Skip to main content
jasetcs
jasetcs
New Member
February 23, 2022
Solved

Some VPN users can't get internet access

  • February 23, 2022
  • 1 reply
  • 20723 views

I have a Fortigate 60E for our small network and created some VLANs to separate the VOIP, CCTV, Servers, Laptops, etc. The VLAN side works fine and as expected, even the routes from laptops to server DNS, DC, File Shares, etc is working. However since doing these changes, the VPN is playing up a bit.

 

Everyone can connect to the VPN and get an internal IP, some users work fine with internet access but others cant get internet access whilst on the VPN and only an internal IP.

 

It feels like a DNS issue to me. Initially we had the VPN give out our internal DNS server (which is on a separate vlan) but this didn't work. I have also set it to use the client's system DNS and it gives them their home router DNS but again internet doesn't work for those users.

 

Looking for pointers, is it some additional routing I need to setup for the VPN after setting up VLANs. Below are the relevant firewall policies we have in place (appreciate they not much help as just the names, just trying to show what we have setup).

 

  • SSL_VPN_Internet_Access

  • SSL_VPN_Internal_Access

  • Laptops_to_Internet

  • Laptops_to_Servers (restricted ports)

  • Servers_to_Internet (restricted ports)

To add I have read it requires Split Tunnel but we have a ipv4 policy setup for internet access so dont think this is required?

Best answer by jasetcs

Thanks Adrian, doing the nslookup using 8.8.8.8 DNS works and if I set the config in the Fortigate SSL-VPN settings to use that DNS server then internet access works. Still confused as to why the client ISP DNS doesn't work especially when they can use internet when not on vpn at home.

 

I guess now I need to get the VPN working with our internal DNS Server so they can access internal resources (file servers). Since we have VLANs do I need some ipv4 policy from SSL-VPN tunnel to Servers VLAN, so it would allow the DNS through?

 

I checked and all policies have NAT enabled 

1 reply

akristof
Staff
akristof
Staff
February 23, 2022

Hello,

 

Thank you for your question. If you have firewall policy to allow internet access to SSLVPN users, you should be fine without split-tunneling. I would test couple of things:

- Users having issues with internet access, ask them to ping some public IP (8.8.8.8 for example). If this is working, it can confirm that the problem might be with DNS.

- Try to do nslookup from PC with different DNS servers. If ping to 8.8.8.8 is working, try to use 8.8.8.8 for dns ("nslookup www.example.com 8.8.8.8")

- If it does not work, try to do debug flow and packet capture for the SSLVPN client IP address and port 53 and try to see if traffic is not blocked (allow DNS in policy, make sure NAT is also enabled) and mainly check if the windows is correctly sending DNS request via tunnel so FortiGate sees them.

 

jasetcs
jasetcsAuthorAnswer
New Member
February 23, 2022

Thanks Adrian, doing the nslookup using 8.8.8.8 DNS works and if I set the config in the Fortigate SSL-VPN settings to use that DNS server then internet access works. Still confused as to why the client ISP DNS doesn't work especially when they can use internet when not on vpn at home.

 

I guess now I need to get the VPN working with our internal DNS Server so they can access internal resources (file servers). Since we have VLANs do I need some ipv4 policy from SSL-VPN tunnel to Servers VLAN, so it would allow the DNS through?

 

I checked and all policies have NAT enabled 

akristof
Staff
akristof
Staff
February 23, 2022

Hello,

 

Thanks for feedback. I have experience that some ISPs might block access to their DNS servers outside their network (from peering for example) and allow only from concentrators.

For your internal DNS yes, you will need firewall policy from SSLVPN to your server vlan with DNS service allowed, in this case NAT does not need to be enabled most of the time.

Terms & ConditionsAccessibility statement