Support Forum
torenhof
New Contributor

Default route outside of interfaces configured on Fortigate

Hello,

According to this document: http://kb.fortinet.com/kb/documentLink.do?externalID=FD36417

you cannot configure a (default) route using a next hop which is outside of any interfaces on a FGT.

On a Windows client it's simple, you only get a warning that the default gateway is not in the same network segment, but you can continue and traffic is flowing.

Isn't there any possible way to get this solved?

Let's say by configuring a static ARP on the Fortigate, or on the Switch/router?

Regards,

Gerrit

rwpatterson
Valued Contributor III

Before I even attempt an answer for this, why would you want to do that?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

torenhof

The situation at the customer is as follows:

You have a public ISP router with i.e. the following config:

(I have changed the public IPs)

There are 2 IP packs being routed to this ISP router:

1.1.1.0/30

2.2.2.0/29

The secondary IP pack has no config on the ISP router.

Public IP ISP router: 1.1.1.1/30

Secondary IP pack that is being routed through 1.1.1.1/30 = 2.2.2.0/29

The Fortigate WAN has a public IP: 2.2.2.1/29

So it would need to use 1.1.1.1, the ISP router, as its default gateway.

In the /30 subnet we cannot use an IP: one is in use for the ISP router, the other one is for an MPLS router.

It's possible to do this setup with a regular Windows client.

You can configure an IP 2.2.2.1/29 on a NIC and point its default gateway to 1.1.1.1/30; it has access to the Internet.

Hope this clarifies the config a bit.

Regards,

Gerrit

rwpatterson
Valued Contributor III

First of all, I haven't ever seen a Windows workstation route successfully to the Internet with an incorrect gateway. Yes, traffic will still flow to local resources on the same LAN, but after that, the workstation is dead in the water. The Fortigate will work the same way. All it needs to know is where the next hop is to send any traffic not local to itself. If you (could) specify a network off of its attached interfaces, it will have no clue where to send the default traffic because those remote networks will be unknown to it. Traffic will just die. Grab a basic networking book and browse through it. The Internet is based on next hop, not two or three gateways away. If everyone knows who their peer is to send the unknown traffic, then Internet life is good.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ede_pfau
Esteemed Contributor III

No way this way around.

The 1.1.1.1/30 is just too small to accommodate another router. You cannot have 3 devices in a 2-device address space. Full stop.

Assign 1.1.1.2 to the FGT wan port. Default route on the FGT is 1.1.1.1.

Assign any 2.2.2.x to the MPLS router and give it a default route to 1.1.1.2.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Toshi_Esumi
Esteemed Contributor II

The way your ISP provides the public subnets is very common; we do the same for our customers too. Technically the /30 subnet is just for the interface between your device (FG) and the ISP's router (1.1.1.1 on the ISP side, 1.1.1.2 for the FG WAN IP). Then the ISP route is configured to deliver the /29 subnet toward 1.1.1.2. So if the device that has 1.1.1.2 is a FW like the FG, you can use the /29 as a routable subnet by assigning it to an inside interface of the FW (or you might want to split it into two /30s for two different interfaces), or you can break it up into 8 /32s and use each in VIPs.

Again, the FG WAN IP has to be 1.1.1.2.
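To make the on-link rule from the KB article, Ede's corrected layout, and Toshi's "split the /29" suggestion concrete, here is an added Python example. It is not code from the thread or from Fortinet; it models the check a FortiGate applies to a static route's gateway (the gateway must fall inside the connected subnet of some interface), builds the resulting routing table, and resolves a destination by longest-prefix match. The addresses are the ones quoted in the thread; the interface names "wan1" and "internal" and the destination 203.0.113.10 are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# The 1.1.1.x / 2.2.2.x addresses are the ones quoted in the thread (the poster
# said they were changed from the real public IPs). Interface names "wan1" and
# "internal" are assumed for illustration and are not from the thread.


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected
    device: str


def connected_routes(interfaces: Dict[str, str]) -> List[Route]:
    """One connected route per interface, derived from its address/mask."""
    return [Route(ipaddress.ip_interface(cidr).network, None, name)
            for name, cidr in interfaces.items()]


def on_link_interface(interfaces: Dict[str, str], gateway: str) -> Optional[str]:
    """Name of the interface whose connected subnet contains `gateway`, or None.

    This is the rule the KB article cited in the thread describes: a static
    route is accepted only if its gateway is on-link on some interface."""
    gw = ipaddress.ip_address(gateway)
    for r in connected_routes(interfaces):
        if gw in r.prefix:
            return r.device
    return None


def add_static_route(interfaces: Dict[str, str], prefix: str, gateway: str) -> Route:
    """Build a static route, refusing it when the gateway is not on-link."""
    device = on_link_interface(interfaces, gateway)
    if device is None:
        raise ValueError(f"gateway {gateway} is not inside any interface subnet")
    return Route(ipaddress.ip_network(prefix), ipaddress.ip_address(gateway), device)


def build_fortigate_table(interfaces: Dict[str, str], default_gateway: str) -> List[Route]:
    """Connected routes plus a default route via `default_gateway`."""
    return connected_routes(interfaces) + [
        add_static_route(interfaces, "0.0.0.0/0", default_gateway)]


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match over the table, as a router resolves a packet."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def split_block(cidr: str, new_prefix: int) -> List[str]:
    """Carve a routed block into smaller subnets (two /30s or eight /32s for a /29)."""
    return [str(n) for n in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    # The poster's original layout: WAN carries 2.2.2.1/29, so 1.1.1.1 is off-link.
    original = {"wan1": "2.2.2.1/29"}
    print("original layout, on-link interface for 1.1.1.1:",
          on_link_interface(original, "1.1.1.1"))

    # The layout Ede and Toshi describe: the /30 on the WAN, the /29 inside.
    corrected = {"wan1": "1.1.1.2/30", "internal": "2.2.2.1/29"}
    table = build_fortigate_table(corrected, "1.1.1.1")
    for r in table:
        print(f"  {r.prefix!s:<14} via {str(r.gateway or 'connected'):<10} dev {r.device}")

    # 203.0.113.10 is a constructed Internet destination (TEST-NET-3 range).
    print("203.0.113.10 ->", lookup(table, "203.0.113.10"))
    print("2.2.2.5      ->", lookup(table, "2.2.2.5"))
    print("/29 as two /30s:", split_block("2.2.2.0/29", 30))
    print("/29 as /32s:    ", split_block("2.2.2.0/29", 32))
```

Running it shows the original layout yields no on-link interface for 1.1.1.1 (the route would be refused), while the corrected layout accepts the default route on wan1, sends Internet traffic via 1.1.1.1, and delivers 2.2.2.x directly on the inside interface; the last two lines show the /29 carved into the /30s or /32s Toshi mentions.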