    Windows Clients cannot access the internet, very strange unexpected DNS problem.

    DHCP and DNS
IrixOS @johnpoz

@johnpoz Yes it might be a mess, should I be ashamed? The left side is a three-tier model and multiple links are common, correct me? As for the port-channels, it technically works.
IrixOS @johnpoz

@johnpoz The 1 Gigabit internet speed might change some time in the future, right?
johnpoz LAYER 8 Global Moderator @IrixOS

@IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

    to have the feeling being on an enterprise network,

I can tell you right now, enterprise networks don't use /20s.. Not any of the ones I have been on, or companies I have worked for or supported in 30 some years of doing this ;) I have seen customers use a /16 for their printer vlan - they had maybe 100 tops.. But that was just because the guy didn't have a clue....

Sure you plan out an IP scheme for a location, sure you leave room for growth, so you can add more devices to a specific vlan/network if you need to.. But unless you have or know for sure that sometime real soon you're going to be over a /24, use a /24 to keep it simple!! Leave room before the next network so you can expand that network if you want before bumping into the next one.. Sure, leave room so it could grow to a /20 if you want..

Go try and work in a DC for a couple of hours.. It won't be music to your ears ;) hehehehe

If you want to lab with routing protocols - great, more power to you.. But I wouldn't be playing around with ospf, nobody uses that any more.. I haven't seen that used anywhere in years and years and years.. BGP is what is used in any actual enterprise network. Got to be at least 20 some years since I have seen that used anywhere.. eigrp sure.. Still see that hanging around in some shops.. I have a change tomorrow actually to remove some old eigrp config that was sitting on some routers at a site that was acquired years ago and just needs to be cleaned up.. Since it's no longer needed, bgp is doing all the routing.

Here is what I suggest you do - take your "production" and make it as simple as possible!! If you want to lab, then do it on your lab/learn.. Do it on your lab.. Not your network.. Be it actual users going to yell when something's not working, or just the wife and kids going to yell when they can't watch netflix.. You shouldn't lab in what is "production"

Also if you want to play with routing - play with it being multiple sites, not all the same network.. You're going to notice companies collapsing their networks, reducing equipment; routing is done at the distribution layer or the core for a large campus.. But unless it is a huge campus that is really spread out and really is more like different sites, you are seeing the distribution layer collapse and route just at what is being called the core.. But the typical core, distribution, access layer is still quite common.. Looking at that drawing I don't see the 3 layers of your traditional network.. No "enterprise" would be set up like that..

You want your network to be simple; simple is easier and faster to find where the problem is.. You want it to be redundant so failure can happen and the network still functions.. I don't see simple in that setup, I see a pain in the ass to troubleshoot, I see multiple places for problems to happen and just break everything..

And don't pay attention to the text? Documentation is key in any network.. If you're going to do a drawing it should be easy to read, it should be well documented and correct! Or you might as well just throw it out.. Because it's useless, and if anything it's going to lead you down the wrong path trying to fix something.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11
IrixOS @johnpoz

@johnpoz

I have 2x 3750G series, 1x 3750E, 4x 4948 series and some X2 and SFP modules, what do you recommend I should do then?

According to the cisco pages, the left side represents a three-tier model: the access switches are connected to both HSRP routers, each switch for a given vlan has a 10Gbit port monitored, and the vlan traffic is routed to the middle switch/router. Okay, the links in between might be overkill, what do you think I should do then?
As for the switch connected to the servers, it has some redundancy; are these servers supposed to be in a private vlan? I read that servers are interconnected in a ToR topology.

What do you want me to do next? How would you design it?
IrixOS @johnpoz

@johnpoz I am sorry mate.
johnpoz LAYER 8 Global Moderator @IrixOS

@IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

    How would you design it?

For what the couple of boxes you have shown... I would throw it all out and just get 1 switch, and connect that to pfsense and let it route.. I see nothing on that drawing that suggests you need any of that... I don't even see an arrow that says 200 users here, or 50 users, or anything that would justify anything near that complexity..

It looks like you threw together some stuff to try and lab something.. But not sure what you wanted to lab.. And had a bunch of cables laying around and figured what the hell, let's plug them all in ;)

For the single devices you show - you don't even show what vlans they are in?? From what I can tell they are all in the single /20

You have 2 networks, this 10.214.48 and then some 10.214.64/s that look like transits? Is your 10.214.48 your management vlan?

But I can't tell what is actually doing routing? And for what networks? How much data flow is actually needed?

If you got some gear and you want to play/learn - great, do that.. But I wouldn't run your actual whatever network on it.. If you want to hang your lab off of some transit network on pfsense or even multiple vlans off pfsense for your "lab" then do that... But your PC to get to the internet or other devices you use like your nas/filer or DC, etc. that shouldn't sit on what you're labbing on.
IrixOS @johnpoz

@johnpoz Rough but honest...
IrixOS @johnpoz

@johnpoz I have one space with my PCs, and a virtual server and a file server I don't want to hear in another room. Between the rooms there is a corridor. There are two SC-type fiber links built into cable trays mounted against the wall to access the servers.

What should I do? That's one switch more to interconnect the rooms.
bmeeks @IrixOS

@IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

    What should I do? That's one switch more to interconnect the rooms.

We are not trying to be "mean" with the critique. Just stating that you have created a hideously complex network just to connect a few PCs and two servers together. And its complexity is leading to random and strange failures such that your network periodically goes "down", as in devices can't seem to talk to each other. A little fiddle here or a tweak there and it starts working for a bit, then crashes again. This kind of uncertainty is what unnecessary complexity breeds.

All you need is at most two switches. One in the room with your PCs and another in the room with your servers. Connect the two switches via that existing fiber. If you want to, and have switches that support it, you could buy 10 Gig SFP modules and connect the two switches with redundant 10 Gig links. Or you could just keep it simple and connect them over a single 10 Gig link. That would be more than enough for a home network.

Connect a port on the PC room switch to the pfSense LAN port and you are good to go. A nice simple flat network. I would keep it a /24 since you don't even have a dozen devices. There's plenty of room to grow. You could always add VLANs later.
IrixOS @bmeeks

@bmeeks There are actually three rooms:

1. Where the servers reside
2. My space where the PCs reside
3. A smaller space where the internet connection comes in

Between 1 and 2, I have a dual fiber link connected with 10GB X2.

Accessing the servers in the room where the servers reside requires dot1q encapsulation, so I don't know in which rack and in which space I have to install the L3 device.

I had no UTP cables lying around, I bought them brand new; the connector and the coating are so finely fabricated, I like the stiff cables, too bad I cannot use them, I exaggerated.
Glad you came along.

So no hsrp, I really wanted to see it working in real life.
bmeeks @IrixOS

@IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

    To access the servers in the room where the servers reside it requires dot1q encapsulation

No it does not (or at least it should not). You seem intent on making this as complicated as possible and don't seem open to honest advice from folks that have been doing this for 30 years or more.

You started this whole 97 post thread because your setup was not working reliably. After quite a bit of back and forth to pull information out of you, we finally got a drawing posted and both @johnpoz and I are like OMG! What a convoluted and complicated mess! We gave you some suggestions to simplify it and have a reliable home network. I'm assuming this is a home network because you have not stated otherwise, and a serious business enterprise would not be using a VDSL Internet connection.

I wish you the best in this endeavor, but I'm bowing out.
IrixOS @bmeeks

@bmeeks Okay, who said I am not open to listening? 'and a serious business enterprise would not be using a VDSL internet connection' Don't you think I knew that? 👏
IrixOS @johnpoz

@johnpoz Yes I see your point.

Two catalysts, average power consumption 212 Watts with one PSU each.
johnpoz LAYER 8 Global Moderator @IrixOS

@IrixOS yeah, common mistake users make.. Oh I can pick up some enterprise switch for cheap and just use that.. Sure ok you save some bucks up front.. But then they sound like a jet taking off, and they suck 200W or something, and any money you saved is eaten away in a year or two in your added electricity cost even if you don't have an issue with the noise.

And sure it's great they have lots of great features.. But you're better off buying some fanless small business or entry level switch that has the features you need.. But quiet and sucks little power.

My main switch is a cisco sg300-28.. fanless, sucks like 20W max and has 28 ports to work with. Has a very rich feature set, maybe not as full blown as a catalyst.. But everything I would even need on my home network, and it can even route if I wanted it to.. In my AV cab in the living room I have a sg300-10, also low power, same feature rich as the -28... I do multicast filtering with some ACLs, I run vlans, there is really nothing I could think of from a full enterprise feature set that I would want that I can not do.. The syntax of commands is a bit off on some commands compared to a full catalyst.. But for many it's exactly the same.. I can manage it via ssh, or even web, and it has a console port I can console into if need be.

Cost me 200 bucks, let's do some math.. Let's say I picked up some catalyst full blown enterprise switch that sucks 200W for 50 bucks..

[image: 12cents.jpg]

So my switch in the first year cost me 220 bucks total, but that "cheap" enterprise switch is going to cost me 260.. Just in year 1.. What if you're paying way more than 12 cents per kwh.. What's your cost of operating that switch for say 3 years or 5..

So in 5 years I am out 300 bucks in total cost running my switch.. Versus say 1100.. I can't imagine what that would cost if you were paying like 30 cents per kwh.. Well I can do the math, 2700.. How many do you have? ;)

If you want to lab sure, pick up some of those enterprise switches - but leave them off unless you're actively working on something in your lab..

Other advantage is if I lose power my full network and APs are up for like 30 minutes because of a couple of UPSes.. And they don't make a sound.. My 28 port switch is on my desk.. Other than the blinking lights you wouldn't know it's there because it makes zero noise!!
A Former User @IrixOS

@IrixOS

I see you have inter-VLAN routing done on a routing switch and some issues with it, so I'll share my experience with it.

Adding pfSense to a configuration like that may be painful. I think a couple of defaults offered by pfSense are the main cause of it.

In a configuration where inter-VLAN routing is done on a switch, it is necessary to create a static route to the local network on the Internet gateway, and you've done it. Unlike in other products, in pfSense that requires defining a gateway for that static route locally. This gateway is monitored by pfSense by default and may be automatically selected as the default gateway or marked as down. I have experienced it myself. That causes serious issues since you may not be able to access pfSense through that gateway. And with a /30 on the subnet, the only option is to unplug the router and plug in an admin workstation for L2 access if you do not have a monitor and keyboard attached.

To avoid those issues, I've changed the default gateway setting from Automatic to WAN and disabled the monitoring of the LAN gateway. Actually, I have also disabled the monitoring of the WAN gateway since I have only one WAN gateway. That seems to help. I also virtualized pfSense on my mini-PC and use a /28 on the subnet. This gives me remote terminal access to pfSense as well as L2 access to its Web admin through an additional VM workstation on the hypervisor.

BTW, like johnpoz, I use CISCO small business switches. No compatibility issues with pfSense.
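The two pfSense defaults this post blames, as an added audit example that is not from the thread or from pfSense itself: it parses a constructed config.xml fragment, flags a static-route next-hop gateway that pfSense still monitors and a default gateway left on Automatic, and produces the hardened form. The element names (`gateway_item`, `monitor_disable`, `defaultgw4`, `staticroutes`) and the convention that an empty `defaultgw4` means Automatic are assumptions to verify against a real backup; the addresses are made up.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml fragment in pfSense's layout, not a real backup.
# Element names and the "empty defaultgw4 means Automatic" convention are
# assumptions; check them against your own pfSense backup. Addresses are made up.
SAMPLE_CONFIG = """<pfsense>
  <gateways>
    <gateway_item><interface>wan</interface><gateway>203.0.113.1</gateway>
      <name>WANGW</name><ipprotocol>inet</ipprotocol></gateway_item>
    <gateway_item><interface>lan</interface><gateway>10.214.64.2</gateway>
      <name>CORESW</name><ipprotocol>inet</ipprotocol></gateway_item>
    <defaultgw4></defaultgw4>
  </gateways>
  <staticroutes>
    <route><network>10.214.48.0/20</network><gateway>CORESW</gateway></route>
  </staticroutes>
</pfsense>"""


def _gateways(root):
    """Map gateway name -> interface, address and whether pfSense monitors it."""
    out = {}
    for gw in root.iterfind("./gateways/gateway_item"):
        out[gw.findtext("name")] = {
            "interface": gw.findtext("interface"),
            "address": gw.findtext("gateway"),
            # an empty <monitor_disable/> element, when present, turns monitoring off
            "monitored": gw.find("monitor_disable") is None,
        }
    return out


def audit(config_xml):
    """Findings for the two defaults the post blames: Automatic default-gateway
    selection, and a monitored non-WAN gateway used as a static-route next hop."""
    root = ET.fromstring(config_xml)
    gws = _gateways(root)
    findings = []
    if not (root.findtext("./gateways/defaultgw4") or "").strip():
        findings.append("defaultgw4 is Automatic: a LAN-side gateway can be promoted to default")
    for route in root.iterfind("./staticroutes/route"):
        name, net = route.findtext("gateway"), route.findtext("network")
        gw = gws.get(name)
        if gw is None:
            findings.append(f"route {net} references unknown gateway {name}")
        elif gw["interface"] != "wan" and gw["monitored"]:
            findings.append(f"gateway {name} ({gw['address']}) for route {net} is still monitored")
    return findings


def harden(config_xml):
    """Return the config with defaultgw4 pinned to the WAN gateway and monitoring
    disabled on every non-WAN gateway that a static route points at."""
    root = ET.fromstring(config_xml)
    gws = _gateways(root)
    wan = next((n for n, g in gws.items() if g["interface"] == "wan"), None)
    if wan is not None:
        dgw = root.find("./gateways/defaultgw4")
        if dgw is None:
            dgw = ET.SubElement(root.find("./gateways"), "defaultgw4")
        dgw.text = wan
    used = {r.findtext("gateway") for r in root.iterfind("./staticroutes/route")}
    for item in root.iterfind("./gateways/gateway_item"):
        name = item.findtext("name")
        if name in used and gws[name]["interface"] != "wan" and gws[name]["monitored"]:
            ET.SubElement(item, "monitor_disable")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
    print("after hardening:", audit(harden(SAMPLE_CONFIG)) or "clean")
```

Run it against a real backup by reading the file into `audit()`; the hardened output is meant for comparison, not for pasting back untested.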
IrixOS @johnpoz

@johnpoz

Yes, what can I say? I destroyed the whole thing yesterday night. Plan to use two, one for production. It's not that I didn't know that, I thought it wasn't going to be too bad, but it is bad.
Yes, I bought 3x WS-C4948-10GE-E, three jewels.
johnpoz LAYER 8 Global Moderator @IrixOS

@IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

    one for production

Throwing your money out the window might be more satisfying, as you watch it drift in the wind.. With the likely chance someone will find it and have a great day.. But hey, you do you ;)

Those switches were EOL, like complete end of life, what, 2018.. I do believe.

I would get something that uses like 20W or something and is still getting updates.. But hey, maybe that's just me.. I tend not to like to waste money heating the room with my switches, and forcing me to wear ear protection while in the same room ;)
IrixOS @johnpoz

@johnpoz
I bought a brand new catalyst cisco switch in the past, never switched it off until 6 months ago or so. Never paid more than 64 euro/month, but I swapped the fan with a low noise fan.
So you are exaggerating, but you certainly have a point.

You say old, why would you crash a brand new car from 2007 with only a few miles on it to buy another one that consumes less.

I did what you advised, connected one switch directly to pfsense. I configured vlans on the L3 switch, one access port for the laptop, configured the null route on the switch, configured a static route pointing to the summary of 3 vlans, same TTL error and dns anomaly; from pfsense to the internet, dns and ping seem to work.
Now if I connect from a client to pfsense, ping and dns lookup from the menu don't work and produce the same output, dns and the TTL error, how can that be?
IrixOS @A Former User

@kjk54

You are a genius, this problem has been going on for three years right now, couldn't find the cause. Did exactly what you did, disabled LAN and WAN gateway monitoring and changed the rule to WAN.

I thank everybody here on the board for their help on this issue.

Chapeau 🎩
IrixOS @johnpoz

@johnpoz

I connected two switches and pfsense, so that's all I use.

I took a look at these switches you are talking about, these cisco office switches, which one do you recommend?
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.