_oisyn
New Contributor

Override Forticlient with local route

Hi!

 

There is a network conflict between my local network and my employer's. I use 10.0.0.0/24 locally, but unfortunately they map the entire 10.0.0.0/8 range even though in practice my home network doesn't really conflict with any subrange in the 10.0.0.0/8 space they actually use. Naturally Forticlient wants to route all 10.0.0.0/8 traffic over the VPN. This means I can't access local resources such as my printer or NAS whenever I'm connected to the VPN. I've already spoken to IT and there's not much they can really do about that, and I can very much sympathize with their reluctance to experiment with it in current times :).

 

However, I figured I should be able to solve the problem locally by adjusting the routing tables. Unfortunately that doesn't really seem to help. As if Forticlient overrides Windows' routing tables. There should be a way around this, right?

 

So, here's my routing table before I connect to the VPN:

Active Routes:
Network Destination Netmask Gateway Interface Metric
          0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.2 2
         10.0.0.0 255.255.255.0 On-link 10.0.0.2 257
         10.0.0.2 255.255.255.255 On-link 10.0.0.2 257
       10.0.0.255 255.255.255.255 On-link 10.0.0.2 257
        127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
        127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
  127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
     172.17.78.16 255.255.255.240 On-link 172.17.78.17 5256
     172.17.78.17 255.255.255.255 On-link 172.17.78.17 5256
     172.17.78.31 255.255.255.255 On-link 172.17.78.17 5256
        224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
        224.0.0.0 240.0.0.0 On-link 10.0.0.2 257
        224.0.0.0 240.0.0.0 On-link 172.17.78.17 5256
  255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
  255.255.255.255 255.255.255.255 On-link 10.0.0.2 257
  255.255.255.255 255.255.255.255 On-link 172.17.78.17 5256
===========================================================================
Persistent Routes:
  None

 

All pretty straightforward. The 172.x.y.z stuff is from a Hyper-V virtual NIC.

 

This is what I get when connecting to VPN.

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
          0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.2 2
         10.0.0.0 255.0.0.0 192.168.8.51 192.168.8.50 1
         10.0.0.0 255.255.255.0 On-link 10.0.0.2 257
         10.0.0.2 255.255.255.255 On-link 10.0.0.2 257
       10.0.0.255 255.255.255.255 On-link 10.0.0.2 257
      10.65.248.0 255.255.252.0 192.168.8.51 192.168.8.50 1
        127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
        127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
  127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
   145.131.208.98 255.255.255.255 10.0.0.1 10.0.0.2 1
     172.17.78.16 255.255.255.240 On-link 172.17.78.17 271
     172.17.78.17 255.255.255.255 On-link 172.17.78.17 271
     172.17.78.31 255.255.255.255 On-link 172.17.78.17 271
      192.168.6.0 255.255.255.0 192.168.8.51 192.168.8.50 1
      192.168.8.0 255.255.255.0 On-link 192.168.8.50 257
      192.168.8.1 255.255.255.255 192.168.8.51 192.168.8.50 1
     192.168.8.50 255.255.255.255 On-link 192.168.8.50 257
    192.168.8.255 255.255.255.255 On-link 192.168.8.50 257
        224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
        224.0.0.0 240.0.0.0 On-link 192.168.8.50 257
        224.0.0.0 240.0.0.0 On-link 10.0.0.2 257
        224.0.0.0 240.0.0.0 On-link 172.17.78.17 271
  255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
  255.255.255.255 255.255.255.255 On-link 192.168.8.50 257
  255.255.255.255 255.255.255.255 On-link 10.0.0.2 257
  255.255.255.255 255.255.255.255 On-link 172.17.78.17 271
===========================================================================
Persistent Routes:
  None

 

So my local VPN ip is 192.168.8.50 and it uses 192.168.8.51 as the gateway. Furthermore, we can see that it has inserted (among other things) a 10.0.0.0/8 route with lowest metric to route over the VPN gateway. You can see there's also a rule in there for 10.65.248.0/10. This happens to be our local office (which is part of a bigger network) and the only part I'm interested in accessing. My work PC is in that range and if I'm able to connect to it using remote desktop I'll be a happy camper.

 

I've talked to IT about this extra rule that seems redundant, given that they already route the entire 10.0.0.0/8, but I guess it just makes my task a bit easier :). I just need to delete the 10.0.0.0/8 route and I should be good to go, right?

 

I go

route delete 10.0.0.0 mask 255.0.0.0

And I end up with this:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
          0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.2 2
         10.0.0.0 255.255.255.0 On-link 10.0.0.2 257
         10.0.0.2 255.255.255.255 On-link 10.0.0.2 257
       10.0.0.255 255.255.255.255 On-link 10.0.0.2 257
      10.65.248.0 255.255.252.0 192.168.8.51 192.168.8.50 1
        127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
        127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
  127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
   145.131.208.98 255.255.255.255 10.0.0.1 10.0.0.2 1
     172.17.78.16 255.255.255.240 On-link 172.17.78.17 5256
     172.17.78.17 255.255.255.255 On-link 172.17.78.17 5256
     172.17.78.31 255.255.255.255 On-link 172.17.78.17 5256
      192.168.6.0 255.255.255.0 192.168.8.51 192.168.8.50 1
      192.168.8.0 255.255.255.0 On-link 192.168.8.50 257
      192.168.8.1 255.255.255.255 192.168.8.51 192.168.8.50 1
     192.168.8.50 255.255.255.255 On-link 192.168.8.50 257
    192.168.8.255 255.255.255.255 On-link 192.168.8.50 257
        224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
        224.0.0.0 240.0.0.0 On-link 192.168.8.50 257
        224.0.0.0 240.0.0.0 On-link 10.0.0.2 257
        224.0.0.0 240.0.0.0 On-link 172.17.78.17 5256
  255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
  255.255.255.255 255.255.255.255 On-link 192.168.8.50 257
  255.255.255.255 255.255.255.255 On-link 10.0.0.2 257
  255.255.255.255 255.255.255.255 On-link 172.17.78.17 5256
===========================================================================
Persistent Routes:
  None

 

Perfect! 10.0.0.0/24 seems to be on-link, and 10.65.248.0/10 is still routed over VPN. But alas... Pinging my NAS at 10.0.0.14 still yields "Request timed out". Interestingly, a tracert gives nothing either:

Tracing route to 10.0.0.14 over a maximum of 30 hops
  1 * * * Request timed out.
  2 * * * Request timed out.
  3 * * * Request timed out.
  4 * * * Request timed out.

 

This struck me as a bit odd; I would expect at least a VPN hop in there if it still routed it over the VPN. Restoring the routing table by disconnecting and reconnecting to the VPN, so the 10.0.0.0/8 rule exists, I tried it again.

Tracing route to 10.0.0.14 over a maximum of 4 hops
  1 * * * Request timed out.
  2 * * * Request timed out.
  3 * * * Request timed out.
  4 * * * Request timed out.

Still no VPN hop. Let's test 10.0.1.1:

Tracing route to 10.0.1.1 over a maximum of 30 hops
  1 * 4 ms 4 ms 192.168.8.1
  2 * * * Request timed out.
  3 * * * Request timed out.
  4 * * * Request timed out.

 

Ok this is just weird. It does route 10.0.1.1, but not 10.0.0.14. The routing table is apparently only just part of the story. Where on earth is 10.0.0.14 going then? Interestingly, where would 10.0.1.1 go if I delete the 10.0.0.0/8 route?

 

Tracing route to 10.0.1.1 over a maximum of 4 hops
  1 * * * Request timed out.
  2 * * * Request timed out.
  3 * * * Request timed out.
  4 * * * Request timed out.

Also nowhere. Forticlient seems to block all local traffic below the VPN layer (obviously above the VPN layer it still works, as it needs to route its own traffic through my router).

 

How can I solve this issue?

2 REPLIES
Toshi_Esumi
SuperUser
SuperUser

I don't think it's a routing issue because your local subnet is /24. It shouldn't conflict with the /8.

I'm not sure what version of Forticlient you're using (6.0, 6.2, older, or full version; 6.2 VPN only) and if IPsec dialup or SSL VPN. The link below might be needed to access LAN devices.

https://forum.fortinet.com/tm.aspx?m=132103
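To check the "no routing conflict" point against the poster's own table, here is an added example (not code from either participant or from Fortinet) that walks a trimmed copy of the connected-to-VPN route table using the rule Windows applies: longest matching prefix first, lowest metric only as a tie-break. It shows that 10.0.0.14 already selects the on-link 10.0.0.0/24 entry even with the 10.0.0.0/8 VPN route present, so the timeouts cannot be explained by the route table alone. Only the six rows needed for the lookups are copied from the post.

```python
"""Longest-prefix-match walk over the route table posted above (added example)."""
import ipaddress

# Rows copied from the 'connected to VPN' table in the post, same column order:
# Network Destination, Netmask, Gateway, Interface, Metric. Other rows are omitted
# because they never match the addresses looked up below.
VPN_ROUTES = """
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.2 2
10.0.0.0 255.0.0.0 192.168.8.51 192.168.8.50 1
10.0.0.0 255.255.255.0 On-link 10.0.0.2 257
10.0.0.2 255.255.255.255 On-link 10.0.0.2 257
10.65.248.0 255.255.252.0 192.168.8.51 192.168.8.50 1
192.168.8.0 255.255.255.0 On-link 192.168.8.50 257
"""


def parse_routes(text):
    """Turn 'route print' style rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gateway, iface, metric = line.split()
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Select the route Windows would use: longest prefix wins, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r[0]]
    net, gateway, iface, _metric = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return f"{net.with_prefixlen} via {gateway} on {iface}"


def without(routes, cidr):
    """Return the table with one destination removed, like 'route delete' does."""
    gone = ipaddress.IPv4Network(cidr)
    return [r for r in routes if r[0] != gone]


if __name__ == "__main__":
    table = parse_routes(VPN_ROUTES)
    for dst in ("10.0.0.14", "10.0.1.1", "10.65.248.5"):
        print(f"{dst:>12} with /8 route:    {lookup(table, dst)}")
        print(f"{dst:>12} after route delete: {lookup(without(table, '10.0.0.0/8'), dst)}")
```

Because the /24 on-link entry is more specific than the /8, the NAS address never selected the VPN gateway in the first place; the loss of local traffic is enforced by the FortiClient driver below the routing layer, which is what the enable_local_lan setting controls.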

_oisyn

Thanks Toshi, setting enable_local_lan to 1 in the config indeed did the trick!
