Some VPN users can't get internet access
I have a FortiGate 60E for our small network and created some VLANs to separate the VOIP, CCTV, Servers, Laptops, etc. The VLAN side works fine and as expected; even the routes from laptops to server DNS, DC, File Shares, etc. are working. However, since doing these changes, the VPN is playing up a bit.
Everyone can connect to the VPN and get an internal IP; some users work fine with internet access but others can't get internet access whilst on the VPN and only have an internal IP.
It feels like a DNS issue to me. Initially we had the VPN give out our internal DNS server (which is on a separate VLAN) but this didn't work. I have also set it to use the client's system DNS and it gives them their home router DNS, but again internet doesn't work for those users.
Looking for pointers: is it some additional routing I need to set up for the VPN after setting up VLANs? Below are the relevant firewall policies we have in place (appreciate they're not much help as they're just the names, just trying to show what we have set up).
SSL_VPN_Internet_Access
SSL_VPN_Internal_Access
Laptops_to_Internet
Laptops_to_Servers (restricted ports)
Servers_to_Internet (restricted ports)
To add, I have read it requires split tunnel but we have an IPv4 policy set up for internet access so don't think this is required?
Labels: FortiClient, FortiGate
Thanks Adrian, doing the nslookup using 8.8.8.8 as the DNS server works, and if I set the config in the FortiGate SSL-VPN settings to use that DNS server then internet access works. Still confused as to why the client's ISP DNS doesn't work, especially when they can use the internet when not on VPN at home.
I guess now I need to get the VPN working with our internal DNS server so they can access internal resources (file servers). Since we have VLANs, do I need some IPv4 policy from the SSL-VPN tunnel to the Servers VLAN so it would allow the DNS through?
I checked and all policies have NAT enabled.
Hello,
Thank you for your question. If you have a firewall policy to allow internet access to SSLVPN users, you should be fine without split-tunneling. I would test a couple of things:
- Users having issues with internet access: ask them to ping some public IP (8.8.8.8 for example). If this is working, it can confirm that the problem might be with DNS.
- Try to do nslookup from the PC with different DNS servers. If ping to 8.8.8.8 is working, try to use 8.8.8.8 for DNS ("nslookup www.example.com 8.8.8.8").
- If it does not work, try to do a debug flow and packet capture for the SSLVPN client IP address and port 53 and see whether the traffic is blocked (allow DNS in policy, make sure NAT is also enabled), and mainly check if Windows is correctly sending DNS requests via the tunnel so FortiGate sees them.
Hello,
Thanks for the feedback. In my experience, some ISPs might block access to their DNS servers from outside their network (from peering, for example) and allow it only from concentrators.
For your internal DNS, yes, you will need a firewall policy from SSLVPN to your server VLAN with the DNS service allowed; in this case NAT does not need to be enabled most of the time.
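The policy described in the reply above and the port-53 checks from the earlier reply, written out as an added FortiOS CLI example (this is not from the thread or from Fortinet). The interface, address object and group names, the 192.0.2.10 resolver address and the 10.212.134.200 client address are assumed placeholders to replace with your own.

```fortios
# --- 1. Policy letting SSL VPN clients reach the internal DNS server on the
#        servers VLAN. Object names are assumed; change them to match yours.
#        NAT is left off, as noted above it is not needed for this hop.
config firewall policy
    edit 0
        set name "SSL_VPN_to_Servers_DNS"
        set srcintf "ssl.root"
        set dstintf "VLAN_Servers"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Internal_DNS_Server"
        set schedule "always"
        set service "DNS"
        set groups "SSLVPN_Users"
        set nat disable
        set logtraffic all
    next
end

# --- 2. Hand the internal resolver to clients instead of their home router's
#        DNS (the ISP resolver may refuse queries arriving from outside its
#        network). 192.0.2.10 is a documentation placeholder address.
config vpn ssl settings
    set dns-server1 192.0.2.10
    set dns-suffix "corp.example"
end

# --- 3. Live check: are the client's DNS packets arriving on ssl.root and
#        leaving toward VLAN_Servers? 10.212.134.200 is an assumed client IP
#        (first address of the default SSL VPN pool); use the IP shown for
#        the connected client. Verbose 4 prints the interface per packet.
diagnose sniffer packet any 'host 10.212.134.200 and port 53' 4 20 a

# If queries enter on ssl.root but nothing is forwarded, trace the policy
# decision for that client and port:
diagnose debug reset
diagnose debug flow filter addr 10.212.134.200
diagnose debug flow filter port 53
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
#   expected: "Allowed by Policy-<id>" naming the policy from step 1;
#   "Denied by forward policy check" means no policy/service matched.
diagnose debug disable
diagnose debug reset
```

If the sniffer shows no port-53 packets from the client at all, the problem is on the Windows side (queries not entering the tunnel), not in the FortiGate policy.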
Thanks, it's working again using our internal DNS. I created a policy to allow SSL to the orange VLAN and users can use the internet on the VPN using our DNS.
Appreciate the help.
Created on 02-08-2023 08:56 AM, edited on 02-08-2023 10:15 PM by Anthony_E
Hi Jasetcs,
This is Manoj. I am facing the same issue with my network. I had to recently configure VLANs for my network, so I created SVIs on my Arista switch and did OSPF routing with the FortiGate firewall. After that my SSL VPN users can't access the internet when they are connected through VPN. Can you please help with how you solved this? I already have an SSL ROOT -> internal network full-access policy. Do we need to add another policy for DNS specifically? Any help would be much appreciated.
Regards,
Manoj Joseph
