Hi all,
I'm testing a FWF30D on a customer network and noticed something a little weird, was hoping someone would know a workaround.
The company DHCP was giving out a default gateway that belonged to a different subnet than the IP address that clients receive.
For example, connecting the WAN port of the FWF30D to their network (configured to retrieve IP via DHCP) would give the following:
IP: 10.1.0.1
Subnet: 255.255.255.0
Default gateway: 10.2.0.1
Unfortunately the default route never gets populated in the 30D routing table, so I can't ping it from the 30D.
The Fortinet KB article here says that the only way a route will be populated in the routing table for a DHCP interface is if the default gateway is in the same subnet.
I'm wondering if there's a workaround for this restriction that anyone's aware of?
Side note: When I connect my laptop to the network I get the same IP addresses but am able to ping the default gateway (even though it's not on my interface's subnet). Upon further inspection I can see that the ARP entry for the default gateway gets pushed out to my laptop (I believe the customer is using proxy ARP for this).
This ARP entry for the default gateway doesn't get populated on the 30D. Even after I add the MAC manually, it still doesn't populate routing table.
edit:
Just tested configuring the WAN as a static IP and manually entering the default gateway. It still doesn't show up in the routing table, but I can see it as inactive in the routing database.
S 0.0.0.0/0 [1/0] via 10.2.0.1 wan inactive
You can look at proxy-arp but why would you publish a default route on another subnet? That makes no sense.
ken
PCNSE
NSE
StrongSwan
I agree. The whole point of routing is to connect broadcast domains at the edge to each other. Tricks with fake ARP replies are unnecessary and of course a security risk. The FGT does the right thing to refuse to take that DGW into the routing table.
You could make it work by widening the network mask to 255.128.0.0...wrong network design in the first place.
Yes, proxy ARP injection would lead to MITM or hijacked gateways. Just because other OSes allow this does not mean you should allow this on a security gateway.
just my 2 cts
PCNSE
NSE
StrongSwan
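The on-link rule the thread describes (a DHCP or static gateway is only installed as a route when it lies inside the interface's own subnet) and the mask-widening idea above, as an added example that is not from the original posts or from Fortinet: a small Python checker that applies the same test to a constructed lease with the thread's addresses, reports the route as active or inactive accordingly, and computes the narrowest mask that would make the gateway on-link. The function names and the lease dictionary are my own.

```python
import ipaddress

# Constructed lease using the values from the thread (not captured data).
OFFERED_LEASE = {"ip": "10.1.0.1", "netmask": "255.255.255.0", "gateway": "10.2.0.1"}


def gateway_is_on_link(ip: str, netmask: str, gateway: str) -> bool:
    """True when the gateway address falls inside the interface's subnet.

    This is the condition a router checks before installing a default route
    via that gateway; an off-link gateway only 'works' on hosts whose stack
    accepts a proxy-ARP reply for it."""
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    return ipaddress.IPv4Address(gateway) in iface.network


def minimal_mask_covering(ip: str, gateway: str) -> str:
    """Longest prefix whose network contains both addresses, i.e. the least
    widening of the mask that would put the gateway on-link. Returned in
    dotted-decimal form to match the lease."""
    a = int(ipaddress.IPv4Address(ip))
    b = int(ipaddress.IPv4Address(gateway))
    # Bits above the highest differing bit are shared; everything below it
    # must become host bits for both addresses to share one network.
    prefix = 32 - (a ^ b).bit_length()
    return str(ipaddress.IPv4Network((a, prefix), strict=False).netmask)


def assess_lease(lease: dict) -> dict:
    """Summarise whether the offered default route would be installed and
    what it would take (mask-wise) to make the gateway reachable on-link."""
    on_link = gateway_is_on_link(lease["ip"], lease["netmask"], lease["gateway"])
    return {
        "on_link": on_link,
        # Mirrors the 'active' / 'inactive' state shown in the routing database.
        "route_state": "active" if on_link else "inactive",
        "needs_proxy_arp": not on_link,
        "minimal_netmask": minimal_mask_covering(lease["ip"], lease["gateway"]),
    }


if __name__ == "__main__":
    result = assess_lease(OFFERED_LEASE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

For the thread's addresses the narrowest covering mask is 255.252.0.0 (/14); the 255.128.0.0 mask suggested above also covers both but pulls a far larger range onto the link.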
I totally agree! Unfortunately the local network admin at this customer has no say in their design. They're a global company where all the network design/config is done overseas. He didn't even realize they were on diff subnets until I pointed it out.
He wants to demo it on his network but I'm just going to put it in transparent mode to test out (less hassle). Thanks anyways guys!