Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
CookBookLT
New Contributor

split tunneling OSX FortiClient

I activated Split Tunnel mode and I have an issue only on my 11.6.7 OSX - Big Sur MacBook Pro.

I wish to know how split tunnel works on OSX FortiClient, especially how DNS resolution works: to resolve FQDNs which are routed to the VPN and FQDNs which are routed to my home gateway, is there split DNS?

alif
Staff

Hi @CookBookLT 

Please share the snippet of your VPN configuration.

Are you facing this problem on MacBook only? Are you able to access the internal servers from Windows/Linux machines?

Regards,
SFA
CookBookLT

Snippet about FortiClient VPN configuration?

Yes, I have the issue only on my MBP, while the others work fine on OSX, Windows and Linux in split tunnel mode.

I'm able to access internal servers which are inside the VPN tunnel with my company, while I cannot reach external sites, e.g. www.oracle.com.

I checked /etc/resolv.conf: when the VPN is disconnected there is only my home router as DNS, while when I am connected to the VPN there is only my company's internal DNS.

When I connect to the VPN, I tried to append my "home router" to /etc/resolv.conf, but external sites continue to be unreachable.

alif

I was referring to SSL VPN configuration on Fortigate.

Which FortiClient version are you running on Windows and macOS?

Regards,
SFA
CookBookLT

On my macOS (11.6.7, Big Sur) I'm using FortiClient 7.0.5.

The SSL VPN configuration is working correctly in split tunnel mode with all machines (OSX + Windows); the only machine which has issues (I'm able to reach only internal VPN machines) is my client.

CookBookLT

I found out the issue is about name resolution, because addresses are routed correctly.

How can FortiClient resolve FQDNs according to 2 DNS servers (internal DNS over the VPN, external DNS which is my home router)? How can FortiClient distinguish a DNS request, that is, whether it must be routed to the internal DNS or to the external DNS?

alif

DNS servers are checked from top to bottom which means that all your DNS queries will go to the DNS server which is defined under SSL VPN configuration. If the first DNS server is unable to resolve, the request goes to the next DNS server.

Regards,
SFA
CookBookLT

@alif wrote:

If the first DNS server is unable to resolve, the request goes to the next DNS server.

I thought the 2nd DNS answered only if the first one is unreachable.

Are you sure that if the first DNS is not able to resolve a query but it's reachable, the system makes a request to the next DNS server?

About DNS queries, are DNS servers polled sequentially (if each DNS server cannot resolve the FQDN but is reachable)?

alif

Apologies, I didn't put it into the correct words. You are right, the second DNS server will be queried only if the first DNS server is unreachable.

Regards,
SFA
CookBookLT

@alif wrote:

Apologies, I didn't put it into the correct words. You are right, the second DNS server will be queried only if the first DNS server is unreachable.

I don't understand... the first DNS, which is the DNS of the VPN, resolves ONLY IP addresses of LAN FQDNs. If I make a query about an external name, e.g. www.google.it, my 1st DNS will not be able to resolve it, and the query will not be forwarded to the 2nd DNS (because the 1st is reachable).

The 2nd DNS is the home router, which is able to resolve external domains.
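The question running through this thread (how a client can send LAN names to the VPN's DNS and everything else to the home router, and why appending the home router to /etc/resolv.conf did not help) comes down to whether the system has a resolver scoped to the company domain. On macOS the system resolver (mDNSResponder) takes its configuration from configd, not from /etc/resolv.conf; that file is only a generated copy of the default resolver, consulted by BIND-based tools such as dig and nslookup. The full configuration, including any resolver that is restricted to a domain (the mechanism a split DNS setup relies on), is shown by `scutil --dns`. The following is an added shell example, not FortiClient's or Fortinet's code: it parses `scutil --dns` output and lists each resolver with the domain it is scoped to, so that after connecting you can see whether a scoped entry for the company domain exists at all. The sample embedded in the block is constructed in the format `scutil --dns` prints; `corp.example.com`, `home` and the addresses 192.168.1.1, 10.0.0.53 and 10.0.0.54 are placeholders. On the Mac itself the functions are fed real output with `scutil --dns | split_dns_resolvers`.

```shell
#!/bin/sh
# Added example (not FortiClient or Fortinet code): summarise `scutil --dns`
# output so that domain-scoped (split DNS) resolvers are easy to spot.
# Real use on the Mac:   scutil --dns | split_dns_resolvers
# Each output line is "<scope> <nameservers>", where scope is the domain the
# resolver is restricted to, or "(default)" for the resolver that handles
# every name matching no scoped domain. Nameservers are listed in query order.
split_dns_resolvers() {
  awk '
    function flush() {
      if (ns != "") printf "%s %s\n", (domain == "" ? "(default)" : domain), ns
      domain = ""; ns = ""
    }
    /^resolver #[0-9]+/              { flush() }
    /^ *domain *:/                   { domain = $NF }
    /^ *nameserver\[[0-9]+\] *:/     { ns = (ns == "" ? $NF : ns "," $NF) }
    END                              { flush() }
  '
}

# Exit 0 when a resolver scoped to exactly the given domain is present in
# the scutil output read from stdin, 1 otherwise.
has_scoped_resolver() {
  split_dns_resolvers | grep -q "^$1 "
}

# Constructed sample in the format `scutil --dns` prints: a default resolver
# pointing at a home router plus a supplemental resolver for the company
# domain. Domain names and addresses are placeholders.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  search domain[0] : home
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : corp.example.com
  nameserver[0] : 10.0.0.53
  nameserver[1] : 10.0.0.54
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 100200
'

# Run the parser over the constructed sample; real `scutil --dns` output can
# be piped into the same functions.
demo_summary() {
  printf '%s\n' "$SAMPLE_SCUTIL" | split_dns_resolvers
}

demo_summary
```

Two consequences follow for the thread. If the output shows only a default resolver whose nameservers are the VPN's DNS and the home router, there is no split DNS: every lookup goes to the first server, and a negative answer (NXDOMAIN) from a server that is reachable ends the query; the stub resolver moves to the next server only on timeout or unreachability, which is the behaviour the last replies above describe. If a scoped entry for the company domain is present, a query whose name ends in that domain is sent to that entry's nameservers and every other name goes to the default resolver, so external names are resolved by the home router without any change to /etc/resolv.conf.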