I activated Split Tunnel mode and I have an issue only on my 11.6.7 OSX (Big Sur) MacBook Pro.
I wish to know how split tunnel works on OSX FortiClient, especially how DNS resolution works: to resolve FQDNs which are routed to the VPN and FQDNs which are routed to my home gateway, is there split DNS?
Hi @CookBookLT
Please share the snippet of your VPN configuration.
Are you facing this problem on MacBook only? Are you able to access the internal servers from Windows/Linux machines?
A snippet of the FortiClient VPN configuration?
Yes, I have the issue only on my MBP, while the others (OSX, Windows and Linux) work fine in split tunnel mode.
I'm able to access the internal servers which are inside the VPN tunnel with my company, while I cannot reach external sites, e.g. www.oracle.com.
I checked /etc/resolv.conf: when the VPN is disconnected there is only my home router as DNS, while when I'm connected to the VPN there is only my company's internal DNS.
When I connect to the VPN, I tried appending my "home router" to /etc/resolv.conf, but external sites continue to be unreachable.
I was referring to the SSL VPN configuration on the FortiGate.
Which FortiClient version are you running on Windows and macOS?
On my macOS (11.6.7, Big Sur) I'm using FortiClient 7.0.5.
The SSL VPN configuration is working correctly in split tunnel mode with all machines (OSX + Windows); the only machine which has issues (I'm able to reach only internal VPN machines) is my client.
I found out the issue is about name resolution, because addresses are routed correctly.
How can FortiClient resolve FQDNs according to 2 DNS servers (the internal DNS over the VPN, and the external DNS which is my home router)? How can FortiClient distinguish a DNS request, that is, whether it must be routed to the internal DNS or to the external DNS?
DNS servers are checked from top to bottom, which means that all your DNS queries will go to the DNS server which is defined under the SSL VPN configuration. If the first DNS server is unable to resolve, the request goes to the next DNS server.
@alif wrote: If the first DNS server is unable to resolve, the request goes to the next DNS server.
I thought the 2nd DNS answered only if the first one is unreachable.
Are you sure that if the first DNS is not able to resolve a query but it's reachable, the system makes the request to the next DNS server?
About DNS queries, are the DNS servers polled sequentially (if each DNS server cannot resolve the FQDN but it's reachable)?
Apologies, I didn't put it into the correct words. You are right, the second DNS server will be queried only if the first DNS server is unreachable.
@alif wrote: Apologies, I didn't put it into the correct words. You are right, the second DNS server will be queried only if the first DNS server is unreachable.
I don't understand... the first DNS, which is the DNS of the VPN, resolves ONLY the IP addresses of LAN FQDNs. If I make a query about an external name, e.g. www.google.it, my 1st DNS will not be able to resolve it, and the query will not be forwarded to the 2nd DNS (because the 1st is reachable).
The 2nd DNS is the home router, which is able to resolve external domains.
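The two resolver behaviours the thread is circling around, modelled as an added example (this is not code from the posts, from FortiClient or from macOS; the server names, zones and IP addresses are constructed in memory). `resolve_ordered` is the plain resolv.conf-style list where a reachable server's NXDOMAIN is final, which is exactly why the poster's external lookups fail when only the company DNS is listed first. `resolve_split` is the split-DNS model the original question asks about: the server list is chosen by the queried name's domain suffix, so internal names go to the VPN DNS and everything else goes to the home router.

```python
"""Model of ordered (fallback-on-unreachable) DNS versus split DNS.

Added example; servers are in-memory stand-ins, not real DNS traffic.
"""
from typing import Callable, Dict, List, Optional


class Timeout(Exception):
    """Raised when a server is unreachable (no answer within the timeout)."""


# A server maps a name to an IP string, returns None for NXDOMAIN,
# or raises Timeout when it is unreachable.
Server = Callable[[str], Optional[str]]


def make_server(zone: Dict[str, str], reachable: bool = True) -> Server:
    """Construct a stand-in DNS server that knows only the names in `zone`."""
    def query(name: str) -> Optional[str]:
        if not reachable:
            raise Timeout(name)
        return zone.get(name.lower().rstrip("."))
    return query


def resolve_ordered(servers: List[Server], name: str) -> Optional[str]:
    """resolv.conf-style lookup: servers are tried top to bottom, and the
    next one is consulted only when the current one is unreachable.
    A reachable server answering NXDOMAIN (None) ends the lookup."""
    for server in servers:
        try:
            return server(name)  # positive answer or NXDOMAIN: both final
        except Timeout:
            continue  # unreachable: fall through to the next server
    raise Timeout(name)  # nobody answered at all


def resolve_split(rules: Dict[str, List[Server]],
                  default: List[Server], name: str) -> Optional[str]:
    """Split DNS: choose the server list by the longest matching domain
    suffix of `name`, then do an ordered lookup within that list only."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest suffix first
        suffix = ".".join(labels[i:])
        if suffix in rules:
            return resolve_ordered(rules[suffix], name)
    return resolve_ordered(default, name)


# Constructed sample data (hypothetical zones and documentation IPs).
INTERNAL_DNS = make_server({"intranet.corp.example": "10.10.0.5"})
HOME_ROUTER = make_server({"www.oracle.com": "203.0.113.10",
                           "www.google.it": "203.0.113.20"})
DEAD_DNS = make_server({}, reachable=False)

SPLIT_RULES = {"corp.example": [INTERNAL_DNS]}  # only this suffix goes over the VPN


def demo() -> Dict[str, Optional[str]]:
    """Run the scenarios from the thread and return the answers."""
    return {
        # company DNS first and reachable: external name is NXDOMAIN, no fallback
        "ordered external": resolve_ordered([INTERNAL_DNS, HOME_ROUTER], "www.oracle.com"),
        "ordered internal": resolve_ordered([INTERNAL_DNS, HOME_ROUTER], "intranet.corp.example"),
        # first server unreachable: fallback to the second one does happen
        "ordered fallback": resolve_ordered([DEAD_DNS, HOME_ROUTER], "www.oracle.com"),
        # split DNS: suffix decides which server list is used
        "split external": resolve_split(SPLIT_RULES, [HOME_ROUTER], "www.oracle.com"),
        "split internal": resolve_split(SPLIT_RULES, [HOME_ROUTER], "intranet.corp.example"),
    }


if __name__ == "__main__":
    for scenario, answer in demo().items():
        print(f"{scenario:18s} -> {answer if answer else 'NXDOMAIN'}")
```

On macOS the equivalent of `SPLIT_RULES` is a per-domain resolver entry: a file `/etc/resolver/corp.example` containing `nameserver 10.10.0.5` (see `man 5 resolver`), and `scutil --dns` lists which resolver applies to which domain. Editing `/etc/resolv.conf` by hand, as tried in the thread, does not change that configuration, which is consistent with the poster's observation that appending the home router there changed nothing.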
Copyright 2024 Fortinet, Inc. All Rights Reserved.