Cable Modem, Firewall, Unmanaged Switch, Different Subnet

Hello EE,

I am probably going to mess this question up, but, I'm pulling my hair out trying to get this to work.  So, here goes!

Cable Modem (10.1.15.X)
- Subnet
- Gateway

Firewall (Fortinet 80C)
- Static Routes:
      -                GW:      WAN1
      -            GW:      WAN1
      -            GW:      Internal LAN

Routing Monitor
      - Static            GW:      WAN1
      - Connected            GW:            Internal LAN
      - Connected            GW:            WAN1

IP/Netmask (Address)
      - Internal Subnet            Any Interface
      - WAN1 Port              WAN1

Local Domain (10.1.17.X)
- Subnet
- Gateway

Here’s what I’m trying to accomplish:

I would like to have one PC work on both subnets.  For example, on the LAN I want to be able to access network resources (file servers, printers) but also, utilize a faster cable modem for internet access.

I’ve setup my NIC to utilize two IP addressing schemes.

Local Domain IP Addressing Scheme (static):
- IP
- Subnet
- GW
      Comcast IP Addressing Scheme (static):
- IP
- Subnet
- GW

Now, when I try and tracert a server on our domain (e.g. server61) the tracert goes out through the Comcast Modem (

When I try and tracert it does the same thing.

If I switch the order of the Gateways in TCP/IP settings of NIC card, server61 goes through the gateway, but then when I tracert, it also goes through that same gateway (  Since that gateway is designed to utilize an MPLS connect to an overseas centralized network, I can’t be sending internet traffic through this connection.

As it stands, I have four clocks that reside on the Comcast Modem and are communicating with a server at the vendor’s location just fine.  But that setup is going directly through the switch (Linksys SR2024 – Unmanaged) and out the cable modem.  I want to put those four clocks behind the firewall as well as the PC I mentioned earlier.

Part of my frustration has to do with the firewall needing both the LAN port and WAN port to be on two different subnets.  That’s why I went with 10.1.15.X for the Comcast LAN connection, and for the LAN port on the firewall.  Obviously I can’t utilize an IP address from our domain as these two subnets need to stay separated.

So, anyone have any ideas?  I’m sure I’ve missed something I could have added to this post, so any further questions will be answered ASAP!  I’ve attached a diagram…it shows how I created a VLAN to support the clocks running across our LAN.  The clocks have static IP addresses (10.1.15.X) and the Comcast Modem has DHCP turned off.

Thanks for taking the time to look at this and I hope to hear from you soon!


Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Todd GerbertIT ConsultantCommented:
Your system can have only one active default gateway - you need for you default gateway to be the firewall and to manually add routes for everything that's in the MPLS cloud.
BHTNAuthor Commented:
Hi tgerbert,

If that is the case, then why can you manually add as many default gateways as you want within the TCP/IP settings?  I mean what's the point of that option?  

Todd GerbertIT ConsultantCommented:
It's somewhat counter-intuitive, I know.  What happens is more than one gateway route is added to your systems routing table, but additional routes have a higher "metric" and only the available route with the lowest metric is used. If your current default gateway should become unavailable for some reason, your system would simply go up the list to the one with the next-highest metric.
I know that by default wired NIC's have a lower metric than wireless ones, but other than that I'm not sure how Windows decides which one should be used.
The gateway that you want your internet traffic to go through should be your default route, don't set a gateway on the other interface.
Then you need to add routes to direct MPLS-destined traffic through the appropriate router - you'd probably want to add those routes to the firewall, but you could add them to your system as well.
I'm not familiar with your firewall, but if you wanted to add the routes on your system you can use the "route" command - so, for example, if through are on the MPLS cloud, you could use the command (the -p option makes it permanent, otherwise it's only good until reboot)
route -p add mask

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Angular Fundamentals

Learn the fundamentals of Angular 2, a JavaScript framework for developing dynamic single page applications.

BHTNAuthor Commented:
Well tgerbert, here's what I did...

I statically assigned IP address info to each clock

I added a static route to my Comcast Firewall (Fortinet Firewall) that represented the domain gateway.

