Fortinet Forum
AlexandreCardoso
New Contributor

Forticlient adding a route to the end device

Hi Guys,


I'm facing this issue with the current implementation that we have.

We use the network 10.0.0.0/16 on our internal infrastructure. If a client uses FortiClient on a guest Wi-Fi that uses the same subnet and connects to the FortiClient, the route will match the internal guest Wi-Fi and not the default route pointing to the FortiGate.


My idea was that when the client connects to the SSL-VPN with the default route, a route for 10.0.0.0/16 pointing to the tunnel should appear.


Does anyone have this same issue?

I also wondered if it is possible to do this on EMS with the "On Connect Script".


In our previous infrastructure, Cisco AnyConnect, that was possible.
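As an added example (not from this thread, FortiClient or EMS), here is a small Python model of how a host picks a route: the longest matching prefix wins, and among equal prefixes the lowest metric wins. It shows why the guest Wi-Fi's connected 10.0.0.0/16 beats the VPN's default route, that a 10.0.0.0/16 route via the tunnel only wins when its metric is lower than the Wi-Fi's, and that two more-specific /17 routes via the tunnel win regardless of metric. Interface names, metrics and addresses are constructed, and the model ignores OS-specific details such as Windows adding the interface metric to the route metric.

```python
import ipaddress

# Constructed base table: the VPN pushed a default route over the tunnel,
# and the guest Wi-Fi DHCP lease put the host directly on 10.0.0.0/16.
# Each route is (destination network, interface name, metric).
BASE_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "tunnel", 1),
    (ipaddress.ip_network("10.0.0.0/16"), "wifi", 50),
]

CORP_PREFIX = ipaddress.ip_network("10.0.0.0/16")


def select_route(routes, dest_ip):
    """Longest-prefix match; ties broken by the lowest metric."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if ip in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))


def chosen_interface(extra_routes, dest_ip="10.0.40.10"):
    """Interface the host would use for a corp address (constructed) after
    adding extra_routes to the base table."""
    route = select_route(BASE_ROUTES + extra_routes, dest_ip)
    return route[1] if route else None


def same_prefix_fix(metric):
    """The route the original post asks for: 10.0.0.0/16 via the tunnel.
    It only wins the tie with the Wi-Fi route if its metric is lower."""
    return [(CORP_PREFIX, "tunnel", metric)]


def more_specific_fix(metric):
    """Two /17 routes via the tunnel cover the same space but are more
    specific than the Wi-Fi's /16, so they win whatever the metric."""
    return [(net, "tunnel", metric) for net in CORP_PREFIX.subnets(prefixlen_diff=1)]


def overlap_report(local_nets, corp_net=str(CORP_PREFIX)):
    """Defender-side check: which local interface subnets overlap the
    corporate prefix (the condition that triggers this problem)."""
    corp = ipaddress.ip_network(corp_net)
    return [str(n) for n in map(ipaddress.ip_network, local_nets) if n.overlaps(corp)]


if __name__ == "__main__":
    print("no fix:            ", chosen_interface([]))
    print("/16 metric 1:      ", chosen_interface(same_prefix_fix(1)))
    print("/16 metric 100:    ", chosen_interface(same_prefix_fix(100)))
    print("two /17 metric 100:", chosen_interface(more_specific_fix(100)))
    print("overlapping subnets:", overlap_report(["192.168.1.0/24", "10.0.0.0/16"]))
```

The practical point for an on-connect script is that a route of the same prefix length as the local LAN route depends on metrics the client does not control, whereas splitting the corporate prefix into more-specific routes does not.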

4 REPLIES
B1B3tt3r
New Contributor II

There are a few clarifications required before I can start to answer your question.
Typically, if you are using 10.0.0.0/16 internally, you would introduce NAT at your edge to protect yourself from routing issues such as the one you describe.

Toshi_Esumi
Esteemed Contributor II

Why do you have to use the same 10.0.0.0/16 for the guest Wi-Fi network in the first place? It's for guests, so it wouldn't matter what IP range they get, would it? You're supposed to separate guest networks from the corp/internal network for security reasons. Assigning a different subnet like 10.255.0.0/16 makes traffic/security management and troubleshooting much easier and avoids headaches.

AlexandreCardoso
New Contributor

So basically this issue happened when a user of ours who is a road warrior went to a company that used 10.0.0.0/16 as its guest Wi-Fi.

That is my issue.

B1B3tt3r
New Contributor II

Some devices will cache the last known IP.
In most cases this is a function of the operating system.
For Windows you can test this by running ipconfig to see the current value, ipconfig /release to force a stack reset, followed by ipconfig /renew to force a DHCP discovery.