP |
| External Port | `995` |
| Mapped Port | `995` |

---

## Step 2 — Create Firewall Policies

Go to: **Policy & Objects → Firewall Policy → Create New**

### Policy 1: Allow Web Traffic to NPM

| Field | Value |
|-------|-------|
| Name | `WAN-to-NPM-Web` |
| Incoming Interface | WAN |
| Outgoing Interface | LAN (internal) |
| Source | `all` |
| Destination | `VIP-NPM-HTTP`, `VIP-NPM-HTTPS` |
| Schedule | `always` |
| Service | `HTTP`, `HTTPS` |
| Action | `ACCEPT` |
| NAT | Enabled |
| Log | Enabled (recommended) |

### Policy 2: Allow Mail Traffic to Mailcow

| Field | Value |
|-------|-------|
| Name | `WAN-to-Mailcow-Mail` |
| Incoming Interface | WAN |
| Outgoing Interface | LAN (internal) |
| Source | `all` |
| Destination | `VIP-MAIL-SMTP`, `VIP-MAIL-SMTPS`, `VIP-MAIL-SUBMISSION`, `VIP-MAIL-IMAP`, `VIP-MAIL-IMAPS` |
| Schedule | `always` |
| Service | Custom (ports 25, 465, 587, 143, 993) |
| Action | `ACCEPT` |
| NAT | Enabled |
| Log | Enabled |

> **NOTE:** If you also want POP3, add `VIP-MAIL-POP3` and `VIP-MAIL-POP3S` to Policy 2.

---

## Step 3 — Verify FusionPBX Rules Are Intact

After applying the above, confirm your existing SIP/RTP rules still exist:

- Port `5060` UDP/TCP → FusionPBX host
- Port `5061` UDP/TCP → FusionPBX host
- Ports `10000-20000` UDP → FusionPBX host (RTP)

Do NOT remove or modify these.

---

## Step 4 — (Optional) Block SMTP relay abuse

Add a firewall policy to prevent internal hosts from sending SMTP directly (forces use of Mailcow):

- Outgoing port 25 from LAN → blocked (except from 10.48.200.82)

---

## Verification

After applying:

```bash
# Test from external network or use mxtoolbox.com:
# https://mxtoolbox.com/SuperTool.aspx

# Test SMTP
telnet 97.176.15.26 25

# Test IMAP
telnet 97.176.15.26 143

# Test web
curl -I http://97.176.15.26
curl -Ik https://97.176.15.26
```