Skip to main content
m0j0
m0j0
New Member
April 12, 2019
Question

Interface Route - Next Hop Unknown

  • April 12, 2019
  • 2 replies
  • 8127 views

I'm setting up a FGT for our company to take on a "work retreat" where we'll plug the firewall into the hosts network and all our clients will sit behind the firewall.  The firewall will get its WAN IP from DHCP and I'm configuring a tunnel from this to our head office, then tunneling all traffic from this remote site, routing everything out to the Internet via this tunnel.  This is a requirement to ensure all of these clients are hitting other resources with a known, trusted public IP address.

I've tested all of this in a lab environment with KVM FGT devices and all seems to work fine.  However, in my lab, all addresses were statically configured and to get the tunnel to function correctly, I had to add a more specific route on the "remote" firewall to the "head office" firewall outside IP address otherwise, once the tunnel interface was up it would then send traffic to this destination which would break the tunnel.  So my static routes are like this:

 

0.0.0.0/0 via tunnel-interface

head.office.fw.ip/32 via wan1 next-hop locally.connected.next.hop

 

So far, so good.  But...

 

The difference with the actual network will be that with the WAN IP and default gateway being assigned via DHCP, I don't know what the next-hop is going to be.  I figured I could add an interface route for this destination address and not define the next-hop and it would work it out from the DHCP assigned gateway on the same interface.  If I leave the next-hop blank in the GUI, it says invalid next-hop address.  If I use 0.0.0.0 as the next-hop, the gui accepts this but it doesn't work - the routing table shows this as a directly connected route which is obviously not correct.

 

I gather I can't do an interface route without a defined next-hop on the WAN interface because it's not a point-to-point interface like the tunnel interface is.  I'm all out of ideas.  Is it possible to do what I want or is it going to come down to having to know what the next-hop is and then configuring a static route at that point?  I've also tried a policy route but couldn't get that to work either.

 

Any ideas? 

 

 

    2 replies

    m0j0
    m0j0Author
    New Member
    April 12, 2019

    I think I've worked it out.  This seems to work in the lab anyway and doesn't require any information about the WAN DHCP.

     

    Instead of using a low cost default static route to send everything down the tunnel, I use a policy route so that only traffic the ingresses the internal interface is routed down the tunnel whereas everything sourced from the firewall itself will just use the gateway assigned by DHCP.

     

    Edit:  Cancel that.  I hadn't removed my static route that I'd previously configured.  As soon as I removed that I could see that no traffic was being sent down the tunnel.  Back to the drawing board...

     

    m0j0
    m0j0Author
    New Member
    April 12, 2019

    It seems policy route was the right idea but I hadn't executed it correctly.  This is the KB article that pointed me in the right direction - https://kb.fortinet.com/kb/viewContent.do?externalId=FD38790&sliceId=1

     

    My issue was highlighted in the first sentence of the solution - "Although a static route with a destination interface of a VPN tunnel does not require a gateway IP address, a policy route does."

     

    I was trying to configure a policy route without defining a next hop and just sending it down the tunnel interface as that's how you do static tunnel routes.  However, even though it didn't complain it just didn't work.  Assigned an IP and remote IP to the tunnel interface and it just started working.

     

    So, in summary, no static route on the on the tunnel, local and remote IP on the tunnel interface, policy route for 0.0.0.0/0 via tunnel interface with remote IP as next hop.  This will tunnel all traffic from the local network down the tunnel to head office without affecting the route from the FGT itself to the head office firewall which will allow the tunnel to stay up.

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    April 12, 2019

    I think what you need is:

     

    config sys wan1 (or wan port you're using)

        set mode dhcp

        set defaultgw diable

    end

     

    config router static

    edit 0

        set dst PEER-PUBLIC-IP 255.255.255.255

        set device wan1

        set dynamic-gateway enable

    next

    edit 0

        set device IPSEC-NAME    <--- implicit 0.0.0.0/0

    next

     

     

    sw2090
    SuperUser
    sw2090
    SuperUser
    April 12, 2019

    hm do you really want to blow away your head office's internet connection with all the internet traffic from your sites?

    If you just want to hit services in head office you could do that either with static routing + policy to enable clients forme the subnet on site to reach services/hosts at head office or (if you tunnel is IPSEC) by specifying this via pase2 selectors. Then you would route the internet traffic trhorugh the sites internet connection and only traffic to/from services /hosts at head office via the tunnel.

    Terms & ConditionsAccessibility statement