FortiGate
Ade_23
Staff
Article Id 358737
Description

This article describes why a WAN interface configured in DHCP mode takes precedence over a WAN link in static mode by default.

Scope

All FortiGate OS versions and models.

Solution

By default, the FortiGate prefers WAN interfaces in DHCP mode over interfaces in static mode.

This means that if an existing WAN connection is in static mode and a second connection is added in DHCP mode with all settings left at their defaults, the default route learned on the DHCP connection takes precedence and immediately replaces the static default route.

If no firewall policies have been configured to allow internet access through the DHCP connection, users on the local network lose internet access at that moment.


Take the example of a FortiGate with an existing static WAN connection on port1 and a DHCP WAN connection added on the port3 interface.

Behavior before connecting the DHCP WAN interface Port3:

Below are the static route, interface, and routing table details of port1 and port3 before port3 is set up in DHCP mode. Note that the default administrative distance for a static route is 10.


show sys interface port1
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.9.11.1 255.255.240.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
        set snmp-index 1
    next
end

 

show sys interface port3
config system interface
    edit "port3"
        set vdom "root"
        set type physical
        set snmp-index 3
    next
end

 

show full sys interface port3 | grep distance

 

get router info routing-table det
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.9.15.254, port1, [1/0]
C 10.9.0.0/20 is directly connected, port1
C 10.9.16.0/20 is directly connected, port2


show router static
config router static
    edit 1
        set gateway 10.9.15.254
        set device "port1"
    next
end

[Image: default distance.PNG]

Behavior after connecting the DHCP WAN interface Port3:

 

  • When 'DHCP' is selected as the addressing mode in the GUI, one of the first things to notice is that an Administrative Distance field appears, pre-populated with a value of '5', even before an IP address has been retrieved. The value stays at 5 after the IP address is assigned.

[Image: Enable DHCP.PNG]

[Image: IP Assigned.PNG]

  • As a result, a default route is created for that interface with an administrative distance of '5', which makes it preferred over the existing default route with an administrative distance of '10'.

Below are the static route, interface, and routing table details of port1 and port3 after port3 is set up in DHCP mode. Note that the preferred default route is now on port3, even though no static route has been configured for port3.


show router static
config router static
    edit 1
        set gateway 10.9.15.254
        set device "port1"
    next
end

 

show full router static | grep distance -f
config router static
    edit 1
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.9.15.254
        set preferred-source 0.0.0.0
        set distance 10  <---
        set weight 0
        set priority 1
        set device "port1"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set dstaddr ''
        unset internet-service
        set internet-service-custom ''
        set link-monitor-exempt disable
        set tag 0
        set bfd disable
    next
end

 

get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 10.9.47.254, port3, [1/0]
C 10.9.0.0/20 is directly connected, port1
C 10.9.16.0/20 is directly connected, port2
C 10.9.32.0/20 is directly connected, port3


get router info routing-table data
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
> - selected route, * - FIB route, p - stale info

Routing table for VRF=0
S *> 0.0.0.0/0 [5/0] via 10.9.47.254, port3, [1/0]
S 0.0.0.0/0 [10/0] via 10.9.15.254, port1, [1/0]
C *> 10.9.0.0/20 is directly connected, port1
C *> 10.9.16.0/20 is directly connected, port2
C *> 10.9.32.0/20 is directly connected, port3

 

  • To avoid losing internet access because of this behavior, set the administrative distance on the DHCP interface to 10 (or to whatever distance the existing static route uses) and set its priority to a value higher than the priority of the existing static WAN route. The two default routes then have equal distance, and because the route with the lower priority value is preferred, the DHCP route becomes the secondary path instead of taking over from the existing WAN connection.

  • If the priority value is left the same for both routes, the two routes are equal and traffic is split between them: some traffic goes out over wan1 (port1 in this example) and some over wan2 (port3). If no firewall policies are in place for wan2, that traffic is impacted. It is therefore necessary to raise the priority value on the new route so that the existing connection stays preferred and wan2 only takes over when the wan1 connection is lost, by which time all policies for wan2 should be in place.

config system interface
    edit port3
        set distance 10
        set priority 5
    next
end

 

get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.9.15.254, port1, [1/0]
             [10/0] via 10.9.47.254, port3, [5/0]
C 10.9.0.0/20 is directly connected, port1
C 10.9.16.0/20 is directly connected, port2
C 10.9.32.0/20 is directly connected, port3

 

Note: For the DHCP WAN interface, the priority value can only be changed from the CLI.
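As an added check (not part of this article and not Fortinet code), the following Python applies the selection rule described above, lowest administrative distance first and then lowest priority value, to the text of `get router info routing-table database`. The first sample is the output captured on this page; the other two are constructed to show the state after the fix and the equal-priority case, and the route flag format in them, like the function names, is an assumption.

```python
import re
# One gateway route line of `get router info routing-table database`, e.g.
#   S *> 0.0.0.0/0 [5/0] via 10.9.47.254, port3, [1/0]
# [distance/metric] precedes the gateway; [priority/0] follows the device.
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])\s+(?:[*>p]+\s+)?(?P<prefix>\S+)\s+"
    r"\[(?P<distance>\d+)/\d+\]\s+via\s+(?P<gw>[\d.]+),\s+"
    r"(?P<dev>\S+),\s+\[(?P<priority>\d+)/\d+\]"
)
# Captured on the page: the DHCP default route on port3 (distance 5) wins.
DB_AFTER_DHCP = """\
S *> 0.0.0.0/0 [5/0] via 10.9.47.254, port3, [1/0]
S 0.0.0.0/0 [10/0] via 10.9.15.254, port1, [1/0]
C *> 10.9.0.0/20 is directly connected, port1
"""
# Constructed: same links after `set distance 10` / `set priority 5` on port3.
DB_AFTER_FIX = """\
S *> 0.0.0.0/0 [10/0] via 10.9.15.254, port1, [1/0]
S * 0.0.0.0/0 [10/0] via 10.9.47.254, port3, [5/0]
"""
# Constructed: equal distance and equal priority, so both routes stay active.
DB_EQUAL = """\
S *> 0.0.0.0/0 [10/0] via 10.9.15.254, port1, [1/0]
S *> 0.0.0.0/0 [10/0] via 10.9.47.254, port3, [1/0]
"""
def parse_routes(output):
    """Return the gateway routes in the output; connected routes are skipped."""
    routes = []
    for line in output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append({"prefix": m["prefix"], "dev": m["dev"], "gw": m["gw"],
                           "distance": int(m["distance"]),
                           "priority": int(m["priority"])})
    return routes

def active_devices(routes, prefix="0.0.0.0/0"):
    """FortiOS selection: lowest distance wins, then lowest priority; full ties are ECMP."""
    cands = [r for r in routes if r["prefix"] == prefix]
    if not cands:
        return []
    best_dist = min(r["distance"] for r in cands)
    tied = [r for r in cands if r["distance"] == best_dist]
    best_prio = min(r["priority"] for r in tied)
    return [r["dev"] for r in tied if r["priority"] == best_prio]

def default_route_hijacked(output, expected_dev="port1"):
    """True when the expected WAN interface no longer carries the default route."""
    return expected_dev not in active_devices(parse_routes(output))
```

Running it against a fresh capture from the firewall tells you, before policies are touched, whether a newly added DHCP WAN has displaced the static default route.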

 

Related article:

Technical Tip: Configure ISP failover using default routes and link health monitor as traditional me...