Hi,I'm working as a consultant for a customer who uses Forticlient VPN Free (7.0.7.0245) to access their system remotely. I'm using my own MacBook Pro to do so. Everything works fine except for the fact that once the VPN is up, 2 things happen:I can't access anymore the other network segments in my home (I've a layered network at home, with multiple NAT levels given by my outer modem, a Zyxel firewall connected to it and finally an AsusWRT router connected to the Zyxel). I can just go out to the internet, so if for any reason I need to access my other network elements at home (that are not in my own inner network segment), I have to disconnect the VPN.Every DNS request I do goes by the Forticlient tunnel. I don't like the idea that my customer knows every single step I do on internet, I'm not its full time employee and I also have other customers I use my time and resources for.Since I have multiple NICs on my Macbook (a couple via USB, plus WiFi). Is any way to bind the Forticlient VPN tunnel on a given NIC that I would demote as a secondary NIC in MacOS so that any major network traffic goes via another NIC except when I need to access my customer's system?

New Member

Question

MacOS: bind Forticlient VPN Free to a specific NIC and let general DNS queries go via the other one

Forum|Forum|2 years ago
August 9, 2023
5 replies
5074 views

Hi,

I'm working as a consultant for a customer who uses Forticlient VPN Free (7.0.7.0245) to access their system remotely. I'm using my own MacBook Pro to do so. Everything works fine except for the fact that once the VPN is up, 2 things happen:

I can't access anymore the other network segments in my home (I've a layered network at home, with multiple NAT levels given by my outer modem, a Zyxel firewall connected to it and finally an AsusWRT router connected to the Zyxel). I can just go out to the internet, so if for any reason I need to access my other network elements at home (that are not in my own inner network segment), I have to disconnect the VPN.
Every DNS request I do goes by the Forticlient tunnel. I don't like the idea that my customer knows every single step I do on internet, I'm not its full time employee and I also have other customers I use my time and resources for.

Since I have multiple NICs on my Macbook (a couple via USB, plus WiFi). Is any way to bind the Forticlient VPN tunnel on a given NIC that I would demote as a secondary NIC in MacOS so that any major network traffic goes via another NIC except when I need to access my customer's system?

FortiClient

AlexC-FTNT

Staff

Split tunneling is the way. But this should be configured on the firewall, not on the user machine.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Split-DNS-support-for-SSL-VPN/ta-p/194766

totaboAuthor

New Member

Thanks Alex,

as I was waiting for a clue I was also reading about it and got to the same argument, split tunnelling. Yet, I'm just a consultant, I won't get far trying to make them change their policy, nor I even want to make noise for the sake of good relationship. I'd just like to overcome the problem on my own if possible.

I'm trying to understand if I can override the routing table imposed by the Forticlient on macOS Big Sur after the VPN has been established. Yet I've still to figure out the real possibilities and proper ways. Any hint?

AlexC-FTNT

Staff

One way to do it is to move the end-of-tunnel to another device.

For example, assign a local FortiGate to create the dial-up tunnel to the company, and route the traffic in this FortiGate as you want (traffic to local subnets to the VPN, traffic to internet to the local wan interface - no tunnel).

totaboAuthor

New Member

Thanks Alex. If I correctly understand you're suggesting to purchase a FortiGate to be installed in my house so to make a P2P (client-to-site or site-to-site) towards my customer's network, am I right? I know this would be effective and give maximum flexibility, and indeed I already do it with another older customer of mine through my ZyXEL USG that I purchased on purpose before. Yet, as you can understand, it'd be impractical and expensive in my case to purchase and configure also a FortiGate for the same purpose. Or did I understand it wrong?

AlexC-FTNT

Staff

Yes, but it doesn't have to be a FortiGate. Any dedicated device that can establish a VPN tunnel with the FortiGate will do. Also, a FortiGate device is not that expensive if purchased without any services, and that suffices for this purpose.

sw2090

SuperUser

yes sounds like do not have split tunneling & mod config enabled.

without split tunneling the vpn will overwrite your default route so ALL traffic will go to the vpn (execpit from traffic destinated within your native lan).

mode config enables you to supply some dns server(s) AND a domain (and an IP range for clients). With that set (and dns mode set to manual on fgt cli) these will be handed to the client but will only be used for DNS requests matching that domain.

totaboAuthor

New Member

Thanks @sw2090 , these configs are to be set on the FortiGate or can I do it locally on my Mac someway ? I've explored the vpn.plist and fctsysconf.plist config files but couldn't spot anything useful. So far the only way I've found to overcome the problem is by manually tamper with my Mac's routing table after the VPN has connected. But I've yet to explore whether the Forticlient will override my manual interventions periodically during the day.

sw2090

SuperUser

yes mode_config and split tunneling have to be configured on the FortiGate.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded