Netgate Discussion Forum

    Windows Clients cannot access the internet, very strange unexpected DNS problem.

      bmeeks @IrixOS

      @IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

      To access the servers in the room where the servers reside it requires dot1q encapsulation

      No it does not (or at least it should not). You seem intent on making this as complicated as possible and don't seem open to honest advice from folks that have been doing this for 30 years or more.

      You started this whole 97 post thread because your setup was not working reliably. After quite a bit of back and forth to pull information out of you, we finally got a drawing posted and both me and @johnpoz are like OMG! What a convoluted and complicated mess! We gave you some suggestions to simplify it and have a reliable home network. I'm assuming this is a home network because you have not stated otherwise, and a serious business enterprise would not be using a VDSL Internet connection.

      I wish you the best in this endeavor, but I'm bowing out.

        IrixOS @bmeeks

        @bmeeks Okay, who said I am not open to listen? 'and a serious business enterprise would not be using a VDSL internet connection' Don't you think I knew that? 👏

          IrixOS @johnpoz

          @johnpoz Yes I see your point.

          Two Catalysts, average power consumption 212 Watts with one PSU each.

            johnpoz LAYER 8 Global Moderator @IrixOS

            @IrixOS yeah common mistake users make.. Oh I can pick up some enterprise switch for cheap and just use that.. Sure ok you save some bucks up front.. But then they sound like a jet taking off, and they suck 200W or something, and any money you saved is eaten away in a year or two in your added elec cost even if you don't have issue with the noise.

            And sure it's great they have lots of great features.. But you're better off buying some say a fanless small business or entry level switch that has the features you need.. But quiet and sucks little power.

            My main switch is a cisco sg300-28.. fanless sucks like 20W max and has 28 ports to work with. Has a very rich feature set, maybe not as full blown catalyst.. But everything I would even need on my home network, and can even route if I wanted it to.. In my AV cab in the living room I have a sg300-10, also low power, same feature rich as the -28... I do multicast filtering with some ACLs, I run vlans, there is really nothing I could think from a full enterprise feature set that I would want that I can not do.. The syntax of commands is a bit off on some commands compared to a full catalyst.. But for many its exactly the same.. I can manage it via ssh, or even web, and it has a console port I can console into if need be.

            Cost me 200 bucks, let's do some math.. Let's say I picked up some catalyst full blown enterprise switch that sucks 200W for 50 bucks..

            [Image: 12cents.jpg]

            So my switch in first year cost me total 220 bucks, but that "cheap" enterprise switch is going to cost me 260.. Just in year 1.. What if you're paying way more than 12 cents per kWh.. What's your cost of operating that switch for say 3 years or 5..

            So in 5 years I am out 300 bucks in total cost running my switch.. Versus say 1100.. I can't imagine what that would cost if you were paying like 30 cents per kWh.. Well I can do the math 2700.. How many do you have? ;)

            If you want to lab sure, pick up some of those enterprise switches - but leave them off unless you're actively working on something in your lab..

            Other advantage, is if I lose power my full network and APs are up for like 30 minutes because of a couple of UPSes.. And they don't make a sound.. My 28 port switch is on my desk.. Other than some blinking lights you wouldn't know it's there because it makes zero noise!!

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              A Former User @IrixOS

              @IrixOS

              I see you have inter-VLAN routing done on a routing switch and some issues with it so I’ll share my experience with it.

              Adding pfSense to a configuration like that may be painful. I think a couple of defaults offered by pfSense are the main cause of it.

              In a configuration when inter-VLAN routing is done on a switch, it is necessary to create a static route to the local network on the Internet gateway and you’ve done it. Unlike in other products, in pfSense, that requires defining a gateway for that static route locally. This gateway is monitored by pfSense by default and may be automatically selected as the default gateway or marked as down. I have experienced it myself. That causes serious issues since you may not be able to access pfSense through that gateway. And with /30 on the subnet, the only option is to unplug the router and plug in an admin workstation for L2 access if you do not have a monitor and keyboard attached.

              To avoid those issues, I’ve changed the default gateway setting from Automatic to WAN and disabled the monitoring of the LAN gateway. Actually, I have also disabled the monitoring of the WAN gateway since I have only one WAN gateway. That seems to help. I also virtualized pfSense on my mini-PC and use /28 on the subnet. This gives me remote terminal access to pfSense as well as L2 access to its Web admin through an additional VM workstation on the hypervisor.

              BTW, like johnpoz, I use Cisco small business switches. No compatibility issues with pfSense.

                IrixOS @johnpoz

                @johnpoz

                Yes what can I say? I destroyed the whole thing yesterday night. Plan to use two, one for production. It's not that I didn't know that, I thought it wasn't going to be too bad, but it is bad.
                Yes, I bought 3x WS-C4948-10GE-E, three jewels.

                  johnpoz LAYER 8 Global Moderator @IrixOS

                  @IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

                  one for production

                  Throwing your money out the window might be more satisfying, as you watch it drift in the wind.. With the likely chance someone will find it and have a great day.. But hey you do you ;)

                  Those switches were EOL, like complete end of life what 2018.. I do believe.

                  I would get something that uses like 20W or something and still getting updates.. But hey maybe that's just me.. I tend not to like to waste money heating the room with my switches, and forcing me to wear ear protection while in the same room ;)

                    IrixOS @johnpoz

                    @johnpoz
                    I bought a brand new catalyst cisco switch in the past, never switched it off until 6 months ago or so. Never paid more than 64 euro/month, but I swapped the fan with a low noise fan.
                    So you are exaggerating but you have certainly a point.

                    You say old, why would you crash a brand new car from 2007 with only a little mileage to buy another one that consumes less?

                    I did what you advised, connected one switch directly to pfsense. I configured vlans on the L3 switch, one access port for the laptop, configured the null route on the switch, configured a static route pointing to the summary of 3 vlans, same TTL error and dns anomaly, from pfsense to internet, dns and ping seem to work.
                    Now if I connect from a client to pfsense, ping and dns lookup from the menu don't work and produce the same output, dns and the TTL error, how can that be?

                      IrixOS @A Former User

                      @kjk54

                      You are a genius, this problem has been going on for three years right now, couldn't find the cause. Did exactly what you did, disabled LAN and WAN gateway monitoring and changed the rule to WAN.

                      I thank everybody here on the board for their help on this issue.

                      Chapeau 🎩

                        IrixOS @johnpoz

                        @johnpoz

                        I connected two switches and pfsense so that's all I use.

                        I took a look at these switches you are talking about, these cisco office switches, which one do you recommend?
