Hello,
According to this document: http://kb.fortinet.com/kb/documentLink.do?externalID=FD36417
you cannot configure a (default) route using a next hop which is outside the subnet of any interface on a FGT.
On a Windows client it's simple, you only get a warning that the default gateway is not in the same network segment, but you can continue and traffic is flowing.
Isn't there any possible way to get this solved?
Let's say by configuring a static ARP on the Fortigate, or on the Switch/router?
Regards,
Gerrit
Before I even attempt an answer for this, why would you want to do that?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
The situation at the customer is as follows:
You have a public ISP router with, e.g., the following config:
(I have changed the public IPs)
There are 2 IP packs being routed to this ISP router:
1.1.1.0/30
2.2.2.0/29
The secondary IP pack has no config on the ISP router.
Public IP ISP router: 1.1.1.1/30
Secondary IP pack that is being routed through: 1.1.1.1/30 = 2.2.2.0/29
The Fortigate WAN has a Public IP: 2.2.2.1/29
So it would need to use 1.1.1.1, the ISP router, as its default gateway.
In the /30 subnet we cannot use an IP: one is in use for the ISP router, the other one is for an MPLS router.
It's possible to do this setup with a regular windows client.
You can configure an IP on a NIC, 2.2.2.1/29, and point its default gateway to 1.1.1.1/30; it has access to the Internet.
Hope this clarifies the config a bit.
Regards,
Gerrit
First of all, I haven't ever seen a Windows workstation route successfully to the Internet with an incorrect gateway. Yes, traffic will still flow to local resources on the same LAN, but after that, the workstation is dead in the water. The Fortigate will work the same way. All it needs to know is where the next hop is to send any traffic not local to itself. If you (could) specify a network off its attached interfaces, it will have no clue where to send the default traffic because those remote networks will be unknown to it. Traffic will just die. Grab a basic networking book and browse through it. The Internet is based on next hop, not two or three gateways away. If everyone knows who their peer is to send the unknown traffic to, then Internet life is good.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
No way this way around.
The 1.1.1.1/30 is just too small to accommodate another router. You cannot have 3 devices in a 2-device address space. Full stop.
Assign 1.1.1.2 to the FGT wan port. Default route on the FGT is 1.1.1.1.
Assign any 2.2.2.x to the MPLS router and give it a default route to 1.1.1.2.
The way your ISP provides the public subnets is very common; we do it for our customers too. Technically the /30 subnet is just for the interface between your device (FG) and the ISP's router (1.1.1.1 for the ISP side, 1.1.1.2 for the FG WAN IP). Then the ISP's route is configured to deliver the /29 subnet toward 1.1.1.2. So if the device that has 1.1.1.2 is a FW like an FG, you can use the /29 as a routable subnet by assigning it to an inside interface of the FW (or you might want to split it into two /30s for two different interfaces), or you can break it up into 8 /32s and use each in VIPs.
Again, the FG WAN IP has to be 1.1.1.2.
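The design described in the two replies above, written out as a FortiOS CLI config fragment. This is an added example, not config posted by anyone in the thread: the interface names "wan1" and "internal", the mapped host 192.168.1.10 and the VIP name are assumptions; the addresses are the sanitized ones from the original post. The point it demonstrates is that the default route's gateway (1.1.1.1) sits inside the subnet configured on the interface it is bound to (1.1.1.2/30 on wan1), which is exactly what the KB article linked at the top requires. A WAN IP of 2.2.2.1/29 with "set gateway 1.1.1.1" would not satisfy that check and is the configuration the original poster could not get accepted.

```fortios
# Point-to-point /30 toward the ISP: 1.1.1.1 is the ISP router, 1.1.1.2 is the FGT.
config system interface
    edit "wan1"
        set mode static
        set ip 1.1.1.2 255.255.255.252
        set allowaccess ping
    next
    # Option A: use the whole routed /29 on an inside interface.
    edit "internal"
        set mode static
        set ip 2.2.2.1 255.255.255.248
        set allowaccess ping https ssh
    next
end

# Default route. The gateway 1.1.1.1 is on-link for wan1 (inside 1.1.1.0/30),
# so the FGT accepts it. Binding "device" to wan1 is what makes the next hop resolvable.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 1.1.1.1
        set device "wan1"
    next
end

# Option B (instead of, or in addition to, putting the /29 on "internal"):
# carve the routed /29 into /32 VIPs on wan1. The ISP already forwards
# 2.2.2.0/29 to 1.1.1.2, so the FGT answers for 2.2.2.2 without owning
# the address on any interface. 192.168.1.10 is an assumed internal host.
config firewall vip
    edit "vip-2.2.2.2-web"
        set extip 2.2.2.2
        set extintf "wan1"
        set mappedip "192.168.1.10"
    next
end
```

To confirm the route was accepted and resolves, use "get router info routing-table all" (the default route should show gateway 1.1.1.1 via wan1) and "diagnose ip arp list" to see the ARP entry for 1.1.1.1 on wan1. A VIP on its own does not pass traffic; a firewall policy from wan1 to the inside interface that references the VIP as its destination is still needed, and the MPLS router that was contending for the /30 takes an address out of 2.2.2.0/29 with 1.1.1.2 as its default route, as the reply above suggests.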