By default, the FortiGate prefers WAN interfaces in DHCP mode to interfaces in static mode.
This means that if an existing WAN connection is in static mode and a second connection is added in DHCP mode, the DHCP connection takes precedence and immediately replaces the static connection as the default route if all settings are kept at their defaults.
If no firewall policies have been configured to allow internet access through the DHCP connection, users on the local network lose internet access.
Take the example of a FortiGate with an existing static WAN connection on port1 and a DHCP connection that will be added on port3.
Behavior before connecting Port3:
Below are the static route, interface and routing table details of port1 and port3 before port3 is set up in DHCP mode. Note that the default administrative distance for a static route is 10.
sh sys int port1
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.9.11.1 255.255.240.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set snmp-index 1
    next
end

sh sys int port3
config system interface
    edit "port3"
        set vdom "root"
        set type physical
        set snmp-index 3
    next
end

sh full sys int port3 | grep distance

get router info routing-table det
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.9.15.254, port1, [1/0]
C       10.9.0.0/20 is directly connected, port1
C       10.9.16.0/20 is directly connected, port2

sh router static
config router static
    edit 1
        set gateway 10.9.15.254
        set device "port1"
    next
end
Behavior after connecting Port3:
- When 'DHCP' is selected as the addressing mode in the GUI, one of the first things to notice is that an administrative distance field appears with a value of '5', even before an IP address is retrieved. The value remains '5' after the IP address is assigned.
- As a result, a default route is created for that interface with an administrative distance of '5', which makes it preferred over the existing connection, whose static route has an administrative distance of '10'.
Below are the static route, interface and routing table details of port1 and port3 after port3 is set up in DHCP mode. Note that the preferred default route is now on port3 even though no custom static route exists for port3.
sh router static
config router static
    edit 1
        set gateway 10.9.15.254
        set device "port1"
    next
end

sh full router static | grep distance -f
config router static
    edit 1
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.9.15.254
        set preferred-source 0.0.0.0
        set distance 10    <---
        set weight 0
        set priority 1
        set device "port1"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set dstaddr ''
        unset internet-service
        set internet-service-custom ''
        set link-monitor-exempt disable
        set tag 0
        set bfd disable
    next
end

get router info routing-table det
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 10.9.47.254, port3, [1/0]
C       10.9.0.0/20 is directly connected, port1
C       10.9.16.0/20 is directly connected, port2
C       10.9.32.0/20 is directly connected, port3

get router info routing-table data
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       > - selected route, * - FIB route, p - stale info

Routing table for VRF=0
S   *>  0.0.0.0/0 [5/0] via 10.9.47.254, port3, [1/0]
S       0.0.0.0/0 [10/0] via 10.9.15.254, port1, [1/0]
C   *>  10.9.0.0/20 is directly connected, port1
C   *>  10.9.16.0/20 is directly connected, port2
C   *>  10.9.32.0/20 is directly connected, port3
- To avoid losing internet access because of this behavior, set the administrative distance on the DHCP interface to 10 (or to the distance of the existing static route) at the time DHCP mode is enabled. The new default route then has the same distance as the existing one, so it becomes an equal-cost path instead of taking over.
config sys int
    edit port3
        set distance 10
end
get router info routing-table det
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.9.15.254, port1, [1/0]
                  [10/0] via 10.9.47.254, port3, [1/0]
C       10.9.0.0/20 is directly connected, port1
C       10.9.16.0/20 is directly connected, port2
C       10.9.32.0/20 is directly connected, port3
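The takeover described above can be caught before users notice it by checking the routing table output for a default route whose distance undercuts the expected WAN interface. The script below is an added example, not Fortinet's code: it parses 'get router info routing-table det/data' output (one route or continuation path per line), reports which interfaces hold the active default route, and suggests the 'set distance' value that restores equal-cost behavior. The sample output is constructed from the values shown on this page.

```python
import re

# Constructed sample: the 'routing-table data' output after port3 came up in
# DHCP mode with the default interface distance of 5 (values from this page).
AFTER_DHCP = """\
Routing table for VRF=0
S *> 0.0.0.0/0 [5/0] via 10.9.47.254, port3, [1/0]
S 0.0.0.0/0 [10/0] via 10.9.15.254, port1, [1/0]
C *> 10.9.0.0/20 is directly connected, port1
C *> 10.9.32.0/20 is directly connected, port3
"""

# A route line starts with a code (S, C, ...), optional */> flags, then the prefix.
PREFIX_RE = re.compile(r"^[A-Z]+\s*[*>]*\s*(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)")
# Each path carries [distance/metric], a gateway and an interface. Extra ECMP
# paths appear on continuation lines that start with '['.
PATH_RE = re.compile(r"\[(?P<distance>\d+)/\d+\] via (?P<gw>\S+), (?P<iface>\S+?),")

def parse_default_routes(text):
    """Return [(iface, gateway, distance), ...] for every 0.0.0.0/0 path."""
    routes, prefix = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PREFIX_RE.match(line)
        if m:
            prefix = m.group("prefix")
        elif not line.startswith("["):
            continue  # 'Codes:' legend, 'Routing table for VRF=' or blank line
        if prefix == "0.0.0.0/0":
            for p in PATH_RE.finditer(line):
                routes.append((p.group("iface"), p.group("gw"), int(p.group("distance"))))
    return routes

def active_default_interfaces(routes):
    """Only the lowest-distance default route(s) are installed; ties give ECMP."""
    if not routes:
        return set()
    best = min(d for _, _, d in routes)
    return {iface for iface, _, d in routes if d == best}

def check_takeover(text, expected_wan):
    """Flag a WAN interface displaced from the active default route and return
    the distance to set on each intruding interface so both routes are equal."""
    routes = parse_default_routes(text)
    active = active_default_interfaces(routes)
    expected = [d for i, _, d in routes if i == expected_wan]
    displaced = bool(expected) and expected_wan not in active
    fix = {i: expected[0] for i in active} if displaced else None
    return {"active": sorted(active), "displaced": displaced, "set_distance": fix}
```

For the sample above, check_takeover(AFTER_DHCP, "port1") reports port3 as the only active default and suggests 'set distance 10' on port3, matching the fix shown on this page.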