• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 559
  • Last Modified:

DNS configuration for Fortigate 90D with WAN Link Load Balancing

I have 2 Internet connections each with a router. The routers are both connected as WAN connections to the Fortigate 90D. The connections are from different providers.
I have configured a "Weighted Round Robin" WAN Link Load Balancing Interface and created Policies using this interface.
I use a Ping "Probe Type" for the "Health Check" for each WAN interface.
I specify Primary and Secondary DNS addresses under System -> Network -> DNS
This configuration works "most of the time" but some devices complain of a DNS error and after some hours (8?) many devices on the internal network start to report Internet connection issues. Some devices show this behavior more quickly.
Dropping either WAN link immediately resolves the problem.

A DHCP server is configured on the Internal Interface and the "DNS  Server" option is set to "Same as System DNS"

Firmware is: v5.2.9 build 736
My question is: How should DNS be configured for this set-up if the above is not correct. If the above is correct where else should I look to resolve the problem?
Note: Looking at System -> Fortiview -> “All Sessions”  shows a good mix of both WAN links being used.
  • 5
  • 3
  • 2
1 Solution
Jackie ManCommented:
A DHCP server is configured on the Internal Interface and the "DNS  Server" option is set to "Same as System DNS".

Can you upload your network diagram?

Austrian_DesAuthor Commented:
I'm not sure what information you need as I don't understand why you just copied my text into your answer. However, a simple diagram is attached. If you can ask specific questions I can try to give a more detailed answer.

The firewall is a Fortigate 90D

Jackie ManCommented:
Are your dual wan aiming at providing failover to secondary WAN of LTE when the primary WAN is down?

In practice, it is rare to use a firewall as a DHCP and DNS server for a dual wan setup.

You need another network device on the LAN / internal network to act as the default gateway which acts as DHCP and DNS servers.
Become a Leader in Data Analytics

Gain the power to turn raw data into better business decisions and outcomes in your industry. Transform your career future by earning your MS in Data Analytics. WGU’s MSDA program curriculum features IT certifications from Oracle and SAS.  

Jackie ManCommented:
Actually, I do not have your firewall but we have requested our ISP to make a dual wan setup from two different carriers for high availability and my previous comment is based on our current dual wan setup.

Anyway, maybe the document in the link below can give you some insight.

Austrian_DesAuthor Commented:
The dual WAN config is to increase network performance due to low bandwidth availability at my location.

The document you linked to was the one of the ones I used to create my config.

I have no plans to purchase extra network equipment to provide DHCP / DNS when I have equipment designed for the purpose, unless of course you can provide a more comprehensive reason than "In practice, it is rare to use ..."

While I'm grateful for your input it doesn't seem that you are doing anything to answer my question.

Perhaps there is an expert here who understands FortiOS / WAN / DNS configuration ...

My time is valuable to me which is why I pay for this service and don't just trawl through forums relying on the goodwill of others. Hope you don't mind me saying it straight ...
Austrian_DesAuthor Commented:
I solved this problem myself, but for those who may come here in the future with a similar issue here is the solution:

Diagnostics applied:
1.      From System -> Network -> Interfaces: Right click Wan1 and select “Administrative Down
2.      From a command prompt: nslookup www.google.com. The result showed a successful resolution of the domain name to an IP address. Further, the DNS server and IP of the DNS server were seen. This showed that Wan2 was able to complete a DNS Lookup.
3.      From System -> Network -> Interfaces: Right click Wan1 and select “Administrative Up
4.      From System -> Network -> Interfaces: Right click Wan2 and select “Administrative Down
5.      From a command prompt: nslookup www.google.com. The result was a failure to resolve the address. Clearly the DNS problem lay with Wan1.
6.     From System -> Network -> Interfaces: Right click Wan2 and select “Administrative Up

The DNS configuration (System -> Network -> DNS) contained the DNS server IP address of the ISP for Wan2. My conclusion was that this ISP would not resolve DNS requests from “external” Internet users.

