patrickwilson82
New Contributor

Guest SSID DNS not working

I have a FortiAP connected to my Fortigate that has two SSIDs, an internal SSID and a Guest SSID. They were both set with my primary DNS server as their DNS server. Both the internal SSID and the internal LAN are working with no issues. Out of nowhere my DNS stopped working on the Guest SSID. The rep at Fortinet Support suggested I just use Google DNS for the DNS server on my SSID. Is this really an acceptable alternative? Is there anything I need to check for to try to get it working with my primary DNS? Nothing out of the ordinary is in event viewer under DNS. Thanks.

wanglei_FTNT
Staff

You should be able to use your primary DNS server for both your internal and guest network.

Can you give a little bit more info on this?

1) Can a client connected to the guest SSID get the right DNS server? Most likely yes, but please do double-check.

2) Can the client ping the DNS server? If not, is there any particular firewall rule etc. to disallow this?

3) If the client can ping but couldn't resolve the domain name, you can check on the FGT to see whether DNS traffic has hit the FGT and been routed correctly.

patrickwilson82
New Contributor

When I do an ipconfig /all it does show that it's getting my DNS server. Client cannot ping the DNS server, and there is no rule set up to block this.

wanglei_FTNT

There are too many possibilities and I think our support should be able to help you narrow it down. Even if you don't have a rule to block it, you might need a rule to allow access from your guest network to the DNS server network, depending on your config. If it worked before and you haven't done any config/code change, it might not be configuration related.

rwpatterson
Valued Contributor III

Perhaps a reboot is in order. It's a simple thing to do. It may do nothing, but you'll find out in two minutes as opposed to banging your head against the wall. Sometimes if the unit has been up for a really long time (<200 days or so), this may do some good. An upgrade at the same time may not be a bad idea while you're at it.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

patrickwilson82

Are you talking a reboot of the Fortigate, or the AP? I've already done the AP.

patrickwilson82

I may try contacting support again next week. Hopefully I will find someone who will have a better answer than to use Google DNS. Thank you!

patrickwilson82

For anyone who is still following this, I found someone at Support who could help me. I needed to create a policy for my Guest SSID to LAN with my DNS server as the destination address. This allows me to use my DNS server on the Guest network while locking down my internal resources.
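
The kind of policy described in the post above, sketched in FortiOS CLI as an added example (not part of the original thread and not the poster's actual configuration). The interface names `guest-ssid` and `lan`, the object name `Internal-DNS` and the address 192.0.2.53 are assumptions; limiting the destination to the one host and the service to `DNS` is what keeps the rest of the LAN unreachable from the guest network.

```fortios
config firewall address
    edit "Internal-DNS"
        set subnet 192.0.2.53 255.255.255.255
        set comment "Constructed example address for the primary DNS server"
    next
end
config firewall policy
    edit 0
        set name "Guest-to-Internal-DNS"
        set srcintf "guest-ssid"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "Internal-DNS"
        set action accept
        set schedule "always"
        set service "DNS"
        set logtraffic all
        set comments "Example: guest SSID may reach only the DNS server, DNS service only"
    next
end
```

With only this policy from the guest interface to the LAN, a ping from a guest client to the DNS server still fails, because ICMP is not part of the `DNS` service.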

wanglei_FTNT

Thanks for the message and glad that it's working for you. 

Ashik_Sheik

Hi,

This policy is mandatory to allow the guest SSID subnet to reach your DNS behind the LAN interface. My question is: the guest VLAN is totally isolated from LAN services, so it is recommended to use external DNS if they do not access any of your internal services.

Ashu