Hi, everyone. As described, Virtual IP uses ARP proxy to let hosts know the MAC address they should send frames to. Also, there are a lot of examples of how to do DNAT with a Virtual IP for a web server in a DMZ, but we have a different task. We have a lot of Windows clients that are configured as shown below:
ip = 192.168.1.x
default gateway = 10.17.208.254 (ISP)
DNS = 10.17.208.254 (ISP)
Because the default gateway is from a different subnet than the IP, there is another IP from the 10.0.0.0 subnet configured on the same interface. The ISP's network and the local network are in one collision domain.
If we set up the FortiGate, we break the internet connection for not-yet-configured clients, so we would like to use ARP proxy on a temporary basis until all clients are configured properly.
We have the configuration below:
LAN network (192.168.1.x) -> (LAN1 = 192.168.1.99) - FortiGate FD 60e (WAN1=10.17.208.7) -> (10.17.208.254) ISP
So, is it possible to configure the FortiGate so that it simultaneously serves the clients:
- that have the old configuration with the ISP's 10.17.208.254 default gateway
- that would have the new configuration with default gateway = 192.168.1.99
We accomplished the second without any problem, but for the first we are missing something. We configured a virtual IP and we see that the FortiGate properly returns the MAC of the LAN1 interface to clients that ask for 10.17.208.254, but then the traffic is not routed.
I assume we didn't configure the firewall policy properly, but we would like to know whether that is possible at all.
Any advice please?