I performed a search for “Public DNS Servers” and found this page:

From there I chose Verisign (for personal reasons I didn’t choose Google) and entered the 2 DNS IP addresses into: System -> Network -> DNS

I disconnected the Wi-Fi connection on my test machine, re-connected and re-ran the above steps 1-6. In both cases the DNS resolved correctly.
you may use routing policies in the fortinet in order to forward selectively to each isp's dns using the proper link. might be useful if their servers are faster. please note that verisign and other free dns providers send their own ips rather than NXDOMAINs for non-existent sites, usually in an attempt to sell the corresponding domain name.

opendns servers work pretty fine, there is also which work fine. i'd recommend using sevral of those.

i'd also recommend you use the dns forwarder in the fortinet. it will use up less sessions and even a small cache is useful on slow internet connections. additionally the dns failover in the fortinet is more reliable than most os's incuding all versions of windows and linux i know of.

also note that dual link setups mess up many web sites and tools such as skype, so just don't always expect them to work well. you probaby can stick each user to a link if you end up with such problems.

i concur : i see little to no reason to use a separate equipment for dns or dhcp in your case.

i don't want or expect points for my 2 cents and could not care less anyway. but please note that most of the people who answer your questions don't get paid and do so out of their own free will or for various personal reasons. some comments are not helpful, and i also got angry with cluttered threads a couple of times while being on the asker's side but please bear in mind that most posts are possibly inefficient but genuine attempts to help.
Austrian_DesAuthor Commented:
Hi - You raise some interesting points about DNS. After making my post I dug a little further into the performance side of my DNS config and used Steve Gibson's great piece of software "DNS Benchmark (https://www.grc.com/dns/benchmark.htm) Once I had built the custom list and then run the benchmarking process I was able to choose the fastest servers. I did this once with only Wan1 active and once with only Wan2 active choosing the best from each and then re-ran with both WANs active. I think I now have a fairly well performing setup now!

As for the difficulty of using Experts Exchange, I think there is a fundamental underlying problem with the proposition that the "asker" has paid for a service which is collected by Experts Exchange however the answers are given by "volunteers". This inevitably leads to frustration because from the "askers" point of view a service has been paid for and not received. From the Experts point of view it seems that just jumping in and offering a vague, generic answer "might" be enough to gain points. On several occasions I have asked questions and then been required to spend time and effort answering questions that are not really related to the question (because if I don't answer how can I expect help) only to discover further down the line that the "Expert" has no direct experience or knowledge of my particular piece of equipment / software. I understand that Experts are driven by a need to gain points but this desire to "help" seems to be at the expense of the real ability to solve the issue. As I mentioned in my post, if I had “just” used a forum then I do so in the full knowledge that I am reliant on the goodwill and time of true volunteers. Although I accept that “Experts” at EE may not get paid directly, they can gain enough points to “unlock” the same service for which I pay. This, in my opinion, amounts to the same as being paid. Or at least there is an equivalence between the answers they give and the rewards they gain.

It is this knowledge that my “Experts” are not necessarily answering from the pure wish to help, but to further their own ends that I find so frustrating. What’s even worse is that if I dare to mention that I am paying for a service then “Experts” become both offended and defensive.

Perhaps there is a page on the EE site that explains that although EE makes a lot of money from paying customers, those same customers should not expect any level of support or service and further should on no account EVER dare to suggest that an “expert” is anything less than exactly that.

Please note: This is absolutely NOT an attack on you “skullnobrains” or any other expert but a heartfelt explanation of my experience using EE.
I was able to choose the fastest servers

bear in mind that the fastest servers will change over time and even quite often depending on the time of day depending on the timezone the heavy users are in. it is also interesting to use dns forwarders/resolvers because they are usually able to send more/all queries to the fastest servers. i don't know about the builtin resolver in the fortinet though.


as far as the policies at EE go, i'm probably not the best person to discuss this with, and the topic question might not be the right place either but i do understand your frustration

in most cases, i noticed that the way questions are formulated, and the quantity of debug tend to have a huge impact on the quality of the answers. it is also helpful to let people know about your level of knowlege, and how much time you did spend and are willing to spend on the problem. then you may or may not be lucky

there is a section dedicated to such discussions somewhere at ee. i've been wondering about setting up a blacklisting and possibly a negative points system but it is difficult to esteem the impact of setting up such things and would most definitely require lots of time from the moderators at least at the beginning...
Austrian_DesAuthor Commented:
I had to solve this myself because no one else would help

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

  • 5
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now