Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fabianovieira
New Contributor

Created on ‎12-20-2024 07:05 AM

DNS Unreachable without source-ip configured

Hello!

 

I've two ISP link configured on two separate SD WAN rules.

 

When my primary ISP link is activated, the DNS and FortiGuard works only with the "source-ip" configured:

 

Captura de tela 2024-12-20 115307.pngCaptura de tela 2024-12-20 115415.png

 

Everything OK!

 

My problem is when the secondary ISP is activate. The DNS and Fortiguard stop to work(dns unreachable)! In this case, i needed "unset" the "source-ip" to get it working again.

 

My question:

Is there any configuration so that DNS and Fortiguard continue to work on both links? Without having to make these "source-ip" settings manually.

 

Labels:
120
0 Kudos
5 REPLIES 5
AEK
SuperUser
SuperUser

Created on ‎12-20-2024 07:38 AM Edited on ‎12-20-2024 07:39 AM

Hi Fabia

I guess you have one public IP on the first WAN interface (PPPoE), and pne public IP + one private IP on the second WAN interface.

In that case I recommend one of the two solutions :

  1. Either configure your second WAN interface as PPPoE interface, and you will not use anymore the private IP
  2. Or configure your FG to use a local DNS server instead of using cloudflare & google DNS

In both cases you will unset the source-ip once for all.

AEK
AEK
103
0 Kudos
fabianovieira
New Contributor
In response to AEK

Created on ‎12-20-2024 08:08 AM

Hello!

 

My first link(WAN1) is used to access internet and L2L to access my servers on external datacenter.

 

My second link(WAN2) is used to backup link and used to supply internet to guest vlans.

 

I'll try to configure a local DNS Server, thanks!

83
0 Kudos
cjackson_ncl
New Contributor III

Created on ‎12-20-2024 07:41 AM

How do you have the interface select method configured? In cli;

 

config system dns

set interface-select-method sd-wan

 

By default this would be set to auto

NSE4
NSE4
100
0 Kudos
fabianovieira
New Contributor
In response to cjackson_ncl

Created on ‎12-20-2024 08:09 AM

Hello!

 

I've already tested this configuration "set interface-select-method sd-wan". Not works in my case!

 

81
0 Kudos
Theo4
New Contributor II

Created on ‎12-21-2024 08:53 PM

Have you tried investigating why you have to configure "source-ip" in the first place? It's better to find out what the problem is first before looking for the solution. you may have misconfigured routing or SD-WAN rules. 

 

Try removing "source-ip" configuration while the primary ISP is active, and run sniffer and debug flow commands on FGT to trace the local-out DNS traffic and share the output here

18
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.