FortiClient VPN issues with GL-MT6000 (Flint2) router

Routers VPN, DNS, Leaks
1

My organization switched to FortiClient VPN recently, and it does not function correctly through my home GL-MT6000 router.

FortiClient injects a primary DNS on my work laptop in the 100.64.0.0 IP subnet, and all DNS traffic from the laptop fails.

The FortiClient VPN works correctly via a mobile hotspot. I have had no trouble with other VPNs traversing the router.

These are some of the troublshooting steps I have attempted:

  • set firewall rules to allow all traffic to and from this device at the top of the rule list.
  • installed MiniUPnP and set it to allow UPnP requests only from this device.
  • started with Admin Panel version 4.7.7, then upgraded to 4.8.2.

None of these have had any impact on the FortiClient DNS issue.

3

Hi

Could you please provide us with some more details so we can further check?

  1. Does FortiClient connect successfully or not?
  2. After connecting, please run the following commands on your Windows(?) laptop and share the results:
ipconfig
route print
  1. Please also ensure no other VPN or proxy software is running at the same time, including Tailscale or ZeroTier.
4

  1. FortiClient connects successfully. The console shows traffic. However DNS fails.

    I cannot ping the default gateway nor the primary DNS server for the FortiClient interface, but I can ping internet IPs (1.1.1.1).

    I’ve set the router to provides 1.1.1.1 the DNS server via DHCP. When FortiClient connects, it pushes 1.1.1.1 to secondary and replaces primary with their 100.64.x.x subnet DNS server for the duration of the FortiClient connection.

    My browsers and office software are configured such that both require connected FortiClient VPN to function.

  2. Connected via GL-MT6000 - no FortiClient

    ipconfig /all (connected interfaces)

    Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : Realtek USB GbE Family Controller
   Physical Address. . . . . . . . . : redacted
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.173(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, September 8, 2025 10:15:25 PM
   Lease Expires . . . . . . . . . . : Tuesday, September 9, 2025 8:48:55 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 1.1.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

    route print

    ===========================================================================
Interface List
 13...redacted          ......Intel(R) Ethernet Connection (13) I219-LM
 12...redacted          ......Fortinet SSL VPN Virtual Ethernet Adapter
 19...redacted          ......Realtek USB GbE Family Controller
 20...redacted          ......Fortinet Virtual Ethernet Adapter (NDIS 6.30)
 18...redacted          ......Microsoft Wi-Fi Direct Virtual Adapter
  2...redacted          ......Microsoft Wi-Fi Direct Virtual Adapter #2
 23...redacted          ......Intel(R) Wi-Fi 6 AX201 160MHz
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.173     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link     192.168.1.173    281
    192.168.1.173  255.255.255.255         On-link     192.168.1.173    281
    192.168.1.255  255.255.255.255         On-link     192.168.1.173    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.1.173    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.1.173    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
  1    331 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

    Connected via GL-MT6000 - FortiClient connected

    ipconfig /all (connected interfaces)

    Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : Realtek USB GbE Family Controller
   Physical Address. . . . . . . . . : redacted
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.173(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, September 8, 2025 10:15:25 PM
   Lease Expires . . . . . . . . . . : Tuesday, September 9, 2025 8:48:54 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 100.81.0.1
                                       1.1.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet 4:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Fortinet Virtual Ethernet Adapter (NDIS 6.30)
   Physical Address. . . . . . . . . : redacted
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.247.144.142(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Lease Obtained. . . . . . . . . . : Tuesday, September 9, 2025 8:49:43 AM
   Lease Expires . . . . . . . . . . : Friday, October 16, 2161 3:18:04 PM
   Default Gateway . . . . . . . . . : 10.247.144.143
   DHCP Server . . . . . . . . . . . : 10.247.144.143
   DNS Servers . . . . . . . . . . . : 100.81.0.1
                                       0.0.0.0
   NetBIOS over Tcpip. . . . . . . . : Enabled

    route print

    ===========================================================================
Interface List
 13...redacted          ......Intel(R) Ethernet Connection (13) I219-LM
 12...redacted          ......Fortinet SSL VPN Virtual Ethernet Adapter
 19...redacted          ......Realtek USB GbE Family Controller
 20...redacted          ......Fortinet Virtual Ethernet Adapter (NDIS 6.30)
 18...redacted          ......Microsoft Wi-Fi Direct Virtual Adapter
  2...redacted          ......Microsoft Wi-Fi Direct Virtual Adapter #2
 23...redacted          ......Intel(R) Wi-Fi 6 AX201 160MHz
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.173     25
          0.0.0.0          0.0.0.0   10.247.144.143   10.247.144.142     26
   10.247.144.142  255.255.255.255         On-link    10.247.144.142    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link     192.168.1.173    281
    192.168.1.173  255.255.255.255         On-link     192.168.1.173    281
    192.168.1.255  255.255.255.255         On-link     192.168.1.173    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link    10.247.144.142    281
        224.0.0.0        240.0.0.0         On-link     192.168.1.173    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link    10.247.144.142    281
  255.255.255.255  255.255.255.255         On-link     192.168.1.173    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
  1    331 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