Since adding that static route, the clocks started showing up in my IP scanner and after physically checking them to ensure they would accept card punches, they were good to go!  I can't ping them from any PC on the domain LAN, but with the PC that I have configured for both default gateways, I am able to ping the clocks, domain network resources and outside internet IP addresses all going through their appropriate Gateways.

I think I got it now.  Thanks for your help and I hope I can keep it all together!

BHTNAuthor Commented:
I was able to utilize some of the information provided by tgerbert and combine that with some trial and error on my part.  
BHTNAuthor Commented:
Dang it tgerbert,

Looks like I jumped the that I'm testing again, domain resources that I ran a tracert on are still going out the comcast modem vs. the MPLS.  You were right of course.  Is there any way for me to set both gateways so that if traffic hits the comcast modem and the hostname or IP address is not available it would fail over to the domain MPLS gateway?  We used to have it setup that way but that was a while ago.

Thanks again for your help and if you have any additional comments, please feel free :)

Todd GerbertIT ConsultantCommented:
Well, here's the thing...the device (whether it's your computer or the router) has no knowledge of connections destined for the Internet, vs. for your private network, vs. for your local lan; it just knows it needs to send a packet to address Then it consults the routing table - if 1.2.3.x is your local network there will be an entry in the routing table saying "traffic for 1.2.3.x goes out interface A" If you send a packet to, then there will be no matching route in the routing table - so the device will send it via the default gateway.
Your firewall has no way to distinguish MPLS-bound traffic from Internet-bound traffic, unless you tell it how. So, for your PC that exists on both subnets - it will have a default gateway of the Comcast firewall; then you must manually add a route on your PC for every IP subnet that exists in the MPLS cloud so that it will send domain-related traffic out That way any connection for the MPLS resources (so long as you've added their routes) will go out the MPLS router, but any other traffic (i.e. Internet) will go out the Comcast modem.
BHTNAuthor Commented:
Hey tgerbert,

Thanks for that explanation...makes more sense today since I had a chance to sleep :)
So as far as adding the domain-related traffic IP subnets to my PC...when that is complete, would the Comcast modem be like a "last resort" gateway in the event that traffic initially sent to the domain gateway was not destined for that network?

Finally, and I know I should know this, but, where might I add these static routes on the PC?

Appreciate your help tgerbert, BIG help!

Todd GerbertIT ConsultantCommented:
Comcast modem be like a "last resort" gateway in the event that traffic initially sent to the domain gateway was not destined for that network?
Hmm...kinda - it will be a gateway of last resort, however traffic that's NOT destined for the domain won't ever be sent to the domain gateway, because Comcast is the route of last resort (provided all the routes are in place).
Finally, and I know I should know this, but, where might I add these static routes on the PC?
You have to do it in a command prompt window using the route command (see route -? or http:#a32339561). Do you have all the network IP addresses and their netmasks?
BHTNAuthor Commented:
I do have them, yes.  Great!  I'll get started now.  I wish I could change the points and grade...sorry about that.  Thanks again tgerbert!

BHTNAuthor Commented:
Hi tgerbert,
I'm sorry I keep bothering you about this, but I am still not sure this is working.  I've attached some screen shots of my route table and TCP/IP settings.  Would you mind looking at them for me?  Just to recall, here's some additional information:

Gateway to MPLS:
Gateway to Comcast:
Mask for both:

Local PC IP Address for Domain:
Local PC IP Address for Comcast:
Mask for both:

DNS for Local PC IP Address for Domain:
DNS for Local PC IP Address for Comcast:

Comcast Modem IP Addressing Scheme:
Gateway IP Address:
DMZ IP Address: (Matches Fortinet Firewall WAN Port of attached to Comcast Modem)

I've attached the following screenshots:

Fortinet Firewall Routing Monitor
Fortinet Firewall Static Routes
Route -p information
TCP/IP settings (General and Advanced to include DNS)

I know this is going on longer than you would prefer, but I think once you see what I'm looking at, it might make some sense to you and then you can explain it to me! :)



It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.