BlackHole Static Route

ontracks · March 12, 2025, 11:26pm

Hello Forti Team,

Am I able to create a static (blackhole) route to the SSLVPN subnet in order to advertised that subnet into BGP (by redistributing static into BGP) to the rest of the network?

I thought I was, however, when I created the blackhole static route, I lost connectivity to the firewall from SSLVPN, that got me thinking that as the name says, maybe the blackhole discard all traffic destined to whatever subnet I define there? Is that correct? if so, how could I possible advertised my SSLVPN subnet into BGP?

If not, then why I lost access to the firewall after creating that blackhole static route?

Thanks

code0 · March 12, 2025, 11:26pm

You can add a static route for any SSL VPN address pools you have and use ssl.VDOM_NAME as your interface - ie:

config router static
 edit 0
  set dst 10.212.134.0 255.255.255.0
  set device "ssl.root"
 next
end

IIRC, the Blackhole method is what you’d use for an IPSec dial-up VPN (been a while since I’ve used IPSec for a remote access VPN).

Best-Yogurtcloset-77 · March 12, 2025, 11:26pm

Static routes takes priority over BGP. Check your distance.

Anonymous · March 12, 2025, 11:26pm

I use static blackhole routes for all RFC1918 subnets in all my routers but i give them 254 for the distance. If IPSec is up, blackhole route is not used, if IPSec is down, then blackhole route is next. Otherwise traffic will go to 0.0.0.0/0 and will not come back since that route will probably not be down.

ontracks · March 12, 2025, 11:26pm

Ohhhh, I see, thank you so much, this is really good info.

Any idea what I loose access from the silvan when I created the blackhole route?

THANKS A LOT !!

ontracks · March 12, 2025, 11:26pm

Ahhh I got your point, yes, you basically make sure all the RFC1918 gets routed to the inside of your network if the actual route goes down, thank you for your answer. one quick question you are talking about actual routers or FortiGate FW?

code0 · March 12, 2025, 11:26pm

On my home firewall, my SSL VPN address range is 10.212.134.200 - 10.212.134.210. Based on that, FortiOS sets the below kernel (FIB) routes (diag ip route list):

tab=254 vf=0 scope=0 type=1 proto=17 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.200/29 pref=0.0.0.0 gwy=0.0.0.0 dev=21(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=17 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.208/31 pref=0.0.0.0 gwy=0.0.0.0 dev=21(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=17 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.210/32 pref=0.0.0.0 gwy=0.0.0.0 dev=21(ssl.root)

Note the priority (lower is more preferred). Also, these prefixes are kernel routes (so can be used for forwarding), but don’t appear in the routing table (RIB).

Add a blackhole for 10.212.134.200/29 and it looks like:

tab=254 vf=0 scope=0 type=6 proto=11 prio=1 0.0.0.0/0.0.0.0/0->10.212.134.200/29 pref=0.0.0.0 gwy=0.0.0.0 dev=0
tab=254 vf=0 scope=0 type=1 proto=17 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.200/29 pref=0.0.0.0 gwy=0.0.0.0 dev=21(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=17 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.208/31 pref=0.0.0.0 gwy=0.0.0.0 dev=21(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=17 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.210/32 pref=0.0.0.0 gwy=0.0.0.0 dev=21(ssl.root)

Note that the blackhole /29 (listed first) has a lower priority (more preferred than the SSLVPN-inserted prefix) and becomes more preferred - effectively blackholing your traffic. Playing around with it a bit, changing the distance on the prefix on the blackhole doesn’t adjust the priority in the kernel (FIB) table.

Add a static route with the next hop of your ssl.VDOM_NAME interface and it looks like above, but your “more preferred route” (that is now both in the RIB and FIB) still points to the SSLVPN interface.

Hopefully that helps explain it a bit better.

HappyVlane · March 12, 2025, 11:26pm

Your FortiGate routes the return traffic into a blackhole, because you told it to.

LearnDifferenceBot · March 12, 2025, 11:26pm

I loose access

*lose

Learn the difference here.

^(Greetings, I am a language corrector bot. To make me ignore further mistakes from you in the future, reply !optout to this comment.)

Anonymous · March 12, 2025, 11:26pm

I am doing that in my FortiGates

since 254 is maximum distance you can give, these are the last routes possible for those subnets before the default gateway 0.0.0.0/0

this is my config for the static route

config router static

edit 2

set distance 254

set comment “Blackhole Routes to RFC1918 subnets”

set blackhole enable

set dstaddr “GRSUB_Blackhole_Subnets”

these are the address objects that are in the address group “GRSUB_Blackhole_Subnets”

edit “SUB_Blackhole_10.0.0.0/8”

set comment “Blackhole Route to RFC1918 subnets”

set allow-routing enable

set subnet 10.0.0.0 255.0.0.0

set comment “Blackhole Route to RFC1918 subnets”

set allow-routing enable

set subnet 172.16.0.0 255.240.0.0

set comment “Blackhole Route to RFC1918 subnets”

set allow-routing enable

set subnet 192.168.0.0 255.255.0.0

26Jack26 · March 12, 2025, 11:26pm

Very well detailed, thanks a a lot!!

ontracks · March 12, 2025, 11:26pm

That’s what I thought, I had never done this before on fortigate, I guess I tried to do the same thing I did with a Palo null route(which does not work that way), without properly understand the feature.

Much appreciated your help too u/HappyVlane !!!

gghggg · March 12, 2025, 11:26pm

Great bot.

“Words are hard”

“This is the internet I don’t care about my spelling”

Words from the great unwise