Can't access internet due to DNS Issue (?)

karang_dika
Level 1

Hi,

 

I'm new at networking. Currently I have an ISR4331 working as the router and a Juniper EX2300 working as an L3 switch that will be the local gateway for each of my VLANs.

Here's what my current topology looks like:

Topology.png

I have a problem where none of my internal segments can access the internet, but they are able to ping (it looks like a DNS issue, I assume).

Here is the running-config of my router:

 

ip name-server 202.158.3.6 202.158.3.7

interface GigabitEthernet0/0/0
ip address 210.210.178.226 255.255.255.248
ip nat outside
!
interface GigabitEthernet0/0/1
ip address 193.168.255.2 255.255.255.252
ip nat inside
negotiation auto
!
ip default-gateway 210.210.178.225
ip nat pool PUBLIC-1 210.210.178.226 210.210.178.230 netmask 255.255.255.248
ip nat inside source list 1 pool PUBLIC-1 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip dns view default
dns forwarder 202.158.3.6
dns forwarder 202.158.3.7
dns forwarding source-interface GigabitEthernet0/0/1
ip dns view-list conditional
view internal 10
restrict name-group 1
view default 99
ip dns server
ip route 0.0.0.0 0.0.0.0 210.210.178.225
ip route 193.168.1.0 255.255.255.0 193.168.255.1
ip route 193.168.2.0 255.255.255.0 193.168.255.1
ip route 193.255.1.0 255.255.255.0 193.168.255.1
ip route 193.255.255.0 255.255.255.0 193.168.255.1
!
!
ip access-list extended NAT
permit ip any any
permit icmp any any
!
access-list 1 permit 193.168.2.0 0.0.0.255
access-list 1 permit 193.255.1.0 0.0.0.255
access-list 1 permit 192.255.255.0 0.0.0.255
access-list 1 permit 193.168.1.0 0.0.0.255
access-list 1 permit 193.168.255.0 0.0.0.255

 

I have VMs in all of those segments and none of them can access the internet; they can only ping. I used DNS 193.168.255.2 (my router) instead of my ISP DNS. Then I tried changing it to the ISP DNS, but it still doesn't work.

 

Is there any misconfiguration I made? Perhaps something simple that I wasn't aware of?

 

Thanks. Regards.

 

31 Replies

Hi @Georg Pauwen 

 

Just out of curiosity, what if I already changed my environment to private addresses and still can't access the internet, and can't even telnet to google.com port 80 from the router using the ISP DNS and Google DNS?

 

Thanks. Regards.

Hello


@karang_dika wrote:

Hi @paul driver 

 

I got insights from @Giuseppe Larosa to change my environment from public addresses to private addresses (I just realized this as well and didn't think about it when planning this). I'm going to reconfigure it tomorrow and let you know whether that solves my issue.


TBH, at this point it wouldn't matter whether your LAN is publicly addressed or not; it's being hidden by NAT, so from the public point of view you are reachable via your outside NAT domain addressing (210.210.178.224/29).

 

example:
RTR
ip dns server
ip name-server 202.158.3.6 202.158.3.7

Client
ip address 193.168.2.10 
subnetmask 255.255.255.0
default-gateway 193.168.2.254
dns server 193.168.255.2

Can your clients ping these addresses?
193.168.255.2,
210.210.178.226,
8.8.8.8, 
208.67.222.222


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi @paul driver 

 

My clients can ping all of those addresses using my router as the DNS.

 

ping test.png

Hello 

Have you tested this from various other hosts, other than a Ubuntu PC?

 



Kind Regards
Paul

karang_dika
Level 1

Hi @Georg Pauwen @paul driver @Giuseppe Larosa 

 

Today I did some evaluation of my network scheme. I don't know what it was, but suddenly 3 of my 4 servers are able to connect to the internet, e.g. using wget. All of my servers are in the same segment, there are no firewalls in my network, and I'm sure my inter-VLAN routing and the inside-outside routing on my router are correct, but I don't know why this is happening. This is happening while I'm still on my 193.x.y.z segment (public addresses).

 

Here are the current configs of my router and my Juniper:

 

Cisco ISR4331

Building configuration...


Current configuration : 3493 bytes
!
! Last configuration change at 16:46:03 UTC Tue Aug 31 2021 by karang
!
ip name-server 202.158.3.7 202.158.3.6 8.8.8.8
!
interface GigabitEthernet0/0/0
 ip address 210.210.178.226 255.255.255.248
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 193.168.255.2 255.255.255.252
 ip nat inside
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
ip nat pool INTERNET-1 210.210.178.226 210.210.178.230 netmask 255.255.255.248
ip nat inside source static tcp 193.255.1.10 443 210.210.178.227 443 extendable
ip nat inside source static tcp 193.255.1.10 2020 210.210.178.227 2020 extendable
ip nat inside source static tcp 193.255.1.10 9440 210.210.178.227 9440 extendable
ip nat inside source list 10 pool INTERNET-1
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip dns server
ip route 0.0.0.0 0.0.0.0 210.210.178.225
ip route 193.168.1.0 255.255.255.0 193.168.255.1
ip route 193.168.2.0 255.255.255.0 193.168.255.1
ip route 193.255.1.0 255.255.255.0 193.168.255.1
ip route 193.255.255.0 255.255.255.0 193.168.255.1
!
access-list 10 permit 193.168.1.0 0.0.0.255
access-list 10 permit 193.168.2.0 0.0.0.255
access-list 10 permit 193.255.1.0 0.0.0.255
access-list 10 permit 193.255.255.0 0.0.0.255
access-list 10 permit 193.168.255.0 0.0.0.255

Juniper EX2300

karang@BRIIT-DC2-OOB1# show | display set


set system name-server 193.168.255.2

set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members MGMT1
set interfaces ge-0/0/0 unit 0 family ethernet-switching storm-control default
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members MGMT1
set interfaces ge-0/0/1 unit 0 family ethernet-switching storm-control default
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members MGMT1
set interfaces ge-0/0/2 unit 0 family ethernet-switching storm-control default
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members MGMT1
set interfaces ge-0/0/3 unit 0 family ethernet-switching storm-control default

set interfaces ge-0/0/12 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members VLAN10
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members VLAN20
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members CVM1
set interfaces ge-0/0/12 unit 0 family ethernet-switching storm-control default

set interfaces ge-0/0/13 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members VLAN10
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members VLAN20
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members CVM1
set interfaces ge-0/0/13 unit 0 family ethernet-switching storm-control default

set interfaces ge-0/0/14 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members VLAN10
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members VLAN20
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members CVM1
set interfaces ge-0/0/14 unit 0 family ethernet-switching storm-control default

set interfaces ge-0/0/15 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members VLAN10
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members VLAN20
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members CVM1
set interfaces ge-0/0/15 unit 0 family ethernet-switching storm-control default

set interfaces ge-0/0/23 unit 0 family inet address 193.168.255.1/30

set interfaces irb unit 0 family inet
set interfaces irb unit 10 family inet address 193.168.1.254/24
set interfaces irb unit 20 family inet address 193.168.2.254/24
set interfaces irb unit 2551 family inet address 193.255.1.254/24
set interfaces irb unit 2555 family inet address 193.255.255.254/24

set routing-options static route 0.0.0.0/0 next-hop 193.168.255.2

set vlans CVM1 vlan-id 2551
set vlans CVM1 l3-interface irb.2551
set vlans MGMT1 vlan-id 2555
set vlans MGMT1 l3-interface irb.2555
set vlans VLAN10 vlan-id 10
set vlans VLAN10 l3-interface irb.10
set vlans VLAN20 vlan-id 20
set vlans VLAN20 l3-interface irb.20
set vlans default vlan-id 1
set vlans default l3-interface irb.0

With that current configuration, 3 of my 4 servers are able to access the internet, e.g. via wget and downloading updates. Those 4 servers are in the CVM1 VLAN. And 1 of those servers is unable to ping my ISP GW (210.210.178.225) while the other 3 work just fine.

 

I'm so confused about why this is happening. Please enlighten me on what I missed.

 

Thank you so much.

Hello @karang_dika ,

>> Those 4 servers are in the CVM1 VLAN. And 1 of those servers is unable to ping my ISP GW (210.210.178.225) while the other 3 work just fine.

 

The one that cannot ping the ISP GW is also the one that is not able to use wget, isn't it?

 

Check carefully if the port to which the server is connected is in the right VLAN,

then

check the TCP/IP settings of the affected server.

 

Can the affected server ping the other three servers ?

Can the affected server see the other three servers in its ARP table?

Can the affected server ping its DEF gateway ?

 

Hope to help

Giuseppe

 

Hi @Giuseppe Larosa 

 

"the one that cannot ping the ISP GW is also the one that is not able to use wget ?   Isn't it ?"

Yes it is.

 

Check carefully if the port to which the server is connected is in the right VLAN >> It is actually connected to the right VLAN, and when I directly connect it to my laptop, my laptop gets access to the internet instantly and can ping the ISP GW normally.

 

Can the affected server ping the other three servers? Yes it can; it pings just normally.

Can the affected server see the other three servers in its ARP table? Yes, the IPs show up in the ARP table.

Can the affected server ping its DEF gateway? The server can ping the DEF gateway (210.210.178.226) but not the ISP GW (210.210.178.225), like it's a routing problem, but when I check my routing configuration there is nothing fishy about it.

 

That's why I'm confused.

 

Hello @karang_dika ,

Clearly the issue is on the affected server, from what you have reported in your last post.

 

Check carefully its networking configuration: subnet mask, default gateway and so on.

 

When I ask for the default gateway I mean a device in the same subnet as the server that acts as gateway, that is the Juniper IRB unit irb.2551 IP address.

 

>> The server can ping DEF Gateway (210.210.178.226) but not ISP GW (210.210.178.225)

It looks like NAT is not triggered for this host.

The router can answer even if NAT is not happening; the ISP GW cannot.

 

Hope to help

Giuseppe
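The probe ladder this thread works through (VLAN gateway, router, ISP gateway, a public IP, then DNS and TCP) can be written down so that the first failing step names the layer to inspect. The script below is an added example, not code from the thread or from any vendor tool; it encodes Giuseppe's inference that the router can answer a host even when NAT is not applied to it, while the ISP gateway cannot. The addresses in `main` are the ones quoted in the thread; the public IP and the host name it probes are assumptions.

```python
"""Layered reachability triage for a NAT'd LAN (added example)."""
import socket
import subprocess
from dataclasses import dataclass


@dataclass
class Probes:
    vlan_gateway: bool   # ping the host's own gateway, e.g. irb.2551 = 193.255.1.254
    router: bool         # ping the router, e.g. 193.168.255.2 or 210.210.178.226
    isp_gateway: bool    # ping the ISP next hop, 210.210.178.225
    public_ip: bool      # ping a public address such as 8.8.8.8 (assumed target)
    dns: bool            # a public name resolves through the host's configured resolver
    tcp: bool            # TCP connect to that name on port 80


# Ordered from the host outwards: the first failing step names the layer to inspect.
LADDER = [
    ("vlan_gateway", "host",
     "host cannot reach its own VLAN gateway: check the port's VLAN membership and the host's IP, mask and default gateway"),
    ("router", "switch",
     "gateway answers but the router does not: check inter-VLAN routing and the switch's default route towards the router"),
    ("isp_gateway", "nat",
     "router answers but the ISP gateway does not: the host's packets leave untranslated; check the NAT ACL and whether the dynamic pool is exhausted (no 'overload')"),
    ("public_ip", "upstream",
     "ISP gateway answers but the internet does not: provider-side routing or the return path for the NAT pool"),
    ("dns", "dns",
     "raw IP connectivity works but names do not resolve: check the resolver address on the host and forwarding on the DNS server"),
    ("tcp", "filter",
     "names resolve and ICMP works but TCP does not: something filters TCP (ACL, firewall, or a port-specific NAT rule)"),
]


def classify(p):
    """Return (layer, explanation) for the first failing probe, or ('ok', ...)."""
    for field, layer, why in LADDER:
        if not getattr(p, field):
            return layer, why
    return "ok", "all probes passed"


def ping(host, timeout_s=2):
    """One ICMP echo via the OS ping command (Linux flags; -W is seconds on Linux)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def resolves(name):
    """True if the OS resolver (the DNS server configured on the host) answers for name."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False


def tcp_connect(name, port=80, timeout_s=3):
    """True if a TCP handshake to name:port completes."""
    try:
        socket.create_connection((name, port), timeout=timeout_s).close()
        return True
    except OSError:
        return False


def live_probes(vlan_gateway, router, isp_gateway, public_ip="8.8.8.8",
                name="www.example.com"):
    """Run the ladder against the real network from the affected host."""
    return Probes(ping(vlan_gateway), ping(router), ping(isp_gateway),
                  ping(public_ip), resolves(name), tcp_connect(name))


if __name__ == "__main__":
    # Addresses quoted in the thread; run this from the affected server.
    layer, why = classify(live_probes("193.255.1.254", "193.168.255.2",
                                      "210.210.178.225"))
    print(f"{layer}: {why}")
```

Fed the observations reported in this thread (VLAN gateway and router reachable, ISP gateway not), `classify` lands on the NAT layer, which is where the missing `overload` keyword was eventually found.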

Hi @Giuseppe Larosa 

 

Thank you for your response.

 

Oh, if you mean the DEF gateway is the VLAN gateway, yes it can ping the DEF GW normally like the others, but when it comes to pinging the ISP GW, it doesn't reply anything and says network unreachable (like a NAT source or routing problem).

 

Even more, the other segments like irb.10 and irb.20 are also not able to access the internet, just like the affected server that is connected to irb.2551. I proved this when I connected my laptop to a VLAN10 port and a VLAN20 port of my Juniper: my laptop also can't reach the ISP GW but is able to ping all IPs inside the router. Since it can't ping the ISP GW, it also can't access the internet.

 

I'm afraid I'm missing something small but critical. I checked my configurations multiple times, yet nothing seems strange to me.

Hello


@karang_dika wrote:

Those 4 servers are in the CVM1 VLAN. And 1 of those servers is unable to ping my ISP GW (210.210.178.225) while the other 3 work just fine.


The main thing that I can see is that your IP addressing doesn't look correct; your default static route is:

set routing-options static route 0.0.0.0/0 next-hop 193.168.255.2, but you don't have any routed interface for it!

 

unit 10 family inet address 193.168.1.254/24
unit 20 family inet address 193.168.2.254/24
unit 2551 family inet address 193.255.1.254/24
unit 2555 family inet address 193.255.255.254/24

 

Also, looking further at your Juniper configuration, it seems you are using IRB, which isn't something I've used before when working with Junos for inter-VLAN routing; I would have expected to see something like below:

 

set interfaces vlan unit 0 family inet
set interfaces vlan unit 10 family inet address 193.168.1.254/24
set interfaces vlan unit 20 family inet address 193.168.2.254/24
set interfaces vlan unit 2551 family inet address 193.255.1.254/24
set interfaces vlan unit 2555 family inet address 193.255.255.254/24
set vlans CVM1 vlan-id 2551

 

Suggest you make the IP address changes first and test again?



Kind Regards
Paul

Hi @paul driver 

 

Thank you for your response.

 

I set my default static route 0.0.0.0/0 next-hop 193.168.255.2 >> which means it is the IP peer-to-peer link that connects to my router:

 

Cisco Gig0/0/1 > 193.168.255.2/30

Juniper Ge-0/0/23 > 193.168.255.1/30

 

That configuration is fine, isn't it? Or isn't it?

 

Yes Paul, in my Juniper I also use IRB for inter-VLAN; I used this method in my previous configurations as well and it works well. Should I change it to vlan instead of irb?

 

I found this KB regarding vlan usage rather than irb usage:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB11000

 

Hello @paul driver ,

The routed interface to the router exists:

 

set interfaces ge-0/0/23 unit 0 family inet address 193.168.255.1/30

 

I agree with your concerns about the use of IRB units instead of VLAN (called RVI in Juniper terms). I suspect this can depend on the Junos version on the switch.

 

@karang_dika: you should try to configure RVI interfaces instead of IRB, as explained by Paul.

 

However, looking at the router config I see the following:

 

ip nat inside source list 10 pool INTERNET-1

With this config your router can serve up to 3 clients concurrently; one address is used for static NAT.

 

You need to add the keyword overload to make it possible to serve many clients (PAT):

 

ip nat inside source list 10 pool INTERNET-1 overload

 

Try this. I'm sorry we were not able to see this before.

 

Hope to help

Giuseppe

 

Hi @Giuseppe Larosa 

 

Thanks for your suggestion on RVI instead of IRB. I will try to make a plan to evaluate my network scheme.

 

And for that "overload", I also just noticed that. But when I fix it, it makes all of my servers unable to reach the internet (wget google.com).

 

I used these commands to clear the previous dynamic NAT:

 

clear ip nat translation *
conf t
no ip nat pool INTERNET-1
ip nat pool INTERNET-1 210.210.178.226 210.210.178.230 netmask 255.255.255.248
ip nat inside source list 10 pool INTERNET-1 overload

 

But when I restored it without "overload", it goes back to only 3 out of 4 servers being able to access the internet.

 

That's weird.

 

 

^^^^

Sorry @Giuseppe Larosa, it turns out there was quite some delay in the network changes after I added "overload".

 

Right now 3 of my IRBs are able to access the internet normally. And now I'm in a checking state.

 

Please give me suggestions on what I should change about my network scheme besides:

1. Use RVI

2. Use "private addresses" > I'm thinking of using a 10.x.y.z network

 

 

Thank you.

 

Hello @karang_dika ,

The correct configuration for your scenario requires either using overload with the NAT pool or using overload with a NAT statement that uses the exit WAN interface on the router.

 

Without the overload keyword each client consumes a public IP address, so the first three are served and all the others cannot go to the internet.

 

If you have issues with the NAT pool, try using the external interface:

ip nat inside source list 10 interface giga0/0/0 overload

 

This should solve your issues.

 

Hope to help

Giuseppe
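The pool-exhaustion behaviour Giuseppe describes can be made concrete with a small model of dynamic NAT versus PAT. The script below is an added example, not code from the thread or from Cisco. It models the pool from this thread, 210.210.178.226 to .230, and assumes the router will not hand out .226 (its own outside interface address) or .227 (the static NAT target) dynamically, which matches Giuseppe's count of three usable addresses; the server addresses in the CVM1 VLAN are constructed.

```python
"""Model of a Cisco dynamic NAT pool with and without 'overload' (added example)."""
import ipaddress


def pool_addresses(first, last, exclude=()):
    """Expand an 'ip nat pool FIRST LAST' range, minus excluded addresses."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    skip = {int(ipaddress.IPv4Address(a)) for a in exclude}
    return [str(ipaddress.IPv4Address(n)) for n in range(start, end + 1)
            if n not in skip]


class NatPool:
    """Toy model of 'ip nat inside source list X pool Y [overload]'."""

    def __init__(self, first, last, overload, exclude=()):
        self.overload = overload
        self.free = pool_addresses(first, last, exclude)
        self.table = {}        # (inside_ip, inside_port) -> (outside_ip, outside_port)
        self.next_port = 1024  # next unused outside source port in PAT mode

    def address_owned_by(self, inside_ip):
        """Outside address already assigned to an inside host (non-overload mode)."""
        for (ip, _), (out, _) in self.table.items():
            if ip == inside_ip:
                return out
        return None

    def translate(self, inside_ip, inside_port):
        """Translation for an outbound flow, or None if none can be built."""
        key = (inside_ip, inside_port)
        if key in self.table:
            return self.table[key]
        if self.overload:
            # PAT: every inside host shares the first pool address and flows are
            # told apart by a unique outside source port.
            if not self.free:
                return None
            entry = (self.free[0], self.next_port)
            self.next_port += 1
        else:
            # Dynamic NAT: one outside address per inside host. A host that already
            # holds one keeps it; a new host needs a free address, and once the pool
            # is empty its traffic gets no translation (no internet for that host).
            owned = self.address_owned_by(inside_ip)
            if owned is None:
                if not self.free:
                    return None
                owned = self.free.pop(0)
            entry = (owned, inside_port)
        self.table[key] = entry
        return entry


def simulate(overload):
    """Four CVM1 servers (constructed addresses) each open one outbound flow.
    Returns {inside_ip: translation or None}."""
    pool = NatPool("210.210.178.226", "210.210.178.230", overload,
                   exclude=("210.210.178.226", "210.210.178.227"))  # assumption
    servers = ["193.255.1.11", "193.255.1.12", "193.255.1.13", "193.255.1.14"]
    return {ip: pool.translate(ip, 40000 + i) for i, ip in enumerate(servers)}


if __name__ == "__main__":
    for overload in (False, True):
        print("overload" if overload else "no overload")
        for ip, t in simulate(overload).items():
            print(f"  {ip:15} -> {t if t else 'NO TRANSLATION (pool exhausted)'}")
```

Without `overload`, the fourth server is left untranslated, which is exactly the "3 of 4 servers" symptom reported earlier in the thread; with `overload`, all four share one outside address and differ only by source port.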

 

Hi @Giuseppe Larosa 

 

Yes, I just realized I was missing the "overload" statement there. It was there before I created a new pool, but when I created the new one, I left out the overload statement, which made only 3 of my servers have access to the internet.

 

My problem has been solved now. But from all of this discussion, I received so many suggestions regarding RVI usage instead of IRB, and private addresses instead of public addresses. I will try to consider all of this and I might plan for it.

 

Thank you very much for all of your responses. Really helpful and informative. @Giuseppe Larosa @paul driver @Georg Pauwen