    Connected via hotspot - FortiClient connected

    ipconfig /all (connected interfaces)

    Ethernet adapter Ethernet 4:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Fortinet Virtual Ethernet Adapter (NDIS 6.30)
   Physical Address. . . . . . . . . : redacted
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.247.112.129(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Lease Obtained. . . . . . . . . . : Tuesday, September 9, 2025 8:03:15 AM
   Lease Expires . . . . . . . . . . : Friday, October 16, 2161 3:07:20 PM
   Default Gateway . . . . . . . . . : 10.247.112.130
   DHCP Server . . . . . . . . . . . : 10.247.112.130
   DNS Servers . . . . . . . . . . . : 100.81.0.1
                                       0.0.0.0
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Wi-Fi 6 AX201 160MHz
   Physical Address. . . . . . . . . : redacted
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : redacted
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, September 9, 2025 8:02:17 AM
   Lease Expires . . . . . . . . . . : Tuesday, September 9, 2025 9:32:14 AM
   Default Gateway . . . . . . . . . : redacted
   DHCP Server . . . . . . . . . . . : redacted
   DNS Servers . . . . . . . . . . . : 100.81.0.1
                                       redacted
   NetBIOS over Tcpip. . . . . . . . : Enabled

    route print

    ===========================================================================
Interface List
 13...redacted          ......Intel(R) Ethernet Connection (13) I219-LM
 19...redacted          ......Realtek USB GbE Family Controller
 12...redacted          ......Fortinet SSL VPN Virtual Ethernet Adapter
 20...redacted          ......Fortinet Virtual Ethernet Adapter (NDIS 6.30)
 18...redacted          ......Microsoft Wi-Fi Direct Virtual Adapter
  2...redacted          ......Microsoft Wi-Fi Direct Virtual Adapter #2
 23...redacted          ......Intel(R) Wi-Fi 6 AX201 160MHz
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   redacted (hotspot)    redacted (hotspot)     35
          0.0.0.0          0.0.0.0   10.247.112.130   10.247.112.129     26
   10.247.112.129  255.255.255.255         On-link    10.247.112.129    281
     44.232.12.97  255.255.255.255   redacted (hotspot)    redacted (hotspot)    134
   54.190.240.168  255.255.255.255   redacted (hotspot)    redacted (hotspot)    134
   54.200.120.146  255.255.255.255   redacted (hotspot)    redacted (hotspot)    134
   54.200.215.134  255.255.255.255   redacted (hotspot)    redacted (hotspot)    134
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
   168.250.53.214  255.255.255.255   redacted (hotspot)    redacted (hotspot)    134
     redacted (hotspot)    255.255.255.0         On-link     redacted (hotspot)    291
    redacted (hotspot)  255.255.255.255         On-link     redacted (hotspot)    291
   redacted (hotspot)  255.255.255.255         On-link     redacted (hotspot)    291
   209.40.109.186  255.255.255.255   redacted (hotspot)    redacted (hotspot)     35
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link    10.247.112.129    281
        224.0.0.0        240.0.0.0         On-link     redacted (hotspot)    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link    10.247.112.129    281
  255.255.255.255  255.255.255.255         On-link     redacted (hotspot)    291
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
  1    331 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

  3. There are no other VPNs on this laptop nor any at the router level.

5

Please disregard. I connected the laptop directly to the modem and the issue persists. This is an ISP issue.

Thank you for swift response and your attention to this matter!

1 Like
6

This appears to be caused by Windows/FortiClient not correctly setting the routing metric.

# GL-MT6000 - FortiClient connected
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.173     25
          0.0.0.0          0.0.0.0   10.247.144.143   10.247.144.142     26
# hotspot - FortiClient connected
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   redacted (hotspot)    redacted (hotspot)     35
          0.0.0.0          0.0.0.0   10.247.112.130   10.247.112.129     26

Please try manually increasing the metric for Ethernet adapter Ethernet 2 by:
https://www.tenforums.com/tutorials/92180-change-network-adapter-connection-priorities-windows-10-a.html

1 Like
7

@will.qiu You were absolutely correct. Thank you so much!

We decreased the metric for the 10.x.x.x gateway (Interface index 20 on my laptop) with the following PowerShell command run as administrator:

```powershell

Set-NetIPInterface -InterfaceIndex 20 -AutomaticMetric Disabled -InterfaceMetric 2
```

Now DNS and everything else routes properly. No router issue, no ISP issue, simple configuration of the VPN interface.