Solved

DNS configuration for Fortigate 90D with WAN Link Load Balancing

Posted on 2016-09-29
10
54 Views
Last Modified: 2016-10-13
I have 2 Internet connections each with a router. The routers are both connected as WAN connections to the Fortigate 90D. The connections are from different providers.
I have configured a "Weighted Round Robin" WAN Link Load Balancing Interface and created Policies using this interface.
I use a Ping "Probe Type" for the "Health Check" for each WAN interface.
I specify Primary and Secondary DNS addresses under System -> Network -> DNS
This configuration works "most of the time" but some devices complain of a DNS error and after some hours (8?) many devices on the internal network start to report Internet connection issues. Some devices show this behavior more quickly.
Dropping either WAN link immediately resolves the problem.

A DHCP server is configured on the Internal Interface and the "DNS  Server" option is set to "Same as System DNS"

Firmware is: v5.2.9 build 736
My question is: How should DNS be configured for this set-up if the above is not correct. If the above is correct where else should I look to resolve the problem?
Note: Looking at System -> Fortiview -> “All Sessions”  shows a good mix of both WAN links being used.
0
Comment
Question by:Austrian_Des
  • 5
  • 3
  • 2
10 Comments
 
LVL 41

Expert Comment

by:Jackie Man
ID: 41822466
A DHCP server is configured on the Internal Interface and the "DNS  Server" option is set to "Same as System DNS".

Can you upload your network diagram?

.
0
 

Author Comment

by:Austrian_Des
ID: 41822995
I'm not sure what information you need as I don't understand why you just copied my text into your answer. However, a simple diagram is attached. If you can ask specific questions I can try to give a more detailed answer.

The firewall is a Fortigate 90D

Network-Diagram.jpg
0
 
LVL 41

Expert Comment

by:Jackie Man
ID: 41823103
Are your dual wan aiming at providing failover to secondary WAN of LTE when the primary WAN is down?

In practice, it is rare to use a firewall as a DHCP and DNS server for a dual wan setup.

You need another network device on the LAN / internal network to act as the default gateway which acts as DHCP and DNS servers.
0
 
LVL 41

Expert Comment

by:Jackie Man
ID: 41823190
Actually, I do not have your firewall but we have requested our ISP to make a dual wan setup from two different carriers for high availability and my previous comment is based on our current dual wan setup.

Anyway, maybe the document in the link below can give you some insight.

http://docs.fortinet.com/uploaded/files/1646/using-two-ISPs-for-redundant-Internet-connections.pdf
using-two-ISPs-for-redundant-Interne.pdf
0
 

Author Comment

by:Austrian_Des
ID: 41823212
The dual WAN config is to increase network performance due to low bandwidth availability at my location.

The document you linked to was the one of the ones I used to create my config.

I have no plans to purchase extra network equipment to provide DHCP / DNS when I have equipment designed for the purpose, unless of course you can provide a more comprehensive reason than "In practice, it is rare to use ..."

While I'm grateful for your input it doesn't seem that you are doing anything to answer my question.

Perhaps there is an expert here who understands FortiOS / WAN / DNS configuration ...

My time is valuable to me which is why I pay for this service and don't just trawl through forums relying on the goodwill of others. Hope you don't mind me saying it straight ...
0
Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

 

Accepted Solution

by:
Austrian_Des earned 0 total points
ID: 41834948
I solved this problem myself, but for those who may come here in the future with a similar issue here is the solution:

Diagnostics applied:
1.      From System -> Network -> Interfaces: Right click Wan1 and select “Administrative Down
2.      From a command prompt: nslookup www.google.com. The result showed a successful resolution of the domain name to an IP address. Further, the DNS server and IP of the DNS server were seen. This showed that Wan2 was able to complete a DNS Lookup.
3.      From System -> Network -> Interfaces: Right click Wan1 and select “Administrative Up
4.      From System -> Network -> Interfaces: Right click Wan2 and select “Administrative Down
5.      From a command prompt: nslookup www.google.com. The result was a failure to resolve the address. Clearly the DNS problem lay with Wan1.
6.     From System -> Network -> Interfaces: Right click Wan2 and select “Administrative Up

The DNS configuration (System -> Network -> DNS) contained the DNS server IP address of the ISP for Wan2. My conclusion was that this ISP would not resolve DNS requests from “external” Internet users.

