Fortinet Document Library

New Features

7.0.0

DNS configuration for local standalone NAT VAPs 7.0.1

For SSIDs in local standalone NAT mode, up to three DNS servers can be defined and assigned to wireless endpoints through DHCP.

Example

In this example, an SSID (wifi.fap.01) is configured in local standalone mode with local standalone NAT enabled. Two DNS servers are specified so that wireless endpoints receive the DNS server IP addresses through DHCP when the endpoints connect to the SSID.

To configure the DNS servers and confirm that they are propagated to the endpoints:
  1. Configure a VAP:

    config wireless-controller vap
        edit "wifi.fap.01"
            set ssid "wifi-ssid.fap.01"
            set passphrase **********
            set local-standalone enable
            set local-standalone-nat enable
            set local-standalone-dns enable
            set local-standalone-dns-ip 8.8.8.8 8.8.4.4
            set local-bridging enable
            set local-authentication enable
        next
    end
  2. Check the configured DNS server:

    # diagnose wireless-controller wlac -c wlan wifi.fap.01
    WLAN (001/002) vdom,name: vdom1, wifi.fap.01
         vlanid             : 0 (auto vlan intf disabled)
         ...
         mesh backhaul      : disabled
         local standalone   : enabled (nat enabled 0.0.0.0/0.0.0.0 lease 2400 dns enabled dns-ip 8.8.8.8 8.8.4.4)
         local bridging     : enabled
         ...
         ldpc config        : rxtx
         mf acl cfg         : disabled, allow, 0 entries
      WTP 0001              : 3, FP431FTF20013818
          ---- 3-10.100.100.230:5246 (13 - CWAS_RUN)
  3. On the managed FortiAP, verify the configuration:

    FortiAP-431F # vcfg
    -------------------------------VAP Configuration    1----------------------------
    Radio Id  1 WLAN Id  0 wifi-ssid.fap.01 ADMIN_UP(INTF_UP) init_going 0.0.0.0/0.0.0.0 unknown (-1)
               vlanid=0, intf=wlan10, vap=0xb85018, bssid=e0:23:ff:b5:2a:40
               11ax high-efficiency=enabled target-wake-time=enabled bss-color=0 partial=enabled
               mesh backhaul=disabled
               local_auth=enabled standalone=enabled nat_mode=enabled
               standalone_dns=enabled dns_ip=8.8.8.8,8.8.4.4
               bandsteering=disabled
               ...
               primary wag:
               secondary wag:
    -------------------------------Total    1 VAP Configurations----------------------------
    FortiAP-431F # dhcpconf
    # dhcpd.conf
    
    default-lease-time 2400;
    max-lease-time 8640000;
    option domain-name-servers 172.17.254.148,208.91.112.53;
    ddns-update-style none;
    authoritative;
    
    # intf br.nat.0
    subnet 192.168.116.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.116.255;
        option routers 192.168.116.1;
        option domain-name-servers 8.8.8.8,8.8.4.4;
        range 192.168.116.20 192.168.116.249;
        default-lease-time 2400;
    }
    FortiAP-431F # acconf | grep dns
    local_st_dns_1_0=1
    sz_st_dns_ip_1_0=2
    local_st_dns_ip_list[0]_1_0=8080808
    local_st_dns_ip_list[1]_1_0=8080404
  4. Check the SSID and DNS configuration on a Linux client connected to that SSID:

    # iwconfig
    wlan0     IEEE 802.11  ESSID:"wifi-ssid.fap.01" 
              Mode:Managed  Frequency:5.22 GHz  Access Point: E0:23:FF:B5:2A:40  
              Bit Rate=260 Mb/s   Tx-Power=200 dBm  
              ...
    
    #  resolvectl status | grep -1 'DNS Server'
        DNSSEC supported: no
      Current DNS Server: 8.8.8.8
             DNS Servers: 8.8.8.8
                          8.8.4.4
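
The DNS servers handed out by the FortiAP decide where every client on the SSID resolves names, so the values in steps 3 and 4 are worth checking against an approved list rather than by eye. The following is an added example, not Fortinet code: it parses captured `dhcpconf` and `acconf | grep dns` output and reports any drift. The function names are hypothetical, and it assumes that a subnet-level `option domain-name-servers` overrides the global one (standard dhcpd scoping) and that the `local_st_dns_ip_list` values are hexadecimal IPv4 addresses without leading zeros, which matches the two values shown on this page.

```python
import ipaddress
import re

# Constructed sample: trimmed copies of the `dhcpconf` and `acconf | grep dns`
# output shown in step 3 of this page.
DHCPCONF = """\
option domain-name-servers 172.17.254.148,208.91.112.53;
# intf br.nat.0
subnet 192.168.116.0 netmask 255.255.255.0 {
    option routers 192.168.116.1;
    option domain-name-servers 8.8.8.8,8.8.4.4;
    range 192.168.116.20 192.168.116.249;
}
"""
ACCONF = """\
local_st_dns_1_0=1
sz_st_dns_ip_1_0=2
local_st_dns_ip_list[0]_1_0=8080808
local_st_dns_ip_list[1]_1_0=8080404
"""

DNS_OPT = re.compile(r"option\s+domain-name-servers\s+([^;]+);")
SUBNET = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{([^}]*)\}")

def _servers(text):
    m = DNS_OPT.search(text)
    return [s.strip() for s in m.group(1).split(",")] if m else None

def effective_dns(dhcpd_conf):
    """Map each subnet to the DNS servers its clients are actually offered."""
    global_dns = _servers(SUBNET.sub("", dhcpd_conf)) or []
    result = {}
    for net, mask, body in SUBNET.findall(dhcpd_conf):
        subnet = str(ipaddress.ip_network(f"{net}/{mask}"))
        result[subnet] = _servers(body) or global_dns  # subnet scope wins
    return result

def acconf_dns(acconf):
    """Decode local_st_dns_ip_list values (assumed hex IPv4, no leading zeros)."""
    vals = re.findall(r"local_st_dns_ip_list\[\d+\]\S*=([0-9a-fA-F]+)", acconf)
    return [str(ipaddress.ip_address(int(v, 16))) for v in vals]

def dns_drift(expected, dhcpd_conf, acconf):
    """Return findings where offered or stored DNS differs (order-sensitive)."""
    findings = [f"{net}: offers {dns}" for net, dns in
                effective_dns(dhcpd_conf).items() if dns != expected]
    if acconf_dns(acconf) != expected:
        findings.append(f"acconf: stores {acconf_dns(acconf)}")
    return findings
```

An empty list from `dns_drift` means the NAT subnet and the stored AP configuration both carry the expected servers; a subnet block with no DNS option of its own is reported with the global servers it would inherit.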
