Allowing DirectAccess to other internal Subnets or VLANs in your Network

If you’ve got DirectAccess running in your environment for remote access you’ll know how seamless it is for your end users. In businesses with large, segmented internal networks you also need to make sure that remote users can reach every internal resource they need, not just the subnet the DirectAccess server sits on.

For this to happen we add static routes on the DirectAccess server so that traffic from remote users can reach the other networks. In the common two-NIC topology the server has an external NIC (where the default gateway is defined) and a LAN NIC; the static routes go on the LAN NIC, via your internal router, so that internal traffic leaves through the internal interface instead of following the default route out the external one. The PowerShell syntax to add a static route to an interface is:

New-NetRoute -InterfaceAlias -DestinationPrefix -NextHop
For example:
New-NetRoute -InterfaceAlias LAN -DestinationPrefix 10.1.10.0/24 -NextHop 10.1.1.1

This would allow our DirectAccess clients to reach the 10.1.10.0/24 network even though the internal network the server sits on is 10.1.1.0/24. The route only solves the server’s side: any firewall or router between the LAN interface and 10.1.10.0/24 must also permit traffic from the DirectAccess server’s internal address, because client connections to IPv4 resources are translated by the server’s NAT64 and arrive from that address.
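The following script is an added example, not code from the original post. It adds routes for several internal subnets in one go, refuses to run if the internal adapter is missing or down, skips routes that already exist (and warns if a copy sits on a different interface), and then asks the stack which route it would actually pick for a host in each subnet. The adapter alias LAN, the internal router 10.1.1.1 and the three subnets are assumptions; substitute your own.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules NetTCPIP

# Added example (not from the original post). All values below are assumed.
$InternalAlias  = 'LAN'          # alias of the LAN-facing NIC
$InternalRouter = '10.1.1.1'     # next hop on the internal segment
$ExtraSubnets   = @(             # internal subnets/VLANs remote users need
    '10.1.10.0/24',
    '10.1.20.0/24',
    '172.16.50.0/24'
)

# Stop early if the adapter is missing or down: a route accidentally bound
# to the external NIC would send internal traffic out the Internet-facing
# interface.
$nic = Get-NetAdapter -Name $InternalAlias -ErrorAction Stop
if ($nic.Status -ne 'Up') {
    throw "Adapter '$InternalAlias' is not up (status: $($nic.Status))."
}

foreach ($prefix in $ExtraSubnets) {
    # Idempotency check: look for an existing route to this prefix on any
    # interface. A copy on another interface is worth surfacing.
    $existing = Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue
    if ($existing) {
        foreach ($r in $existing) {
            if ($r.InterfaceAlias -ne $InternalAlias) {
                Write-Warning "Route $prefix already exists on '$($r.InterfaceAlias)' via $($r.NextHop); check that it is intended."
            } else {
                Write-Host "Route $prefix already present on '$InternalAlias' via $($r.NextHop); skipping."
            }
        }
        continue
    }

    New-NetRoute -InterfaceAlias $InternalAlias `
                 -DestinationPrefix $prefix `
                 -NextHop $InternalRouter | Out-Null
    Write-Host "Added route $prefix via $InternalRouter on '$InternalAlias'."
}

# Verification: for the first host address in each subnet, ask the stack
# which route it would use and confirm it is the LAN interface.
foreach ($prefix in $ExtraSubnets) {
    $network   = ($prefix -split '/')[0]
    $octets    = $network -split '\.'
    $octets[3] = [int]$octets[3] + 1
    $probe     = $octets -join '.'

    # Find-NetRoute returns a source-address object and a route object;
    # keep only the one that carries a DestinationPrefix.
    $route = Find-NetRoute -RemoteIPAddress $probe |
             Where-Object { $null -ne $_.DestinationPrefix }

    if ($route.InterfaceAlias -eq $InternalAlias) {
        Write-Host "OK   $probe -> $($route.DestinationPrefix) via $($route.NextHop) on '$($route.InterfaceAlias)'"
    } else {
        Write-Warning "$probe would leave via '$($route.InterfaceAlias)' ($($route.DestinationPrefix)); route not in effect."
    }
}

# Rollback for one prefix, if ever needed:
#   Remove-NetRoute -DestinationPrefix '10.1.10.0/24' -InterfaceAlias $InternalAlias -Confirm:$false
```

Run it in an elevated PowerShell session on the DirectAccess server. The verification loop only proves the server’s own routing decision; reachability through any intermediate firewall still has to be confirmed from a DirectAccess client.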

If you need to back a route out later, Remove-NetRoute takes the same -DestinationPrefix and -InterfaceAlias parameters.

How to spoof or mimic a hardware or MAC Address of another device on an interface on a FortiGate

I was recently out at a client where another link was being installed, a cable Internet connection they were adding for redundancy. We put the cable modem in bridge mode, but the connection wasn’t coming up once everything was cabled. Cable providers typically tie the service to the hardware address of the device behind the modem (the modem itself authenticates with certificates), which made me think we needed the provider to see the FortiGate as their original modem. So I opened an SSH session, logged in and issued the following commands:

FGT40C # config system interface
FGT40C (interface) # edit wan2
FGT40C (wan2) # set macaddr xx:xx:xx:xx:xx:xx
FGT40C (wan2) # next
FGT40C (interface) # end

Replace wan2 with your interface name and xx:xx:xx:xx:xx:xx with the hardware address you want to mimic; show system interface wan2 will confirm the setting took. A cloned address must be unique on that segment, so make sure the original device is disconnected before the FortiGate starts using it.

I gave the cable modem a power cycle for good measure and the connection came up. The power cycle is worth doing regardless, since a bridged cable modem will often hold on to the hardware address of the previous device until it is rebooted.