Support Forum
InfraSec0
New Contributor II

Help with WiFi SSID DNS issue "DNS-no-resp"

Hey all, hoping someone will be able to help with this one, as I am stuck and have spent ages looking around online for help and not getting anywhere.


So we have a small remote office with a single FortiGate 60F and a single 231F AP. It's running with all its ports in a VLAN software switch, and internal port 1 goes through a PoE injector to the AP, as simple as it gets.


The internal LAN is set as VLAN 0 and we run an Enterprise SSID with RADIUS etc., which is all working fine (bridge mode). Now we wanted to add a Guest SSID, so first of all I created a Guest VLAN with VLAN ID 25 as below. It's set to run a DHCP server and just use 1.1.1.1 and 8.8.8.8 for its DNS (not using the system DNS).


F1.jpg


New Guest SSID created (also bridge mode), VLAN 25 is specified in its config, and a firewall rule was created to allow it out from source 'Guest-VLAN' to destination 'All'.
Now when someone connects to this guest SSID we can see it's dishing out an IP address and can see some traffic activity from the user's phone, but users get the error "The Wi-Fi network "Guest" does not appear to be connected to the internet".


Looking at the logs we keep seeing the below about DNS, but no end of searching brings back anything relevant, and I can't see anything obvious I am missing. Asking a user to check the phone, we can see all the correct IP info is coming from DHCP, and after setting the DNS on the phone to 1.1.1.1 and 8.8.8.8 they still can't resolve anything... Help!


F2.jpg

ozkanaltas
Valued Contributor II

Hello @InfraSec0,


Can you check the DTLS settings in the Network -> DNS settings menu? If TLS is enabled in that menu, can you try to disable it and enable DNS/53?


https://community.fortinet.com/t5/FortiGate/Technical-Tip-DNS-stops-working-when-using-custom-DNS/ta...

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
InfraSec0

Thanks for the reply @ozkanaltas, we are using custom internal DNS as below:

F3.jpg

ozkanaltas
Valued Contributor II

Hello @InfraSec0,


Do you apply any security policy to that traffic?


Also, can you run these commands and share the output with us? While running these commands, you need to try to access the internet from the problematic client.


Also, can you check your client? Has it got the correct DNS settings from DHCP?


diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow filter saddr <YOUR_CLIENT_IP_HERE>
diagnose debug flow trace start 100
diagnose debug enable

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
Brunn3r
New Contributor III

Can you post the firewall rule?
Does it contain DNS as a service?

From the Wi-Fi client, can you ping the interface IP address of VLAN 25 (ping must be enabled on the interface as administrative access)?
Can you ping 1.1.1.1?
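An added example, not code from the thread, from Fortinet or from any of the posters: a small Python script a client on the guest VLAN can run to do what the last two replies ask for, but with a real DNS query instead of ping. It sends a plain UDP/53 A query to each resolver the thread's DHCP scope hands out (1.1.1.1 and 8.8.8.8) and separates three outcomes that look identical from a phone's "not connected to the internet" message: no reply at all within the timeout (port 53 is being dropped or the resolver is unreachable), a reply carrying an error RCODE such as REFUSED, and a normal answer with addresses. Only the standard library is used; the query name example.com and the 2 second timeout are assumptions.

```python
"""Plain-UDP/53 DNS reachability check for a guest VLAN client.

Added example for this thread, not code from Fortinet or the posters.
Minimal RFC 1035 A query builder and response parser, standard library only.
Assumptions: resolver list (from the thread), query name example.com,
2 second timeout.
"""
import random
import socket
import struct
from typing import Dict, List, Optional

# Resolvers the thread says the guest DHCP scope hands out.
RESOLVERS = ["1.1.1.1", "8.8.8.8"]

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: Optional[int] = None) -> bytes:
    """Return a standard recursive A/IN query for `name` in wire format."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: length-prefixed labels terminated by a zero byte
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes, expected_id: int) -> Dict[str, object]:
    """Extract the RCODE and any A records from a raw DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_id:
        return {"status": "id-mismatch"}
    offset = 12
    for _ in range(qdcount):                   # skip the question section
        offset = _skip_name(data, offset) + 4  # + QTYPE + QCLASS
    addresses: List[str] = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addresses.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    rcode = flags & 0x000F
    return {"status": "answered", "rcode": RCODES.get(rcode, str(rcode)),
            "addresses": addresses}


def check_resolver(server: str, name: str = "example.com",
                   timeout: float = 2.0) -> Dict[str, object]:
    """Send one UDP/53 query to `server` and classify what came back."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (server, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            # Nothing came back: port 53 dropped on the path, or resolver unreachable
            return {"status": "no-response", "server": server}
        except OSError as exc:
            # e.g. an ICMP port-unreachable surfaced as a socket error
            return {"status": "error", "server": server, "detail": str(exc)}
    result = parse_response(data, txid)
    result["server"] = server
    return result


if __name__ == "__main__":
    for resolver in RESOLVERS:
        print(check_resolver(resolver))
```

Run it from a device on the guest SSID and compare with the same run from the internal LAN: "no-response" from the guest VLAN but an answer from the LAN points at the firewall policy, a DNS filter or an interface setting on the FortiGate rather than at the client, while a REFUSED or SERVFAIL RCODE shows the resolver was reached and the problem is elsewhere.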