I performed a search for “Public DNS Servers” and found this page:
http://pcsupport.about.com/od/tipstricks/a/free-public-dns-servers.htm

From there I chose Verisign (for personal reasons I didn’t choose Google) and entered the 2 DNS IP addresses into: System -> Network -> DNS

I disconnected the Wi-Fi connection on my test machine, re-connected and re-ran the above steps 1-6. In both cases the DNS resolved correctly.
0
 
LVL 26

Expert Comment

by:skullnobrains
ID: 41836108
you may use routing policies in the fortinet in order to forward selectively to each isp's dns using the proper link. might be useful if their servers are faster. please note that verisign and other free dns providers send their own ips rather than NXDOMAINs for non-existent sites, usually in an attempt to sell the corresponding domain name.

opendns servers work pretty fine, there is also 4.2.2.1-6 which work fine. i'd recommend using sevral of those.

i'd also recommend you use the dns forwarder in the fortinet. it will use up less sessions and even a small cache is useful on slow internet connections. additionally the dns failover in the fortinet is more reliable than most os's incuding all versions of windows and linux i know of.

also note that dual link setups mess up many web sites and tools such as skype, so just don't always expect them to work well. you probaby can stick each user to a link if you end up with such problems.

i concur : i see little to no reason to use a separate equipment for dns or dhcp in your case.

i don't want or expect points for my 2 cents and could not care less anyway. but please note that most of the people who answer your questions don't get paid and do so out of their own free will or for various personal reasons. some comments are not helpful, and i also got angry with cluttered threads a couple of times while being on the asker's side but please bear in mind that most posts are possibly inefficient but genuine attempts to help.
1
 

Author Comment

by:Austrian_Des
ID: 41836436
Hi - You raise some interesting points about DNS. After making my post I dug a little further into the performance side of my DNS config and used Steve Gibson's great piece of software "DNS Benchmark (https://www.grc.com/dns/benchmark.htm) Once I had built the custom list and then run the benchmarking process I was able to choose the fastest servers. I did this once with only Wan1 active and once with only Wan2 active choosing the best from each and then re-ran with both WANs active. I think I now have a fairly well performing setup now!

As for the difficulty of using Experts Exchange, I think there is a fundamental underlying problem with the proposition that the "asker" has paid for a service which is collected by Experts Exchange however the answers are given by "volunteers". This inevitably leads to frustration because from the "askers" point of view a service has been paid for and not received. From the Experts point of view it seems that just jumping in and offering a vague, generic answer "might" be enough to gain points. On several occasions I have asked questions and then been required to spend time and effort answering questions that are not really related to the question (because if I don't answer how can I expect help) only to discover further down the line that the "Expert" has no direct experience or knowledge of my particular piece of equipment / software. I understand that Experts are driven by a need to gain points but this desire to "help" seems to be at the expense of the real ability to solve the issue. As I mentioned in my post, if I had “just” used a forum then I do so in the full knowledge that I am reliant on the goodwill and time of true volunteers. Although I accept that “Experts” at EE may not get paid directly, they can gain enough points to “unlock” the same service for which I pay. This, in my opinion, amounts to the same as being paid. Or at least there is an equivalence between the answers they give and the rewards they gain.

It is this knowledge that my “Experts” are not necessarily answering from the pure wish to help, but to further their own ends that I find so frustrating. What’s even worse is that if I dare to mention that I am paying for a service then “Experts” become both offended and defensive.

Perhaps there is a page on the EE site that explains that although EE makes a lot of money from paying customers, those same customers should not expect any level of support or service and further should on no account EVER dare to suggest that an “expert” is anything less than exactly that.

Please note: This is absolutely NOT an attack on you “skullnobrains” or any other expert but a heartfelt explanation of my experience using EE.
0
 
LVL 26

Expert Comment

by:skullnobrains
ID: 41837985
I was able to choose the fastest servers

bear in mind that the fastest servers will change over time and even quite often depending on the time of day depending on the timezone the heavy users are in. it is also interesting to use dns forwarders/resolvers because they are usually able to send more/all queries to the fastest servers. i don't know about the builtin resolver in the fortinet though.

--

as far as the policies at EE go, i'm probably not the best person to discuss this with, and the topic question might not be the right place either but i do understand your frustration

in most cases, i noticed that the way questions are formulated, and the quantity of debug tend to have a huge impact on the quality of the answers. it is also helpful to let people know about your level of knowlege, and how much time you did spend and are willing to spend on the problem. then you may or may not be lucky

there is a section dedicated to such discussions somewhere at ee. i've been wondering about setting up a blacklisting and possibly a negative points system but it is difficult to esteem the impact of setting up such things and would most definitely require lots of time from the moderators at least at the beginning...
0
 

Author Closing Comment

by:Austrian_Des
ID: 41841660
I had to solve this myself because no one else would help
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now