
Fortinet FG110C Multiple Default Gateways Issue

We've configured an FG110C in Interface Mode (not Switch Mode). We had to do this because we have 4 internet providers: one is a T1, and 3 are DSL lines that we want to load balance.

The T1 and the DSLs are used for completely different things. We use the T1 for inbound email/webmail and also for specific clients. The DSLs are used for generic web surfing.

Up until this point we have had to use 2 Juniper SSG5's to make this work.

The problem is that we have a flat network, and each of the SSGs had an internal IP of and . So, for the systems that needed to be on the T1 we set them with a GW address of , and for the rest of the company their GW is .

When I try to mimic this config on the FG110C, I cannot assign two interfaces on the same subnet.  

So, I have 2 questions:

1) Is it possible using the CLI to do this using commands that can't be done from the web interface?

2) When I converted from Switch Mode to Interface Mode, it gave me 8 independent ports (plus the WAN1 & WAN2).  Is there a way to create two sets of interface ports, say Port1-4 and Port5-8?


To force some users out of a different ISP link I use the Policy Routes (Dynamic Routes) - the second tab on the Routes page.
You can set the Source IP (or range) of the LAN computers and route them out of a Specific gateway.
Leave the Protocol and other settings at their defaults, and set up the Source Range IPs and the gateway settings. The order of the entries on that Policy Routes page makes a difference, so adjust the rule order if needed.

I don't think your FortiGate will be able to handle 4 WAN internet links; that model is too small. You may be able to use the DMZ port though. I have not tried that, but it may work.

Something like this:
WAN1 - T1 (make this your default static route)
WAN2 - ADSL - make a new subnet for the ADSL line, or use the PPPoE setting so that it gets a public IP
DMZ - SSG5 with the other 2 ADSL lines connected to it - put this on another subnet


Maybe this will help:

Fortigate LAN/Internal
WAN1 - T1 IP
WAN2 - PPPoE (public IP from ADSL)
DMZ - SSG5 LAN interface, and then the 2 ADSL lines connected to the SSG5

To route out via the DMZ in the Policy Route, select the DMZ interface and Gateway IP.

Make required Firewall Policy rules for outbound traffic.

netbonesDude, Cyber


The problem is that we actually have 3 DSL lines that we are load balancing on, and that is used by the general web browsing group. That means I have 3 separate ports going to 3 different ISP connections, and on top of that another separate T1 ISP.

Policy routing won't work because we are not differentiating traffic; we are specifically targeting certain users for the T1 for all their traffic.

I would think there would be a way for me to have two internal interfaces on the same subnet; it simplifies how you deal with multiple default gateways.
netbonesDude, Cyber


Sorry, the graphic didn't upload correctly. From PORT1/ it is going into the same switch as PORT2/; for some reason the line doesn't show.
Is that drawing a concept or actual working config?
You can't have the interfaces (2 of them) on the same network, unless there is some trick, but I don't know of any.

Page 94 states that the IPs on the interfaces have to be on different subnets.


In my configs where I have 1 LAN network, I set all computers to have a Gateway of
Then I do the routing inside the FortiGate. You could use multi-WAN with load balancing, but that will distribute traffic over both WAN links (WAN1 and WAN2); you can set up weights to distribute unevenly.

If you want to isolate WAN1 (the T1 line, for example) for some computers and WAN2 (the ADSL lines), then I would use the Policy Routes. If you leave the default values for the protocols and other info, and just set the source and destination gateway, then it will route ALL traffic out to your desired gateway. It will not differentiate the traffic if you leave the settings at the default; it will allow you to target users (by their IP) to use a specific gateway.

I would try something like this. I have not tried it myself; normally I leave the FortiGates in Switch Mode.

WAN1 -- T1 line
WAN2 -- ADSL-1 line
Port 1 -- ADSL-2 line   (different subnet)
Port 2 -- ADSL-3 line   (different subnet)

Then use a combination of the Static routes (with weights to load balance the ADSL lines; look at the ECMP section in the manual link above) and Policy routes to target computers and force them out the WAN1 gateway.

Get rid of the 2nd internal interface on the same subnet (unless you need the physical bandwidth) and put 2 IPs on the same interface:

    config system interface
        edit port1
            set ip                       # primary address and netmask go here
            set secondary-IP enable
            config secondaryip
                edit 0                   # edit 0 always creates a new entry in the table
                    set ip               # secondary address and netmask go here
                    set allowaccess https ssh ping
                next
            end
        next
    end

This will set your port1 interface to and , with both IPs being on a /16 network.

Because you are using a FortiGate 110C, you cannot trunk your lines. If you ABSOLUTELY NEED 2 ports for the bandwidth (because they are both 10/100 ports), you can put them both on the same subnet, but be CAREFUL doing this: you are messing with your management interfaces, so if you bork it you need local access to the device to reset what is borked.

    config system settings
        set allow-subnet-overlap enable
    end

You can always merge 2 ports into a zone and use that zone in your firewall policies, but your ports have to be pretty much undefined and not referenced in anything (firewall policies, DHCP servers, interfaces) in order to add them to a zone. But once you do this, the zone is treated like an interface of its own.
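As an added illustration (not code from this thread or from Fortinet), here is a small Python helper that flags an interface plan the FortiGate would reject for overlapping subnets, and emits the CLI for the two alternatives discussed above: a secondary IP on one port, and a source-only policy route to push chosen hosts out one gateway. The addresses are constructed, and the CLI text follows the FortiOS 4.x style (`set ip <addr> <mask>`), so check it against your firmware's reference before pasting.

```python
import ipaddress

# Constructed plan (not values from the thread): two LAN ports on one /16
# plus a DMZ hand-off on its own subnet.
PLAN = {
    "port1": "192.168.1.1/16",  # existing LAN gateway
    "port2": "192.168.2.1/16",  # second gateway, same subnet
    "dmz": "10.10.10.1/24",     # SSG5 hand-off, separate subnet
}

def overlapping_interfaces(plan):
    """Return sorted (a, b) pairs of interfaces whose subnets overlap.
    This is the condition a FortiGate in interface mode rejects unless
    allow-subnet-overlap is enabled under config system settings."""
    nets = {n: ipaddress.ip_interface(a).network for n, a in plan.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]

def secondary_ip_cli(port, primary, secondary, allowaccess="https ssh ping"):
    """FortiOS 4.x-style CLI that carries both gateway addresses on one port.
    Refuses to build the stanza if the addresses are in different subnets,
    since that case is an ordinary second interface, not a secondary IP."""
    p, s = ipaddress.ip_interface(primary), ipaddress.ip_interface(secondary)
    if p.network != s.network:
        raise ValueError(f"{primary} and {secondary} are not in one subnet")
    return "\n".join([
        "config system interface",
        f"    edit {port}",
        f"        set ip {p.ip} {p.netmask}",
        "        set secondary-IP enable",
        "        config secondaryip",
        "            edit 0",  # 0 always creates a new table entry
        f"                set ip {s.ip} {s.netmask}",
        f"                set allowaccess {allowaccess}",
        "            next",
        "        end",
        "    next",
        "end",
    ])

def policy_route_cli(seq, src_cidr, in_intf, out_intf, gateway):
    """Policy route: ALL traffic from src_cidr out one gateway (source-only match)."""
    src = ipaddress.ip_network(src_cidr)
    return "\n".join([
        "config router policy",
        f"    edit {seq}",
        f"        set input-device {in_intf}",
        f"        set src {src.network_address} {src.netmask}",
        f"        set output-device {out_intf}",
        f"        set gateway {gateway}",
        "    next",
        "end",
    ])
```

Run `overlapping_interfaces(PLAN)` first; only when it comes back empty (or you have deliberately enabled allow-subnet-overlap) should the generated stanzas be applied.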