Hi All,
We have a few hosted sites and services on our Academic network that need to be accessed via our guest/BYOD wifi/vlan. I've set up rules to the servers from the guest network, and I have routed the DNS through to our DNS servers (these contain all host and reverse lookup records) on our Academic vlan. Windows devices work fine so I know the right things are in place, but anything Apple doesn't. We have tried flushing the DNS and cache on Apple devices, different browsers, still no luck. They can get to external websites fine, but just not internal.
Also most of our sites are externally facing, but the Apple products still can't get to them when connected to our BYOD network!
Any help appreciated!
Thanks,
Jenny
Have you added in the DNS suffixes to the DHCP scope at all for your network?
No - we have set up DHCP on the Fortigate for the guest network. Can the DNS suffixes be added to the Fortigate?
Jennyjcuk wrote: Can the DNS suffixes be added to the Fortigate?
Yes, though it might only be doable via the CLI.
config system dhcp server
    edit 2
        set domain "mydomain.local"
    next
end
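An added example, not from this thread or from Fortinet: a small Python encoder/decoder for the two DHCP options that carry DNS suffixes, option 15 (Domain Name, which as far as I know is what `set domain` above populates) and option 119 (Domain Search, RFC 3397, the list that Apple clients use for search domains). It is handy for checking in a packet capture what a scope really hands out; the domain names are constructed samples.

```python
def encode_domain_search(domains):
    """Encode search domains as option-119 data (RFC 3397), compressing shared suffixes."""
    out = bytearray()
    seen = {}  # suffix (tuple of labels) -> offset where it was first written
    for name in domains:
        labels = [l for l in name.rstrip(".").split(".") if l]
        i = 0
        while i < len(labels):
            suffix = tuple(labels[i:])
            if suffix in seen:  # 2-byte pointer ends the name; no root label follows
                out += bytes([0xC0 | (seen[suffix] >> 8), seen[suffix] & 0xFF])
                break
            seen[suffix] = len(out)
            out.append(len(labels[i]))
            out += labels[i].encode("ascii")
            i += 1
        else:
            out.append(0)  # root label terminates an uncompressed name
    return bytes(out)

def decode_domain_search(data):
    """Decode option-119 data back into a list of search domains."""
    names, pos = [], 0
    while pos < len(data):
        labels, p, jumped = [], pos, False
        while True:
            length = data[p]
            if length == 0:
                p += 1
                break
            if length & 0xC0 == 0xC0:  # compression pointer to earlier data
                if not jumped:
                    pos = p + 2  # in the stream, this name ends after the pointer
                p, jumped = ((length & 0x3F) << 8) | data[p + 1], True
                continue
            labels.append(data[p + 1:p + 1 + length].decode("ascii"))
            p += 1 + length
        if not jumped:
            pos = p
        names.append(".".join(labels))
    return names

def build_dhcp_options(domain, search_domains):
    """Wrap option 15 (Domain Name) and option 119 (Domain Search) as DHCP TLVs."""
    dn = domain.encode("ascii")
    ds = encode_domain_search(search_domains)
    return bytes([15, len(dn)]) + dn + bytes([119, len(ds)]) + ds

if __name__ == "__main__":  # constructed sample suffixes, modelled on the thread's mydomain.local
    print(build_dhcp_options("mydomain.local", ["mydomain.local", "ad.mydomain.local"]).hex())
```

If a capture of the guest scope's DHCP OFFER shows option 15 but no option 119, only the single suffix is being offered, which matches the "one site works, the rest don't" symptom for clients that rely on a search list.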
Thank you this has worked a little... strangely now on my test iPhone I can get to one internal site but still not to all! Any other options that could be specified?
Jennyjcuk wrote: Any other options that could be specified?
I've never been able to get my iPhone to show *any* domains in Settings --> Wifi --> (SSID) --> Configure DNS, though my phone does resolve names on my local network. Not sure if it's my phone not showing search domains it knows about, or something else.
Apple devices!
I am thinking it may have something to do with the fact that it is a guest network with no firewall authentication, so the firewall doesn't know who the users or devices are, despite rules to allow everything through. We have another wireless network set up with RADIUS authentication from which users can get to the internal sites. That also has DHCP set up on the Fortigate, and DNS is routed to a server on the same subnet.
Guest network DNS is routed to the RADIUS subnet.
Jennyjcuk wrote: I am thinking it may have something to do with the fact that it is a guest network with no authentication, so the firewall doesn't know who the users or devices are, despite rules to allow everything through.
But there's a firewall policy somewhere allowing the traffic: is NAT enabled *on the policy* (as opposed to a VIP)?
Yes there's a rule to the DNS server, allowing all sources using the DNS service. Then there's another rule to allow all sources again HTTPS and HTTP service to the specific servers hosting the sites. Windows devices are happy with this and get to everything.
NAT is enabled on all the policies. We only have VIPs set up to point the external DNS to the correct internal IP addresses.
Jennyjcuk wrote: Yes there's a rule to the DNS server, allowing all sources using the DNS service. Then there's another rule to allow all sources again HTTPS and HTTP service to the specific servers hosting the sites. Windows devices are happy with this and get to everything.
NAT is enabled on all the policies. We only have VIPs set up to point the external DNS to the correct internal IP addresses.
Ok, so the NAT question was me being confused with a different question (duh), though you probably don't want NAT on most policies.
In any case, I recently simplified my network *dramatically* by letting my Fortigate serve up DNS on all the default gateways, and it would internally forward the requests to the real servers. I was able to remove essentially all of my firewall policies allowing DNS from one to another, a HUGE simplification.
This is worth considering.
Copyright 2024 Fortinet, Inc. All Rights Reserved.