Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

Interface Route - Next Hop Unknown

I'm setting up a FGT for our company to take on a "work retreat" where we'll plug the firewall into the host's network and all our clients will sit behind the firewall.  The firewall will get its WAN IP from DHCP and I'm configuring a tunnel from this to our head office, then tunneling all traffic from this remote site, routing everything out to the Internet via this tunnel.  This is a requirement to ensure all of these clients are hitting other resources with a known, trusted public IP address.

I've tested all of this in a lab environment with KVM FGT devices and all seems to work fine.  However, in my lab, all addresses were statically configured and to get the tunnel to function correctly, I had to add a more specific route on the "remote" firewall to the "head office" firewall outside IP address otherwise, once the tunnel interface was up it would then send traffic to this destination which would break the tunnel.  So my static routes are like this: via tunnel-interface via wan1 next-hop


So far, so good.  But...


The difference with the actual network will be that with the WAN IP and default gateway being assigned via DHCP, I don't know what the next-hop is going to be.  I figured I could add an interface route for this destination address and not define the next-hop and it would work it out from the DHCP assigned gateway on the same interface.  If I leave the next-hop blank in the GUI, it says invalid next-hop address.  If I use as the next-hop, the gui accepts this but it doesn't work - the routing table shows this as a directly connected route which is obviously not correct.


I gather I can't do an interface route without a defined next-hop on the WAN interface because it's not a point-to-point interface like the tunnel interface is.  I'm all out of ideas.  Is it possible to do what I want or is it going to come down to having to know what the next-hop is and then configuring a static route at that point?  I've also tried a policy route but couldn't get that to work either.


Any ideas? 



New Contributor III

I think I've worked it out.  This seems to work in the lab anyway and doesn't require any information about the WAN DHCP.


Instead of using a low cost default static route to send everything down the tunnel, I use a policy route so that only traffic that ingresses the internal interface is routed down the tunnel, whereas everything sourced from the firewall itself will just use the gateway assigned by DHCP.


Edit:  Cancel that.  I hadn't removed my static route that I'd previously configured.  As soon as I removed that I could see that no traffic was being sent down the tunnel.  Back to the drawing board...


New Contributor III

It seems policy route was the right idea but I hadn't executed it correctly.  This is the KB article that pointed me in the right direction -


My issue was highlighted in the first sentence of the solution - "Although a static route with a destination interface of a VPN tunnel does not require a gateway IP address, a policy route does."


I was trying to configure a policy route without defining a next hop and just sending it down the tunnel interface as that's how you do static tunnel routes.  However, even though it didn't complain it just didn't work.  Assigned an IP and remote IP to the tunnel interface and it just started working.


So, in summary: no static route on the tunnel, local and remote IP on the tunnel interface, policy route for via tunnel interface with remote IP as next hop.  This will tunnel all traffic from the local network down the tunnel to head office without affecting the route from the FGT itself to the head office firewall, which will allow the tunnel to stay up.
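The policy-route setup summarised in the post above, written out as FortiOS CLI. This is an added example, not configuration taken from the post or from Fortinet: the interface names (internal, to-HQ), the LAN subnet 192.168.1.0/24 and the tunnel addresses 10.10.10.1 / 10.10.10.2 are invented for illustration, and whether `set remote-ip` takes a netmask depends on the FortiOS version.

```fortios
# Added example, not the original poster's configuration. All addresses and
# interface names below are assumptions chosen for illustration.

# 1. Give the tunnel interface a local and a remote IP. A static route via the
#    tunnel would not need these, but a policy route needs a gateway to point at.
config system interface
    edit "to-HQ"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.2 255.255.255.255
    next
end

# 2. No static route on the tunnel. The firewall's own traffic, including the
#    IKE/ESP packets to the head-office peer, keeps using the default route that
#    wan1 learns from DHCP, so the tunnel stays up whatever the next hop turns
#    out to be on site.

# 3. Policy route: only traffic that enters from the LAN is sent down the tunnel,
#    with the tunnel's remote IP as the next hop.
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.1.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 10.10.10.2
        set output-device "to-HQ"
    next
end
```

To check it, `diagnose firewall proute list` shows the policy route, `get router info routing-table all` should show only the DHCP-learned default via wan1 (and no default via the tunnel), and `diagnose sniffer packet to-HQ` should show client traffic on the tunnel while IKE to the peer is still seen on wan1. Two things outside this box still have to be true for clients to get anywhere: the phase 2 selectors on both ends must accept the LAN subnet to 0.0.0.0/0, and head office needs a route back to the LAN subnet plus NAT for its Internet-bound traffic.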


I think what you need is:


config system interface
    edit wan1    (or whichever WAN port you're using)
        set mode dhcp
        set defaultgw disable
    next
end

config router static
    edit 0
        set dst PEER-PUBLIC-IP 255.255.255.255
        set device wan1
        set dynamic-gateway enable    <--- uses the gateway learned via DHCP on wan1
    next
    edit 0
        set device IPSEC-NAME    <--- dst left at its default of 0.0.0.0/0, i.e. the default route goes down the tunnel
    next
end





hm do you really want to blow away your head office's internet connection with all the internet traffic from your sites?

If you just want to hit services in head office you could do that either with static routing + policy to enable clients from the subnet on site to reach services/hosts at head office or (if your tunnel is IPSEC) by specifying this via phase2 selectors. Then you would route the internet traffic through the site's internet connection and only traffic to/from services/hosts at head office via the tunnel.


"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
