DNS Lookups Fail once connected to PPTP VPN

Hello,

I am the administrator of a Fortinet Fortigate 60 firewall device

which supports PPTP VPN (among other protocols). I have set up PPTP VPN and can connect remotely and access internal network resources behind the firewall without any issues (file transfers, web servers, etc. work fine). However, once I become connected, I lose all DNS resolution on my local machine. I am connecting from behind my own NAT device (a basic SOHO Netgear router) and therefore have my own internal IP address (in my case, 192.168.10.3). The IP address I'm getting for my VPN connection is 172.18.0.100 and the IPs of the internal network behind the firewall are 192.168.1.0/24. As noted above, once I connect and get my VPN IP address, I can ping & access internal IPs, such as 192.168.1.5, etc.

The VPN connection is not providing any DNS servers. I am using the default gateway provided by the VPN connection. I have tried manually setting the DNS server for my VPN connection to the internal IP of the firewall (which is the DNS server for internal LAN clients), my local Netgear IP (for DNS forwarding), and even regular outside DNS IP addresses -- nothing works.

I can connect to the VPN through both Windows XP SP2 and Mac OSX with the same behavior -- no DNS resolution once I'm connected. As soon as I disconnect the VPN session, things are back to normal.

Is this a normal experience with PPTP VPN or is it something that's easy to fix? I don't tend to think it's a Windows issue since the problem happens on a Mac OSX box as well.

Any help would be greatly appreciated!

-Travis

Reply to
travis

All of our firewalls use the IP of the DNS server inside the LAN for their WAN DNS; this means that people that VPN into the firewall (not the server, as we don't allow that) get the DNS of the local server and they can resolve DNS properly.

As with any good firewall you have to setup rules for your account in the firewall. If you VPN into the firewall as DSMITH, then you need to setup rules that permit DSMITH firewall account to use DNS ports, to have external WEB access, etc...

Also, with most PPTP connections, once you connect you can't access your local network unless you uncheck the Use Default Gateway on Remote Network, but then you know better than doing that since you don't want to run the risk of using your network or your public internet connection while VPN'd into the office.

Reply to
Leythos

Thank you for your prompt reply.

The Fortigate 60 does have excellent firewall policy control, but it's not based on each user. The users are just there for authentication to the VPN. One or more firewall policies are then put into place between the VPN IP addresses and the IP addresses of the target resources -- such as the internal LAN. Right now, per the Fortigate VPN guide, I have a rule permitting traffic between the VPN addresses and the internal LAN, which seems to work fine.

Once I'm connected, if I do an nslookup using either the internal Firewall IP (192.168.1.99) or my local Netgear router IP (192.168.10.1), the resolution works. So it just seems that the connection doesn't know to use that.

Any ideas?

Thanks, Travis

Reply to
travis
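A quick way to confirm what is described above (resolution works only when a server is named explicitly) is to send an A query straight to each candidate resolver over UDP/53, which is what nslookup does when you hand it a server. This is an added example, not code from the thread; it assumes www.example.com as the test name and the two server IPs Travis quoted.

```python
import socket
import struct

# Candidate resolvers from the thread: the FortiGate's LAN IP and the local Netgear router.
CANDIDATE_SERVERS = ["192.168.1.99", "192.168.10.1"]

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query (one question, recursion desired) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_a_records(resp, txid=0x1234):
    """Return the A-record addresses in a DNS response, or [] on error/NXDOMAIN."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or (flags & 0x000F) != 0:  # wrong transaction id or non-zero RCODE
        return []
    def skip_name(o):
        while True:
            length = resp[o]
            if length == 0:
                return o + 1
            if length & 0xC0 == 0xC0:  # compression pointer, two bytes
                return o + 2
            o += length + 1
    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs

def resolve_via(server, name, timeout=2.0):
    """Query `server` directly, bypassing the system resolver configuration."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return []
    return parse_a_records(data)

if __name__ == "__main__":
    for srv in CANDIDATE_SERVERS:
        print(srv, resolve_via(srv, "www.example.com") or "no answer")
```

If a server answers here but plain `ping hostname` still fails while the VPN is up, the resolver on the client is not using that server for the VPN connection, which matches the behaviour reported in this thread.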

Both devices know nothing about the internal addresses; they are simply caching-only DNS servers that resolve public addresses. Run internal DNS on one or two machines, configure the first server to be DNS primary for your internal zone and, if you like, set up the second service to act as DNS secondary. Make them caching only for the rest of the world and use the internal servers.

Wolfgang

Reply to
Wolfgang Kueter
