FortiGate
rmreddy (Staff)
Article Id 336290
Description: This article describes why two default routes are not active at the same time when two ISPs are configured and one ISP uses DHCP/PPPoE addressing mode while the other uses Manual (static IP).
Scope: FortiGate, all supported versions of FortiOS, NAT or transparent mode.
Solution:

On the FortiGate, when two ISPs are configured, only one default route will show as active if one of the ISPs is configured with DHCP or PPPoE addressing mode.

The reason is that when the 'Addressing mode' is set to DHCP or PPPoE, the FortiGate retrieves the default gateway from the DHCP server (or PPPoE peer) and creates a default route whose administrative distance is 5 by default, as shown below.

[Image: DHCP gateway.PNG]

On the other hand, when 'Addressing mode' is set to Manual, a default route must be created manually under Network -> Static Routes, where the Administrative Distance is 10 by default, as shown below.

[Image: default ad.PNG]

As a result, the default route with an administrative distance of 5 will show as active, and the other route will show as inactive because its administrative distance is higher (10).

FortiGate # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       > - selected route, * - FIB route, p - stale info

Routing table for VRF=0
S    *> 0.0.0.0/0 [5/0] via 192.168.x.x, port4, [1/0]
S       0.0.0.0/0 [10/0] via x.x.x.x, port1, [1/0]

In this case, the FortiGate cannot be accessed on the public IP address of port1, because the route through port1 is not active.

To make both routes active, either change the Distance of port4 to 10 under Network -> Interfaces -> port4, or change the Administrative Distance of the static route to 5 under Network -> Static Routes.

Both routes will then show as active, the FortiGate can be accessed using both public IPs, and the users' internet traffic will be routed to both ISPs. When SD-WAN is configured and the routes are created with the individual interfaces instead of the virtual SD-WAN interface, the same behaviour applies.
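To check for this condition from a saved copy of the routing-table database output, the following script (added here as an example; it is not part of the article or of FortiOS) parses the route lines, reports which default route is selected and names the distance change that would make both active. The two tables are constructed samples using documentation addresses, not output from a real device.

```python
import re

# Constructed samples in the format of `get router info routing-table database`,
# not captured from a real device. BEFORE mirrors the article's situation.
BEFORE = """\
Routing table for VRF=0
S    *> 0.0.0.0/0 [5/0] via 192.168.1.1, port4, [1/0]
S       0.0.0.0/0 [10/0] via 203.0.113.2, port1, [1/0]
C    *> 192.168.1.0/24 is directly connected, port4
"""
# AFTER is the same table once both distances are 10 (both routes active).
AFTER = """\
Routing table for VRF=0
S    *> 0.0.0.0/0 [10/0] via 192.168.1.1, port4, [1/0]
S    *> 0.0.0.0/0 [10/0] via 203.0.113.2, port1, [1/0]
"""

# Route code, optional '*>' flags, prefix, [distance/metric], gateway, interface.
ROUTE_RE = re.compile(
    r"^(?P<code>[KCSRB])\s+(?P<flags>[*>]*)\s*(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"\s+\[(?P<dist>\d+)/\d+\]\s+via\s+(?P<gw>\S+),\s+(?P<iface>[^,\s]+)"
)

def parse_routes(text):
    """Parse gateway routes; connected routes have no 'via' and are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append({"prefix": m["prefix"], "distance": int(m["dist"]),
                           "gateway": m["gw"], "iface": m["iface"],
                           "active": ">" in m["flags"]})
    return routes

def audit_default_routes(routes):
    """Return (active interfaces, findings) for 0.0.0.0/0. A default route
    without '>' lost to one with a lower administrative distance; the finding
    names the distance change that would make both routes active."""
    defaults = [r for r in routes if r["prefix"] == "0.0.0.0/0"]
    if not defaults:
        return [], []
    best = min(r["distance"] for r in defaults)
    active = [r["iface"] for r in defaults if r["active"]]
    findings = [
        f"default route via {r['iface']} (distance {r['distance']}) is inactive: "
        f"set it to {best} or raise the active route to {r['distance']}"
        for r in defaults if not r["active"]
    ]
    return active, findings
```

Running `audit_default_routes(parse_routes(BEFORE))` flags port1 as inactive; the AFTER table yields both interfaces active and no findings.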


Note:

  1. When the interface mode is configured as either DHCP or PPPoE, there is no need to create a static route for the interface, as by default the kernel creates the route in the backend.
  2. When both routes are active in the routing table without SD-WAN, and no policy route is configured, the kernel decides to which interface/ISP the traffic is forwarded.