FortiGate AT&T fiber issue

Hello everyone, I’ve made a recent change to AT&T for the fiber gig speed for my home network lab that I have utilizing an FGT 60F model as my layer 3 device. The issue that I’m running into is that AT&T requires the modem (BGW 320 model) to be used as part of the topology, so I’ve enabled passthrough mode on it, disabled any firewall rules on the modem, and disabled Wi-Fi broadcast as well. That worked partially because my public IP is showing up on the WAN1 int, but when it’s assigning IP addresses automatically to end devices, the DNS is showing up as the standard “192.168.1.254” IP address. I’ve gone to the DNS settings on the FGT to manually set the DNS server, but to no avail. Has anyone run into this issue when utilizing the AT&T fiber and if so, what would be the solution for this?

P.S. my topology is this:
BGW 320 modem > FGT 60F > 2960 Cisco Switch > End devices

Vlans:
10 & 20, Native is 99.

It should be mentioned that the lab was working just fine when I was with Xfinity and I didn’t change anything except moving the connection of the modems. The static route on the FGT has been updated and there are policies for the VLANs with no security profiles to interfere. I believe the issue is with the DNS, because one thing I noticed when trying to tracert or ping is that the DNS cannot be resolved. I confirmed this when trying to go to any websites: it cannot be resolved due to the DNS being the modem’s IP, and manually configuring the DNS doesn’t seem to work either, nor does dynamic.

-TIA

Update: just want to say thanks to everyone who has commented on this post. It was really helpful and I’m able to access the internet via my home lab setup. I sat there and reviewed everyone’s input to ensure I’d tried everything. The issue ended up being that while the WAN1 int was receiving the public IP via the DHCP method, a static route would be configured but with the wrong gateway via AT&T. I needed to make the WAN1 int static and then assign the gateway from AT&T. I feel dumb because I said I did this until I looked again and realized I missed that step. Thank you everyone for the help.

Take a look at the VLAN interfaces, expand “advanced” on the DHCP server section, and check that you’re manually specifying valid DNS servers. I’d use Google or Cloudflare DNS over Fortinet DNS servers; I’d use AT&T DNS over Google or Cloudflare just for faster RTT times most likely. (YMMV on that)

The DNS issue can be resolved by going under the FG WAN interface and turning off that DNS checkbox

Power cycle the modem a few times and confirm that passthrough is still enabled.

The DNS servers used on the upstream might be restricted.
When using DHCP on the WAN1 interface there is the option to use the DNS servers obtained.
It should also have an option to use the default gateway.

The obtained DNS should be mentioned in the interface screen once it has gotten DHCP info.

The routing to 0.0.0.0/0.0.0.0 should be mentioned in the routing monitor/network dashboard.

You can test DNS from the FortiGate CLI using execute ping using IP and FQDN.
Try with IP first, test the gateway shown in the routing monitor, then test the obtained DNS IPs, then something like Cloudflare / Google / Quad9 etc.
If all this is ok, try FQDN (www.google.com) etc. to check DNS functionality.

Note: you might need to switch the method used by the FortiGate itself on the DNS server page to use UDP / TCP / TLS etc. This will affect the FortiGate itself and the clients if DNS/Web filtering is used. Without DNS/Web filtering, clients won’t be affected.
If this info is present and everything is working correct, you can adjust the DHCP service on the LAN / INTERNAL to “use system dns” and it will use values set by the WAN1 obtained DNS.

When the client has received DHCP you should be able to see the DNS servers be the same as the FortiGate WAN1 obtained DNS.

The default gateway for the client should usually be the FortiGate.

After all this is ok, it’s a matter of making the correct policies from LAN to WAN and test IPs / FQDN again.
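Pulling together the fix the original poster reports in the update (WAN1 set to static with the AT&T-supplied gateway and a matching default route) and the DNS/DHCP checklist in the reply above (FortiGate system DNS on plain port 53, DHCP clients handed the system DNS, a LAN-to-WAN policy), here is a FortiOS CLI fragment added as an illustration. It is not from the thread or from Fortinet; the interface name "vlan10", the WAN addresses (RFC 5737 203.0.113.0/24) and the 10.10.10.0/24 client subnet are placeholders to be replaced with the public IP and gateway the BGW320 hands out in passthrough mode and your own VLAN subnet. Lines starting with `#` are comments and can be dropped when pasting into the CLI.

```fortios
# WAN1 as a static interface: the public IP and netmask the BGW320
# passthrough assigns to the FortiGate (placeholder values).
config system interface
    edit "wan1"
        set mode static
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping
    next
end

# Default route towards the AT&T gateway. With mode static there is no
# DHCP-learned default route, so this entry has to carry the right gateway.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
    next
end

# System DNS used by the FortiGate itself: public resolvers, plain UDP/TCP 53
# (cleartext) rather than DoT/DoH, as suggested in the thread.
config system dns
    set primary 1.1.1.1
    set secondary 8.8.8.8
    set protocol cleartext
end

# DHCP server on the client VLAN: "dns-service default" is the CLI form of
# "use system DNS", so clients get 1.1.1.1 / 8.8.8.8 instead of 192.168.1.254.
config system dhcp server
    edit 1
        set interface "vlan10"
        set default-gateway 10.10.10.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.10.10.100
                set end-ip 10.10.10.200
            next
        end
    next
end

# LAN-to-WAN policy with NAT; without it nothing from the VLAN reaches the
# gateway or the resolvers even when routing on the FortiGate itself works.
config firewall policy
    edit 1
        set name "vlan10-to-wan1"
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After applying this, the staged check from the reply above still applies: `execute ping 203.0.113.1` (gateway), then `execute ping 1.1.1.1`, then `execute ping www.google.com` from the FortiGate CLI, and the same sequence from a client after it renews its lease. If the client gets replies from 8.8.8.8 but cannot resolve names, the DHCP `dns-service` setting or the policy is the place to look; if the FortiGate itself cannot reach the gateway, the static route or the WAN1 addressing is wrong.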

Reset your sessions

Reconfigure DNS servers

Power cycle the modem

Make sure you can use a laptop with the static IP on it as the DHCP lease you got in the firewall

Test DNS from the firewall: exec ping 1.1.1.1 for routing and then exec ping cnn.com for DNS from the firewall internally.

This is ATT consumer service, no doubt?

Which device was providing DNS when you were using DHCP?

And what firmware are you using?

I would make sure that if you are using v7.0 or v7.2, your DNS setting in the Gate is straight TCP 53 and not DNS over HTTPS or anything else for now.

Not sure if you have tried this, but you might disable “override internal DNS”. It’s under the WAN interface configuration. This will keep your clients using the FortiGate as their DNS server and not the AT&T device.

Doing it via the VLAN int was an idea I didn’t try until you mentioned it, so thank you for that, but it did not work either. I did set the DNS via the tab to 4.2.2.2 and configured the WAN IP to manual instead of DHCP, and that seems to have gotten me an Ethernet icon and it says I’m connected, but I still cannot ping or go to websites.

Tried this as well but to no avail. I did try setting the DNS on the FGT to 4.2.2.2 via the DNS tab and now I’m seeing an Ethernet connection, but I still cannot ping or go to the internet even though I have an Ethernet connection.

Passthrough was still enabled but to no avail.

It says the FGT is providing the DNS based on the settings I put in, and I use it for DHCP as well. My firmware is 7.2.3.

Can you ping from the firewall itself? You likely aren’t receiving your default gateway now (would’ve come from dhcp on your wan port if you were a dhcp client).

ip a on a Mac / Linux, or ipconfig on windows — what’s your dns server? Nslookup also works to figure this out. You can override in nslookup with “server 8.8.8.8”. Have you rebooted / renewed your lease since changing the dns on the vlan dhcp? Otherwise workstation still using old.

If you can ping from the firewall, then routing is good. Go to workstation and ping 8.8.8.8 and see if it replies. If it does, then your problem is dns.

BGW 320 modem

This happened to a few on my client’s sites. There are 3 ways that I resolved this.

  1. Request a downgrade to the BGW210 modem which is more fortigate friendly.
  2. Call it into ATT and have one of their techs take a look at the config. If I recall, there is an ISP specific option that is not available to the customer. What that setting is, I don’t recall.
  3. Convert to a static IP.

Just re-read your symptoms; it does sound like a DNS issue. Can you ping quad 8? The solution provided was for the FortiGate not getting a public IP and not forwarding packets.

You should consider upgrading to 7.2.5. As always, check the notes, but that has been a very stable version for me, and corrects a number of security vulnerabilities.

Now, definitely check the DNS page to be sure that DNS is straight TCP 53.

If your device is the one providing DHCP, then “192.168.1.254” shouldn’t automatically be there, unless that is what is being provided by the upstream DHCP server to your firewall’s WAN port.

But that won’t impact what your internal customers see as their DNS.

So I am able to ping the FGT from the client desktop. I actually turned off DHCP on the WAN int and manually put in my public IP address, but that didn’t work either. On the Windows client my DNS is coming back as 4.2.2.2 due to me setting it to that on the FGT via the DNS tab found under Network. I believe that my DNS is not being resolved, maybe due to a policy.

Lack of policy, or again you didn’t mention adding the default route. Network > static routes. You need a 0.0.0.0 route via your gateway from AT&T.

Default route is already configured via ATT gateway on the FGT, but I’ll take another look at the policies