Fortinet Forum
Max2
New Contributor II

Lost internet connection when using forticlient

Hello, this is the first time I have used FortiClient.

When I establish a VPN connection, I can reach the server but I can't browse the internet from my PC.

Is there a way to solve this issue without making changes on the FortiClient server side?

I'm using Windows 10.

Please give me precise instructions, as I am not an expert in configuring networks and firewalls.

Thank you

nalexiou
Staff

Hello Max,

 

I suspect that this is happening because all the traffic is sent to your internal network.

In this case split tunnel is a solution.

You can configure split tunnel by following the below doc:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/307303/ssl-vpn-split-tunnel-for-remote-u...

Another solution, in case you want to send this traffic to the firewall, is to configure a firewall policy to allow traffic from the SSL VPN to your internet-facing interface.

 

sw2090
Honored Contributor

This usually happens when you don't use split tunneling on your VPN. Without split tunneling all traffic will be routed through the VPN, because establishing the VPN in this case overwrites your default route.

This means that ALL traffic that does not match any other route on your client will use the new default route and hit the opposite end of your VPN. If there is then no policy that allows VPN clients to reach the internet, you will no longer have internet connectivity on your PC.

So either create such a policy or enable split tunneling.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Max2
New Contributor II

Thank you both for replying.

From what I understood, I should have access to the FortiGate configuration. Is this correct?

I can't do it as the VPN is managed by the company I'm working for.

 

Is there any setting I can do on my own pc to solve this issue?

sw2090
Honored Contributor

Hm, if your company admins will not configure split tunneling or an internet policy, you can only temporarily work around that by resetting your routing manually. This has to be done every time once the VPN is established.

You would then have to delete the default route and set a new one (its gateway can be looked up in the routing table when the VPN is not established). Then additionally set a route to your company subnet over the VPN.

Deleting the default route (and setting a new one) in Windows 10 might, however, require administrator privileges.

 


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Max2
New Contributor II

I have admin privileges on my pc, hence I could do what you suggested. But I don't know how ..

Could you tell me the steps to do it on Windows 10 or give me a link to examples/documentation?

As I wrote before, I've got no knowledge of configuring firewalls and net routes.

tio3udes
New Contributor III

Here's a link to show you how to manage the Windows routing table:

 

https://www.howtogeek.com/howto/windows/adding-a-tcpip-route-to-the-windows-routing-table/

ti03udes
sw2090
Honored Contributor

Open a cmd window with administrator privileges. You need them to add/delete routes later on.

Before you connect the VPN, execute a "route print" in there and look for the target "0.0.0.0" - this is your default route. Note down the IP in the column "gateway" there.

Connect the VPN and then execute "route print" in the cmd again. You should notice that the gateway (and interface) for the default route has changed. Also note down that gateway IP.

Then do a "route delete 0.0.0.0" (I think "route delete default" might do as well, but not sure).

Then do a "route add 0.0.0.0 MASK 0.0.0.0 <gateway ip you noted down before connecting vpn>"

At this point you should regain internet connectivity.

To still be able to reach your company servers you might have to analogously add a static route to the company subnet with the correct subnet mask and the gateway you noted after connecting the VPN.

You don't need to enter interface or metric here.

 


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Max2
New Contributor II

I have done everything and I added the static route in this way: "route add 0.0.0.0 MASK 0.0.0.0 10.200.102.120"

But this part, I didn't understand:

"To still be able to reach your company servers you might have to analogously add a static route to the company subnet with the correct subnet mask and the gateway you noted after connecting the VPN.

You don't need to enter interface or metric here."

Which command do I have to enter? Could you kindly show me?

 

 

sw2090
Honored Contributor

That depends on your company :)

As said, you should note down the default gateway before AND after connecting the VPN so you have the IP.

Then it would be "route add <yourcompanysubnet> MASK <subnetmask> <gateway ip after connecting the vpn>"


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
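
The "note down the gateway before and after" step from sw2090's answers, worked through as an added example that is not part of the thread: it reads two saved "route print" outputs, picks the 0.0.0.0 row with the lowest metric in each, and builds the three route commands quoted above. The sample outputs, the 10.10.0.0/255.255.0.0 company subnet and the function names are constructed for illustration.

```python
import re

# One row of the IPv4 "Active Routes" table from Windows "route print":
# Network Destination, Netmask, Gateway (IP or "On-link"), Interface, Metric.
IP = r"\d+(?:\.\d+){3}"
ROW = re.compile(rf"^\s*({IP})\s+({IP})\s+(\S+)\s+({IP})\s+(\d+)\s*$")

# Constructed sample captures (not from the thread): before and after connecting.
BEFORE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
"""
AFTER = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50   4250
          0.0.0.0          0.0.0.0   10.212.134.201  10.212.134.200      1
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
"""

def default_route(route_print_text):
    """Return (gateway, interface, metric) of the lowest-metric 0.0.0.0 route."""
    found = []
    for line in route_print_text.splitlines():
        m = ROW.match(line)
        if m and m.group(1) == m.group(2) == "0.0.0.0":
            found.append((int(m.group(5)), m.group(3), m.group(4)))
    if not found:
        raise ValueError("no 0.0.0.0 route in this output")
    metric, gateway, interface = min(found)  # the lowest metric is the route in use
    return gateway, interface, metric

def plan(before, after, company_subnet, company_mask):
    """Commands from the post, or [] if the VPN did not take over the default route."""
    old_gw, vpn_gw = default_route(before)[0], default_route(after)[0]
    if old_gw == vpn_gw:
        return []
    if "On-link" in (old_gw, vpn_gw):
        raise ValueError("default route has no gateway IP to note down")
    return [
        "route delete 0.0.0.0",
        f"route add 0.0.0.0 MASK 0.0.0.0 {old_gw}",
        f"route add {company_subnet} MASK {company_mask} {vpn_gw}",
    ]

if __name__ == "__main__":
    # 10.10.0.0/255.255.0.0 is a made-up company subnet; the real one comes from your admins.
    print("\n".join(plan(BEFORE, AFTER, "10.10.0.0", "255.255.0.0")))
```

An empty result means the default gateway is the same before and after connecting, so the VPN has not replaced the default route.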