4 Replies Latest reply on Feb 23, 2015 11:41 AM by Namster

    FWE Appliance on ESXi hosted server - Gateway not on any local subnet

    Namster

      The FWE 8.3.2 appliance is hosted on an ESXi 5.5 server on a dedicated server in the cloud.

      The cloud service provider bridges connections to the ESXi host.

      Assuming the ESXi host IP is 123.123.123.13

      They say to purchase an IP address, configure the mask to 255.255.255.255 and set the gateway to 123.123.123.254

      The IP address that was purchased is not in the same subnet, but it works when tested on a Windows 2012R2 guest in the ESXi host.

      So I deployed the FWE virtual appliance, got it up and running and tried to input the same gateway address, and I got the error message "Gateway not on any local subnet". It's true, it's not on any local subnet, but it works.

      Any way around this? The objective is to use the dedicated server, hosted at the provider, configure the FWE with the public-facing IP and route traffic to the other guests on the internal vSwitch.

        • 1. Re: FWE Appliance on ESXi hosted server - Gateway not on any local subnet
          PhilM

          If the 2012R2 host is able to see (or be seen by) the Internet, can you check its IP address settings and see how they look?

          Any which way, the Firewall has to be configured with two interfaces and the internet-facing interface needs to have a default gateway address configured which is part of the same subnet range as the IP address assigned to the internet-facing interface.

          Maybe the hosting service has a clever way of routing traffic to/from the cloud host, without that cloud host having a configured default gateway. You can obviously configure a single-interface Windows or Unix/Linux host without specifying a default gateway address and it will be assumed by the host that there will be no need to communicate beyond its own subnet.

          -Phil.

          • 2. Re: FWE Appliance on ESXi hosted server - Gateway not on any local subnet
            Namster

            Phil, thanks for the response. The 2k12 server is configured with the gateway not in the range of the local subnet. I can just force it by acknowledging the logic error. I can't figure out how to make the FWE do the same thing... Yet

            • 3. Re: FWE Appliance on ESXi hosted server - Gateway not on any local subnet
              PhilM

              I don't necessarily want this statement to come across as the absolute word (there may be others with better educated opinions), but I suspect the reason why you can effectively override the gateway setting under Windows (or you can leave it completely blank, if you wish) is because its primary role isn't to route traffic.

              Given the Firewall needs to have a minimum of two configured interfaces, and one of those provides the route to the "outside world" (even if it isn't actually connected to an Internet circuit), the presence of a default gateway and the fact that the value has to be valid is key to its operation.

              I haven't worked exclusively with MFE over the years, so I know this basic premise is the same for all the other Firewalls I've come into contact with. Without a valid default gateway it potentially can't do its job, so I'm assuming that McAfee have insisted on verifying this value at installation to minimize the chances of an Admin being left tearing his/her hair out when it doesn't pass any traffic.

              I can only suggest that you discuss this with the people providing this cloud service. It almost seems that they aren't expecting customers to install dedicated Firewall solutions - which would then allow you to use NAT and host a number of virtual machines on the trusted side.

              Can the service provider deliver this IP address using DHCP? If so, then configure the external interface of the Firewall accordingly and trust that they deliver the IP address you have been told.

              Bottom line, your MFE installation needs to have a default gateway configured and it needs to sit in the same subnet as the assigned IP address.

              -Phil.

              • 4. Re: FWE Appliance on ESXi hosted server - Gateway not on any local subnet
                Namster

                Support helped me with the issue. They suggested that I add an alias to the interface with an IP address that matched the gateway's network, with a /30 to keep the subnet small. Now things work.

                Thanks for the input. The DHCP idea was clever, but I couldn't get a DHCP server to issue an address with a mask of 255.255.255.255.
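The check that produces "Gateway not on any local subnet", and the /30 alias workaround from the final reply, modelled in a few lines of Python. This is an added illustration written for this thread, not the FWE's own validation code; the gateway 123.123.123.254 is the one quoted above, while the purchased /32 address (198.51.100.7) is a constructed documentation-range placeholder.

```python
import ipaddress

# Constructed sample values: the gateway is the one quoted in the thread; the
# purchased public IP is a documentation-range placeholder, not a real address.
GATEWAY = "123.123.123.254"
PURCHASED_IP = "198.51.100.7"


def local_subnets(interfaces):
    """Interfaces are (address, prefixlen) pairs; return the subnet each sits on."""
    return [ipaddress.ip_interface(f"{addr}/{plen}").network for addr, plen in interfaces]


def gateway_on_local_subnet(interfaces, gateway):
    """The sanity check a firewall appliance performs before accepting a default
    gateway: it must fall inside the subnet of at least one configured interface.
    A /32 on the external interface can never satisfy this for any other address."""
    gw = ipaddress.ip_address(gateway)
    return any(gw in net for net in local_subnets(interfaces))


def alias_for_gateway(gateway, prefixlen=30):
    """Build the alias support suggested: the smallest network (a /30 by default)
    that contains the gateway, using the one other usable host address in it."""
    net = ipaddress.ip_network(f"{gateway}/{prefixlen}", strict=False)
    gw = ipaddress.ip_address(gateway)
    spare = [h for h in net.hosts() if h != gw]
    if not spare:
        raise ValueError("prefix leaves no spare host address for the alias")
    return f"{spare[0]}/{net.prefixlen}"


def main():
    ifaces = [(PURCHASED_IP, 32)]
    # With only the provider's /32, the gateway is rejected exactly as in the thread.
    print("with /32 only:", gateway_on_local_subnet(ifaces, GATEWAY))  # False
    # Adding the /30 alias makes the gateway address "local" and the check passes.
    alias = alias_for_gateway(GATEWAY)
    addr, plen = alias.split("/")
    ifaces.append((addr, int(plen)))
    print("alias", alias, "->", gateway_on_local_subnet(ifaces, GATEWAY))  # True


if __name__ == "__main__":
    main()
```

The alias address chosen here (123.123.123.253) is the only other usable host in 123.123.123.252/30; whether it is actually free on the provider's network is something to confirm with them before using it.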