DNS Lookups Fail once connected to PPTP VPN

on 29.03.2007 20:33:00 by Travis

Hello,

I am the administrator of a Fortinet Fortigate 60 firewall device
(http://www.fortinet.com/products/telesoho.html) which supports PPTP
VPN (among other protocols). I have set up PPTP VPN and can connect
remotely and access internal network resources behind the firewall
without any issues (file transfers, web servers, etc work fine).
However, once I become connected, I lose all DNS resolution on my
local machine. I am connecting from behind my own NAT device (a basic
SOHO Netgear router) and therefore have my own internal IP address
(in my case, 192.168.10.3). The IP address I'm getting for my VPN
connection is 172.18.0.100 and the IPs of the internal network behind
the firewall are 192.168.1.0/24. As noted above, once I connect and
get my VPN IP address, I can ping & access internal IPs, such as
192.168.1.5, etc.

The VPN connection is not providing any DNS servers. I am using the
default gateway provided by the VPN connection. I have tried manually
setting the DNS server for my VPN connection to the internal IP of the
firewall (which is the DNS server for internal LAN clients), my local
Netgear IP (for DNS forwarding), and even regular outside DNS IP
addresses -- nothing works.

I can connect to the VPN through both Windows XP SP2 and Mac OSX with
the same behavior -- no DNS resolution once I'm connected. As soon as
I disconnect the VPN session, things are back to normal.

Is this a normal experience with PPTP VPN or is it something that's
easy to fix? I don't tend to think it's a Windows issue since the
problem happens on a Mac OSX box as well.

Any help would be greatly appreciated!

-Travis

Re: DNS Lookups Fail once connected to PPTP VPN

on 29.03.2007 20:40:58 by Leythos

On Thu, 29 Mar 2007 11:33:00 -0700, travis wrote:
>
> Is this a normal experience with PPTP VPN or is it something that's easy
> to fix? I don't tend to think it's a Windows issue since the problem
> happens on a Mac OSX box as well.

All of our firewalls use the IP of the DNS server inside the LAN for their
WAN DNS, this means that people that VPN into the firewall (not the server
as we don't allow that) get the DNS of the local server and they can
resolve DNS properly.

As with any good firewall you have to set up rules for your account in the
firewall. If you VPN into the firewall as DSMITH, then you need to set up
rules that permit the DSMITH firewall account to use DNS ports, to have
external WEB access, etc...

Also, with most PPTP connections, once you connect you can't access your
local network unless you uncheck the Use Default Gateway on Remote
Network, but then you know better than doing that since you don't want to
run the risk of using your network or your public internet connection
while VPN'd into the office.


--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)

Re: DNS Lookups Fail once connected to PPTP VPN

on 29.03.2007 20:55:16 by Travis

On Mar 29, 11:40 am, Leythos wrote:
> On Thu, 29 Mar 2007 11:33:00 -0700, travis wrote:
>
> > Is this a normal experience with PPTP VPN or is it something that's easy
> > to fix? I don't tend to think it's a Windows issue since the problem
> > happens on a Mac OSX box as well.
>
> All of our firewalls use the IP of the DNS server inside the LAN for their
> WAN DNS, this means that people that VPN into the firewall (not the server
> as we don't allow that) get the DNS of the local server and they can
> resolve DNS properly.
>
> As with any good firewall you have to setup rules for your account in the
> firewall. If you VPN into the firewall as DSMITH, then you need to setup
> rules that permit DSMITH firewall account to use DNS ports, to have
> external WEB access, etc...
>
> Also, with most PPTP connections, once you connect you can't access your
> local network unless you uncheck the Use Default Gateway on Remote
> Network, but then you know better than doing that since you don't want to
> run the risk of using your network or your public internet connection
> while VPN'd into the office.
>
> --
> Leythos
> spam999f...@rrohio.com (remove 999 for proper email address)

Thank you for your prompt reply.

The Fortigate 60 does have excellent firewall policy control, but it's
not based on each user. The users are just there for authentication to
the VPN. One or more firewall policies are then put into place between
the VPN IP addresses and the IP addresses of the target resources --
such as the internal LAN. Right now, per the Fortigate VPN guide, I
have a rule permitting traffic between the VPN addresses and the
internal LAN, which seems to work fine.

Once I'm connected, if I do an nslookup using either the internal
Firewall IP (192.168.1.99) or my local Netgear router IP
(192.168.10.1), the resolution works. So it just seems that the
connection doesn't know to use that.

Any ideas?

Thanks,
Travis

Re: DNS Lookups Fail once connected to PPTP VPN

on 29.03.2007 22:31:57 by Wolfgang Kueter

travis@safaricomputers.com wrote:


> Once I'm connected, if I do an nslookup using either the internal
> Firewall IP (192.168.1.99) or my local Netgear router IP
> (192.168.10.1), the resolution works. So it just seems that the
> connection doesn't know to use that.

Both devices know nothing about the internal addresses; they are simply
caching-only DNS servers that resolve public addresses. Run internal DNS on one
or two machines, configure the first server to be DNS primary for your
internal zone, and if you like set up the 2nd service to act as DNS
secondary. Make them caching only for the rest of the world and use the
internal servers.

Wolfgang
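The following is an added example, not code from the thread or from Fortinet. It models the split Wolfgang describes (and the behaviour Travis saw when pointing nslookup at 192.168.1.99 or 192.168.10.1 directly): a resolver that answers authoritatively for an internal zone from its own records and forwards everything else to a caching-only resolver. It uses only the Python standard library and does the DNS wire-format work itself, so it runs offline; the zone name `corp.example.` and the host table are constructed for the demo, while 192.168.1.5, 192.168.1.99 and 192.168.10.1 are the addresses from the thread. It is a decision model, not a production DNS server, and says nothing about how the Fortigate itself hands DNS servers to PPTP clients.

```python
"""Split-horizon DNS decision logic (added example, not from the thread)."""
import struct

INTERNAL_ZONE = "corp.example."            # assumed internal zone name (constructed)
INTERNAL_HOSTS = {                         # constructed records for the internal zone
    "fileserver.corp.example.": "192.168.1.5",
    "fw.corp.example.": "192.168.1.99",
}
UPSTREAM_RESOLVER = "192.168.10.1"         # caching-only forwarder for the rest of the world
A_TYPE, IN_CLASS = 1, 1


def encode_name(name):
    """Encode a dotted FQDN into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode an uncompressed name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_query(name, qtype=A_TYPE, txid=0x1234):
    """Build a standard recursion-desired query (flags 0x0100) for name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, IN_CLASS)


def parse_question(msg):
    """Return (txid, qname, qtype, qclass) from the question section of a message."""
    txid = struct.unpack("!H", msg[:2])[0]
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, qname, qtype, qclass


def build_response(txid, qname, qtype, address=None, rcode=0):
    """Authoritative response: QR+AA+RD+RA (0x8580) plus rcode; one A record if address given."""
    ancount = 1 if address else 0
    header = struct.pack("!HHHHHH", txid, 0x8580 | rcode, 1, ancount, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, IN_CLASS)
    if not address:
        return header + question
    rdata = bytes(int(octet) for octet in address.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_TYPE, IN_CLASS, 300, 4) + rdata
    return header + question + answer


def in_zone(name):
    """True if name is the internal zone apex or lies beneath it."""
    return name == INTERNAL_ZONE or name.endswith("." + INTERNAL_ZONE)


def handle_query(msg):
    """Route a query: ('answer'|'nodata'|'nxdomain', packet) for the zone, else ('forward', upstream)."""
    txid, qname, qtype, qclass = parse_question(msg)
    if not in_zone(qname.lower()):
        return "forward", UPSTREAM_RESOLVER      # public name: let the caching resolver handle it
    addr = INTERNAL_HOSTS.get(qname.lower())
    if addr is None:
        return "nxdomain", build_response(txid, qname, qtype, rcode=3)
    if qtype != A_TYPE or qclass != IN_CLASS:
        return "nodata", build_response(txid, qname, qtype)   # name exists, no such record
    return "answer", build_response(txid, qname, qtype, address=addr)


def answer_address(packet):
    """Extract the A address from a response built by build_response (for checks)."""
    return ".".join(str(b) for b in packet[-4:])


if __name__ == "__main__":
    for name in ("fileserver.corp.example.", "www.example.com.", "nosuch.corp.example."):
        kind, result = handle_query(build_query(name))
        print(name, "->", kind, answer_address(result) if kind == "answer" else result)
```

The useful property to check on a real network is the one the thread circles around: names under the internal zone must be answered by the internal server, and everything else must still reach a resolver that can see the public DNS. If a client's active resolver list contains neither (as Travis's VPN adapter did, having received no DNS servers at all), both classes of lookup fail even though each server individually answers when queried directly.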