DNS Lookups Fail once connected to PPTP VPN - Firewalls


Thread: DNS Lookups Fail once connected to PPTP VPN

  1. DNS Lookups Fail once connected to PPTP VPN

    Hello,

    I am the administrator of a Fortinet Fortigate 60 firewall device
    (http://www.fortinet.com/products/telesoho.html) which supports PPTP
    VPN (among other protocols). I have set up PPTP VPN and can connect
    remotely and access internal network resources behind the firewall
    without any issues (file transfers, web servers, etc work fine).
    However, once I become connected, I lose all DNS resolution on my
    local machine. I am connecting from behind my own NAT device (a basic
    SOHO Netgear router) and therefore have my own internal IP address
    (in my case, 192.168.10.3). The IP address I'm getting for my VPN
    connection is 172.18.0.100 and the IPs of the internal network behind
    the firewall are 192.168.1.0/24. As noted above, once I connect and
    get my VPN IP address, I can ping & access internal IPs, such as
    192.168.1.5, etc.

    The VPN connection is not providing any DNS servers. I am using the
    default gateway provided by the VPN connection. I have tried manually
    setting the DNS server for my VPN connection to the internal IP of the
    firewall (which is the DNS server for internal LAN clients), my local
    Netgear IP (for DNS forwarding), and even regular outside DNS IP
    addresses -- nothing works.

    I can connect to the VPN through both Windows XP SP2 and Mac OSX with
    the same behavior -- no DNS resolution once I'm connected. As soon as
    I disconnect the VPN session, things are back to normal.

    Is this a normal experience with PPTP VPN or is it something that's
    easy to fix? I don't tend to think it's a Windows issue since the
    problem happens on a Mac OSX box as well.

    Any help would be greatly appreciated!

    -Travis


  2. Re: DNS Lookups Fail once connected to PPTP VPN

    On Thu, 29 Mar 2007 11:33:00 -0700, travis wrote:
    >
    > Is this a normal experience with PPTP VPN or is it something that's easy
    > to fix? I don't tend to think it's a Windows issue since the problem
    > happens on a Mac OSX box as well.


    All of our firewalls use the IP of the DNS server inside the LAN for their
    WAN DNS; this means that people that VPN into the firewall (not the server
    as we don't allow that) get the DNS of the local server and they can
    resolve DNS properly.

    As with any good firewall you have to set up rules for your account in the
    firewall. If you VPN into the firewall as DSMITH, then you need to set up
    rules that permit the DSMITH firewall account to use DNS ports, to have
    external WEB access, etc...

    Also, with most PPTP connections, once you connect you can't access your
    local network unless you uncheck the Use Default Gateway on Remote
    Network, but then you know better than doing that since you don't want to
    run the risk of using your network or your public internet connection
    while VPN'd into the office.


    --
    Leythos
    spam999free@rrohio.com (remove 999 for proper email address)

  3. Re: DNS Lookups Fail once connected to PPTP VPN

    On Mar 29, 11:40 am, Leythos wrote:
    > On Thu, 29 Mar 2007 11:33:00 -0700, travis wrote:
    >
    > > Is this a normal experience with PPTP VPN or is it something that's easy
    > > to fix? I don't tend to think it's a Windows issue since the problem
    > > happens on a Mac OSX box as well.

    >
    > All of our firewalls use the IP of the DNS server inside the LAN for their
    > WAN DNS, this means that people that VPN into the firewall (not the server
    > as we don't allow that) get the DNS of the local server and they can
    > resolve DNS properly.
    >
    > As with any good firewall you have to setup rules for your account in the
    > firewall. If you VPN into the firewall as DSMITH, then you need to setup
    > rules that permit DSMITH firewall account to use DNS ports, to have
    > external WEB access, etc...
    >
    > Also, with most PPTP connections, once you connect you can't access your
    > local network unless you uncheck the Use Default Gateway on Remote
    > Network, but then you know better than doing that since you don't want to
    > run the risk of using your network or your public internet connection
    > while VPN'd into the office.
    >
    > --
    > Leythos
    > spam999f...@rrohio.com (remove 999 for proper email address)


    Thank you for your prompt reply.

    The Fortigate 60 does have excellent firewall policy control, but it's
    not based on each user. The users are just there for authentication to
    the VPN. One or more firewall policies are then put into place between
    the VPN IP addresses and the IP addresses of the target resources --
    such as the internal LAN. Right now, per the Fortigate VPN guide, I
    have a rule permitting traffic between the VPN addresses and the
    internal LAN, which seems to work fine.

    Once I'm connected, if I do an nslookup using either the internal
    Firewall IP (192.168.1.99) or my local Netgear router IP
    (192.168.10.1), the resolution works. So it just seems that the
    connection doesn't know to use that.

    Any ideas?

    Thanks,
    Travis

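    The two observations above (a VPN address is only allowed through the Fortigate by an explicit policy, and with "Use default gateway on remote network" enabled only the client's own connected subnet stays off the tunnel) can be modelled with a small route and policy check. This is an added example, not anything from the thread or from Fortinet; it uses the addresses Travis posted, while the PPTP pool size, the public resolver address and the policy set beyond the VPN-to-LAN rule are assumed.

    ```python
    """Added example: which path a DNS query from a PPTP client takes, and
    whether the firewall lets it through.  Not from the thread; the route
    table and policy set beyond the VPN -> LAN rule are assumptions."""
    from ipaddress import ip_address, ip_network

    # Client route table once the tunnel is up with "Use default gateway on
    # remote network" checked: the connected home subnet stays on the LAN
    # interface, everything else enters the tunnel.  Pool size /24 is assumed.
    CLIENT_ROUTES = [
        ("192.168.10.0/24", "eth0"),   # home LAN behind the Netgear router
        ("172.18.0.0/24", "ppp0"),     # PPTP address pool
        ("0.0.0.0/0", "ppp0"),         # default route via the remote gateway
    ]

    # Fortigate policies keyed on VPN pool -> destination zone -> ports.
    # Only the VPN -> internal LAN rule is confirmed by the thread; there is
    # deliberately no VPN -> WAN rule, so outside resolvers are not reachable.
    FIREWALL_POLICIES = [
        ("172.18.0.0/24", "192.168.1.0/24", "ANY"),
    ]


    def egress_interface(dst):
        """Longest-prefix match over the client's route table."""
        addr = ip_address(dst)
        best = max((ip_network(n) for n, _ in CLIENT_ROUTES if addr in ip_network(n)),
                   key=lambda n: n.prefixlen)
        return dict(CLIENT_ROUTES)[str(best)]


    def firewall_allows(src, dst, port):
        """Policies are evaluated top-down; no matching policy is an implicit deny."""
        s, d = ip_address(src), ip_address(dst)
        for src_net, dst_net, ports in FIREWALL_POLICIES:
            if s in ip_network(src_net) and d in ip_network(dst_net):
                if ports == "ANY" or port in ports:
                    return True
        return False


    def dns_server_reachable(client_vpn_ip, dns_server):
        """Return (egress interface, reachable) for a port 53 query."""
        iface = egress_interface(dns_server)
        if iface != "ppp0":
            return iface, True          # never enters the tunnel or its policies
        return iface, firewall_allows(client_vpn_ip, dns_server, 53)
    ```

    With these assumptions, queries to the firewall's LAN address and to the home router both succeed (one through the tunnel under the VPN-to-LAN rule, one locally), while a query to a public resolver enters the tunnel and is dropped for lack of a VPN-to-WAN policy; the model says nothing about which server the client's resolver chooses to use.
    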


  4. Re: DNS Lookups Fail once connected to PPTP VPN

    travis@safaricomputers.com wrote:


    > Once I'm connected, if I do an nslookup using either the internal
    > Firewall IP (192.168.1.99) or my local Netgear router IP
    > (192.168.10.1), the resolution works. So it just seems that the
    > connection doesn't know to use that.


    Both devices know nothing about the internal addresses; they are simply a
    caching-only DNS server to resolve public addresses. Run internal DNS on one
    or two machines, configure the first server to be DNS primary for your
    internal zone and, if you like, set up the second server to act as DNS
    secondary. Make them caching-only for the rest of the world and use the
    internal servers.

    Wolfgang


