08-30-2021 01:50 AM - edited 08-30-2021 01:51 AM
Hi,
I'm new at networking. Currently I have an ISR4331 working as the router and a Juniper EX2300 working as an L3 switch that will be the local gateway for each of my VLANs.
Here's what my current topology looks like:
I have a problem where none of my internal segments can access the internet, but they are able to ping (looks like a DNS issue, I assume).
Here is the running-config of my router:
ip name-server 202.158.3.6 202.158.3.7
interface GigabitEthernet0/0/0
ip address 210.210.178.226 255.255.255.248
ip nat outside
!
interface GigabitEthernet0/0/1
ip address 193.168.255.2 255.255.255.252
ip nat inside
negotiation auto
!
ip default-gateway 210.210.178.225
ip nat pool PUBLIC-1 210.210.178.226 210.210.178.230 netmask 255.255.255.248
ip nat inside source list 1 pool PUBLIC-1 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip dns view default
dns forwarder 202.158.3.6
dns forwarder 202.158.3.7
dns forwarding source-interface GigabitEthernet0/0/1
ip dns view-list conditional
view internal 10
restrict name-group 1
view default 99
ip dns server
ip route 0.0.0.0 0.0.0.0 210.210.178.225
ip route 193.168.1.0 255.255.255.0 193.168.255.1
ip route 193.168.2.0 255.255.255.0 193.168.255.1
ip route 193.255.1.0 255.255.255.0 193.168.255.1
ip route 193.255.255.0 255.255.255.0 193.168.255.1
!
!
ip access-list extended NAT
permit ip any any
permit icmp any any
!
access-list 1 permit 193.168.2.0 0.0.0.255
access-list 1 permit 193.255.1.0 0.0.0.255
access-list 1 permit 192.255.255.0 0.0.0.255
access-list 1 permit 193.168.1.0 0.0.0.255
access-list 1 permit 193.168.255.0 0.0.0.255
I have VMs in all of those segments and none of them can access the internet; they can only ping. I used DNS 193.168.255.2 (my router) instead of my ISP DNS. Then I tried to change it to the ISP DNS, but it still doesn't work.
Is there any misconfiguration that I did? Perhaps something simple that I wasn't aware of?
Thanks. Regards.
08-31-2021 06:49 AM
Hello @paul driver ,
The routed interface to the router exists:
set interfaces ge-0/0/23 unit 0 family inet address 193.168.255.1/30
I agree with your concerns about the use of IRB units instead of VLAN (called RVI in Juniper terms); I suspect this can depend on the JUNOS version on the switch.
@karang_dika: you should try to configure RVI interfaces instead of IRB as explained by Paul.
However, looking at the router config I see the following:
ip nat inside source list 10 pool INTERNET-1
With this config your router can serve up to 3 clients concurrently; one address is used for static NAT.
You need to add the keyword overload to make it possible to use it for many clients (PAT):
ip nat inside source list 10 pool INTERNET-1 overload
Try this. I'm sorry we were not able to see this before.
Hope to help
Giuseppe
08-30-2021 02:45 AM
Hello,
What DNS server IP address are your clients configured with? Try to get rid of all the DNS config on the router and configure your clients with the IP address of the Google DNS server, 8.8.8.8, instead.
Make the changes marked in bold:
ip name-server 202.158.3.6 202.158.3.7
!
interface GigabitEthernet0/0/0
ip address 210.210.178.226 255.255.255.248
ip nat outside
!
interface GigabitEthernet0/0/1
ip address 193.168.255.2 255.255.255.252
ip nat inside
negotiation auto
!
--> no ip default-gateway 210.210.178.225
ip nat pool PUBLIC-1 210.210.178.226 210.210.178.230 netmask 255.255.255.248
ip nat inside source list 1 pool PUBLIC-1 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
--> no ip dns view default
--> no dns forwarder 202.158.3.6
--> no dns forwarder 202.158.3.7
--> no dns forwarding source-interface GigabitEthernet0/0/1
--> no ip dns view-list conditional
--> no view internal 10
--> no restrict name-group 1
--> no view default 99
--> no ip dns server
ip route 0.0.0.0 0.0.0.0 210.210.178.225
ip route 193.168.1.0 255.255.255.0 193.168.255.1
ip route 193.168.2.0 255.255.255.0 193.168.255.1
ip route 193.255.1.0 255.255.255.0 193.168.255.1
ip route 193.255.255.0 255.255.255.0 193.168.255.1
!
