Hi!
There is a network conflict between my local network and my employer's. I use 10.0.0.0/24 locally, but unfortunately they map the entire 10.0.0.0/8 range even though in practice my home network doesn't really conflict with any subrange in the 10.0.0.0/8 space they actually use. Naturally Forticlient wants to route all 10.0.0.0/8 traffic over the VPN. This means I can't access local resources such as my printer or NAS whenever I'm connected to the VPN. I've alreay spoken to IT and there's not much they can really do about that, and I can very much sympathize with their reluctance to experiment with it in current times :).
However, I figured I should be able to solve the problem locally by adjusting the routing tables. Unfortunately that doesn't really seem to help. As if Forticlient overrides Windows' routing tables. There should be a way around this, right?
So, here's my routing table before I connect to the VPN:
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.2 2
10.0.0.0 255.255.255.0 On-link 10.0.0.2 257
10.0.0.2 255.255.255.255 On-link 10.0.0.2 257
10.0.0.255 255.255.255.255 On-link 10.0.0.2 257
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
172.17.78.16 255.255.255.240 On-link 172.17.78.17 5256
172.17.78.17 255.255.255.255 On-link 172.17.78.17 5256
172.17.78.31 255.255.255.255 On-link 172.17.78.17 5256
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 10.0.0.2 257
224.0.0.0 240.0.0.0 On-link 172.17.78.17 5256
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 10.0.0.2 257
255.255.255.255 255.255.255.255 On-link 172.17.78.17 5256
===========================================================================
Persistent Routes:
None
All pretty straight forward. The 172.x.y.z stuff is from a Hyper-V virtual NIC.
This is what I get when connecting to VPN.
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.2 2
10.0.0.0 255.0.0.0 192.168.8.51 192.168.8.50 1
10.0.0.0 255.255.255.0 On-link 10.0.0.2 257
10.0.0.2 255.255.255.255 On-link 10.0.0.2 257
10.0.0.255 255.255.255.255 On-link 10.0.0.2 257
10.65.248.0 255.255.252.0 192.168.8.51 192.168.8.50 1
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
145.131.208.98 255.255.255.255 10.0.0.1 10.0.0.2 1
172.17.78.16 255.255.255.240 On-link 172.17.78.17 271
172.17.78.17 255.255.255.255 On-link 172.17.78.17 271
172.17.78.31 255.255.255.255 On-link 172.17.78.17 271
192.168.6.0 255.255.255.0 192.168.8.51 192.168.8.50 1
192.168.8.0 255.255.255.0 On-link 192.168.8.50 257
192.168.8.1 255.255.255.255 192.168.8.51 192.168.8.50 1
192.168.8.50 255.255.255.255 On-link 192.168.8.50 257
192.168.8.255 255.255.255.255 On-link 192.168.8.50 257
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.8.50 257
224.0.0.0 240.0.0.0 On-link 10.0.0.2 257
224.0.0.0 240.0.0.0 On-link 172.17.78.17 271
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.8.50 257
255.255.255.255 255.255.255.255 On-link 10.0.0.2 257
255.255.255.255 255.255.255.255 On-link 172.17.78.17 271
===========================================================================
Persistent Routes:
None
So my local VPN ip is 192.168.8.50 and it uses 192.168.8.51 as the gateway. Furthermore, we can see that it has inserted (among other things) a 10.0.0.0/8 route with lowest metric to route over the VPN gateway. You can see there's also a rule in there for 10.65.248.0/10. This happens to be our local office (which is part of a bigger network) and the only part I'm interested in accessing. My work PC is in that range and if I'm able to connect to it using remote desktop I'll be a happy camper.
I've talked to IT about this extra rule that seems redundant, given that they already route the entire 10.0.0.0/8, but I guess it just makes my task a bit easier :). I just need to delete the 10.0.0.0/8 route and I should be good to go, right?
I go
route delete 10.0.0.0 mask 255.0.0.0
And I end up with this:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.2 2
10.0.0.0 255.255.255.0 On-link 10.0.0.2 257
10.0.0.2 255.255.255.255 On-link 10.0.0.2 257
10.0.0.255 255.255.255.255 On-link 10.0.0.2 257
10.65.248.0 255.255.252.0 192.168.8.51 192.168.8.50 1
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
145.131.208.98 255.255.255.255 10.0.0.1 10.0.0.2 1
172.17.78.16 255.255.255.240 On-link 172.17.78.17 5256
172.17.78.17 255.255.255.255 On-link 172.17.78.17 5256
172.17.78.31 255.255.255.255 On-link 172.17.78.17 5256
192.168.6.0 255.255.255.0 192.168.8.51 192.168.8.50 1
192.168.8.0 255.255.255.0 On-link 192.168.8.50 257
192.168.8.1 255.255.255.255 192.168.8.51 192.168.8.50 1
192.168.8.50 255.255.255.255 On-link 192.168.8.50 257
192.168.8.255 255.255.255.255 On-link 192.168.8.50 257
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.8.50 257
224.0.0.0 240.0.0.0 On-link 10.0.0.2 257
224.0.0.0 240.0.0.0 On-link 172.17.78.17 5256
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.8.50 257
255.255.255.255 255.255.255.255 On-link 10.0.0.2 257
255.255.255.255 255.255.255.255 On-link 172.17.78.17 5256
===========================================================================
Persistent Routes:
None
Perfect! 10.0.0.0/24 seems to be on-link, and 10.65.248.0/10 is still routed over VPN. But alas... Pinging my NAS at 10.0.0.14 still yields "Request timed out". Interestingly, a tracert gives nothing either:
Tracing route to 10.0.0.14 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
This struck me as a bit odd, I would expect at least a VPN hop in there, if it still routed it over the VPN. Restoring the routing table by disconnecting and reconnecting to the VPN, so the 10.0.0.0/8 rule exists, I tried it again.
Tracing route to 10.0.0.14 over a maximum of 4 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
Still no VPN hop. Let's test 10.0.1.1:
Tracing route to 10.0.1.1 over a maximum of 30 hops
1 * 4 ms 4 ms 192.168.8.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
Ok this is just weird. It does route 10.0.1.1, but not 10.0.0.14. The routing table is apparently only just part of the story. Where on earth is 10.0.0.14 going then? Interestingly, where would 10.0.1.1 go if I delete the 10.0.0.0/8 route?
Tracing route to 10.0.1.1 over a maximum of 4 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
Also nowhere. Forticlient seems to block all local traffic below the VPN layer (obviously above the VPN layer it still works as it needs to route its own traffic through my router)
How can I solve this issue?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I don't think a routing issue because your local subnet is /24. Shouldn't conflict with the /8.
I'm not sure what version of Forticlient you're using (6.0, 6.2, older. or full version, 6.2 VPN only) and if IPsec dialup or SSL VPN. Below might be needed to access LAN devices.
[link]https://forum.fortinet.com/tm.aspx?m=132103[/link]
I don't think a routing issue because your local subnet is /24. Shouldn't conflict with the /8.
I'm not sure what version of Forticlient you're using (6.0, 6.2, older. or full version, 6.2 VPN only) and if IPsec dialup or SSL VPN. Below might be needed to access LAN devices.
[link]https://forum.fortinet.com/tm.aspx?m=132103[/link]
Thanks Toshi, setting enable_local_lan to 1 in the config indeed did the trick!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1105 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.