Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Dynamic gateway on Policy-based routing?

Hi all,


I have a broadband(PPPoE) installed for the Guest VLAN.

And I would like to set a policy-based routing for the Guest VLAN default gateway.

But I found that I can't set the gateway as a dynamic gateway(from PPPoE).

Is there any solution to do the same thing?



I don't understand what you are saying. The PPPoE is on WAN side, and the Guest VLAN is on LAN side. Why does the VLAN clients' GW needs to be dynamic?


I have two WAN connections(1 Fixed IP connection and 1 PPPoE connection) for Staff and guests.


Staff network(Default van no tag) Guest network(Guest VLAN tag 100 -


So I have to set 2 default routes in the Fortigate.

The gateway of the fixed IP connection will be the first priority default route(smallest Administrative Distance). For the second default route, if I set this via static route, I can simply select "Dynamic gateway" to let Fortigate get the gateway IP via PPPoE.

But it makes the second WAN become a redundant WAN but not a WAN for the guest VLAN.


Then, I tried to set a policy-based route as per below:


It makes all guests have internet access via the Guest wan(PPPoE).

But the problem is that the gateway may be changed.


Therefore, I am looking for a solution to set the gateway address to be a dynamic address(from PPPoE).



There are two issues you need to address.

1. you need to have two default routes on the routing table to have two groups of users to use separate wan interfaces/default routes.  For that, you can't use different admin distances/costs for the wan interfaces/default routes. You need to use "priority" on static default routes. A smaller number has a higher priority.

To do this, you need to disable default route injection on the PPPoE interface. You might need to use CLI.

   set defaultgw diable

2. you now can use a policy-route to direct Guest users toward the secondary wan while all others use the primary wan.


Or better yet, put them in SD-WAN and you can control which one to use based on rules more granularly.

Top Kudoed Authors