Hey all, hoping someone will be able to help with this one as I am stuck and spent ages looking around online for help and not getting anywhere.
So we have a small remote office with a single FortiGate 60F and a single 231F AP. It's running with all its ports in a VLAN software switch, and internal port 1 goes through a PoE injector to the AP, as simple as it gets.
The internal LAN is set as VLAN 0 and we run an Enterprise SSID with RADIUS etc., which is all working fine (bridge mode). Now we wanted to add a Guest SSID, so first of all we created a Guest VLAN with VLAN ID 25 as below; it's set to run a DHCP server and just use 1.1.1.1 and 8.8.8.8 for its DNS (not using the system DNS).
New Guest SSID created (also bridge mode), VLAN 25 is specified in its config, and a firewall rule created to allow it out from Source 'Guest-VLAN' to Destination 'All'.
Now when someone connects to this guest SSID we can see it's dishing out an IP address and can see some traffic activity from the user's phone, but users get the error "The Wi-Fi network "Guest" does not appear to be connected to the internet".
Looking at the logs we keep seeing the below about DNS, but no end of searching brings back anything relevant and I can't see anything obvious I am missing. Asking a user to check the phone, we can see all correct IP info is coming from DHCP, and setting the DNS on the phone to 1.1.1.1 and 8.8.8.8 they still can't resolve anything... Help!
Hello @InfraSec0 ,
Can you check the DTLS settings in the Network -> DNS settings menu? If TLS is enabled in that menu, can you try to disable it and enable DNS/53?
Thanks for the reply @ozkanaltas we are using custom internal DNS as below:
Created on 05-24-2024 08:58 AM Edited on 05-24-2024 09:19 AM
Hello @InfraSec0 ,
Do you apply any security policy for that traffic?
Also, can you run these commands and share the output with us? While running these commands you need to try to access the internet from the problematic client.
Also, can you check your client? Have they got the correct DNS settings from DHCP?
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow filter saddr <YOUR_CLIENT_IP_HERE>
diagnose debug flow trace start 100
diagnose debug enable
Can you post the firewall-rule?
Does it contain DNS as service?
From the Wi-Fi client, can you ping the interface IP address of VLAN 25 (ping must be enabled on the interface as administrative access)?
Can you ping 1.1.1.1?
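The checks asked for in this thread (is the VLAN interface really VLAN 25, does its DHCP server hand out 1.1.1.1 and 8.8.8.8, and does the outbound policy from the guest VLAN actually permit DNS with NAT) can be run mechanically over a `show` export of the FortiGate config. The script below is an added example, not code from this thread or from Fortinet: it parses the FortiOS CLI config/edit/set/next/end format and reports what is missing along the guest DNS path. The interface names, addresses and policy ID in the embedded sample are constructed, and the sample deliberately has a policy whose service list omits DNS, which is one way to get exactly the symptom described (DHCP works, nothing resolves).

```python
"""Lint a FortiOS CLI export for the guest-VLAN DNS path.

Added example (not from the thread or Fortinet). All names, addresses
and the policy ID below are constructed sample values.
"""
import shlex

# Constructed sample: VLAN 25 on the software switch, DHCP handing out
# 1.1.1.1 / 8.8.8.8, but the outbound policy only permits HTTPS, so DNS
# queries from guests never reach the resolver.
SAMPLE_CFG = """
config system interface
    edit "Guest-VLAN"
        set ip 10.25.0.1 255.255.255.0
        set allowaccess ping
        set interface "internal"
        set vlanid 25
    next
end
config system dhcp server
    edit 2
        set dns-service specify
        set dns-server1 1.1.1.1
        set dns-server2 8.8.8.8
        set default-gateway 10.25.0.1
        set interface "Guest-VLAN"
        config ip-range
            edit 1
                set start-ip 10.25.0.10
                set end-ip 10.25.0.200
            next
        end
    next
end
config firewall policy
    edit 7
        set name "Guest-Internet"
        set srcintf "Guest-VLAN"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
end
"""
# Same config with the service widened to ALL (what the thread's rule describes).
FIXED_CFG = SAMPLE_CFG.replace('set service "HTTPS"', 'set service "ALL"')


def parse_fortios(text):
    """Turn config/edit/set/next/end blocks into nested dicts.
    Tables are keyed 'config <name>', entries by their edit key, and each
    'set' keeps its values as a list (FortiOS allows several, e.g. services)."""
    root, stack = {}, [{}]
    stack[0] = root
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(stack[-1].setdefault("config " + " ".join(tok[1:]), {}))
        elif tok[0] == "edit":
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root


def first(entry, key, default=None):
    """First value of a 'set' line, or default when the key is absent."""
    vals = entry.get(key)
    return vals[0] if vals else default


def dns_allowed(policy):
    """A policy passes DNS if its service list contains DNS or ALL."""
    svc = policy.get("service", [])
    return "ALL" in svc or "DNS" in svc


def audit_guest_dns(cfg, guest_if="Guest-VLAN", vlan_id="25", dns=("1.1.1.1", "8.8.8.8")):
    """Return findings along the guest DNS path; an empty list means it looks complete."""
    findings = []
    iface = cfg.get("config system interface", {}).get(guest_if)
    if iface is None:
        return [f"interface {guest_if} not defined"]
    if first(iface, "vlanid") != vlan_id:
        findings.append(f"{guest_if} has vlanid {first(iface, 'vlanid')}, expected {vlan_id}")
    servers = [s for s in cfg.get("config system dhcp server", {}).values()
               if first(s, "interface") == guest_if]
    if not servers:
        findings.append(f"no DHCP server bound to {guest_if}")
    else:
        handed = (first(servers[0], "dns-server1"), first(servers[0], "dns-server2"))
        if first(servers[0], "dns-service") != "specify" or handed != dns:
            findings.append(f"DHCP on {guest_if} hands out DNS {handed}, expected {dns}")
    # Outbound policy: accept from the guest VLAN, include DNS (or ALL), NAT enabled.
    policies = {pid: p for pid, p in cfg.get("config firewall policy", {}).items()
                if guest_if in p.get("srcintf", []) and first(p, "action") == "accept"}
    if not policies:
        findings.append(f"no accept policy with srcintf {guest_if}")
    elif not any(dns_allowed(p) and first(p, "nat") == "enable" for p in policies.values()):
        for pid, p in policies.items():
            if not dns_allowed(p):
                findings.append(f"policy {pid}: service {p.get('service')} does not include DNS")
            if first(p, "nat") != "enable":
                findings.append(f"policy {pid}: NAT is not enabled")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CFG), ("fixed", FIXED_CFG)):
        print(label, audit_guest_dns(parse_fortios(cfg)) or "OK")
```

Feed it the output of `show system interface`, `show system dhcp server` and `show firewall policy` concatenated into one file; the parser only understands those block forms, so anything else in a full `show full-configuration` dump is parsed but ignored by the audit.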
Copyright 2024 Fortinet, Inc. All Rights Reserved.