ip access-list extended NAT
permit ip any any
permit icmp any any
!
access-list 1 permit 193.168.2.0 0.0.0.255
access-list 1 permit 193.255.1.0 0.0.0.255
access-list 1 permit 192.255.255.0 0.0.0.255
access-list 1 permit 193.168.1.0 0.0.0.255
access-list 1 permit 193.168.255.0 0.0.0.255
08-30-2021 03:04 AM
Sorry for questioning your solution, but I'm asking: if I remove that default GW of my ISP, wouldn't I lose the public internet connection to my router? Or would it be safe since it's already configured with the default route 0.0.0.0?
And for the clients, I configured the DNS with 193.168.255.2 (it is my router as my DNS).
Thanks. Regards.
08-30-2021 03:39 AM
Hello
@karang_dika wrote:
Sorry for questioning your solution, but I'm asking: if I remove that default GW of my ISP, wouldn't I lose the public internet connection to my router?
No. As your router is performing routing, it isn't a host device, so ip default-gateway is redundant. Also, your dynamic clients should be allocated a D/G via DHCP (assuming Juniper), which would be the Juniper SVI IP address of the VLAN they are assigned to.
08-30-2021 03:25 AM - edited 08-30-2021 06:16 AM
Hello
I assume the Juniper is providing DHCP allocation. If so, amend the DHCP scopes to include your router (193.168.255.2) as the DHCP clients' DNS server, then leave the router as a forwarder towards your ISP DNS:
Please see attached file:
08-30-2021 04:07 AM
Hi, @paul driver
Actually I didn't enable DHCP in the Juniper, so I assign the IPs statically.
Here is the config of my Juniper; it is set up as L3 VLANs:
set system services ssh protocol-version v2
set system services netconf ssh
set system services web-management http
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system phone-home server https://redirect.juniper.net
set system phone-home rfc-compliant
deactivate system phone-home
set chassis redundancy graceful-switchover
set interfaces ge-0/0/8 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members VLAN10
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members VLAN20
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members CVM1
set interfaces ge-0/0/8 unit 0 family ethernet-switching storm-control default
set interfaces ge-0/0/9 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members VLAN10
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members VLAN20
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members CVM1
set interfaces ge-0/0/9 unit 0 family ethernet-switching storm-control default
set interfaces ge-0/0/10 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members VLAN10
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members VLAN20
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members CVM1
set interfaces ge-0/0/10 unit 0 family ethernet-switching storm-control default
set interfaces ge-0/0/23 unit 0 family inet address 193.168.255.1/30
set interfaces irb unit 0 family inet
set interfaces irb unit 10 family inet address 193.168.1.254/24
set interfaces irb unit 20 family inet address 193.168.2.254/24
set interfaces irb unit 2551 family inet address 193.255.1.254/24
set interfaces irb unit 2555 family inet address 193.255.255.254/24
set interfaces me0 unit 0 family inet
set forwarding-options storm-control-profiles default all
set routing-options static route 0.0.0.0/0 next-hop 193.168.255.2
set protocols lldp interface all
set protocols lldp-med interface all
set protocols igmp-snooping vlan default
set protocols rstp interface all
set vlans CVM1 vlan-id 2551
set vlans CVM1 l3-interface irb.2551
set vlans MGMT1 vlan-id 2555
set vlans MGMT1 l3-interface irb.2555
set vlans VLAN10 vlan-id 10
set vlans VLAN10 l3-interface irb.10
set vlans VLAN20 vlan-id 20
set vlans VLAN20 l3-interface irb.20
set vlans default vlan-id 1
set vlans default l3-interface irb.0
From the router below, it is only able to ping the outside network / internet.
From your suggestion, do I need to delete all DNS config in the router instead of replacing it with 8.8.8.8? And also on my clients' side, should I use 193.168.255.2 as my DNS, or just 8.8.8.8?
08-30-2021 06:23 AM
Hello
Your clients' IP addressing should point to the related VLAN Juniper L3 addressing you have applied, and yes, apply the DNS server of the router:
193.168.255.2
08-30-2021 06:36 AM
Hi @paul driver ,
Yes, I did that. I already have clients in those segments configured and the inter-VLAN communication is fine. But when it comes to resolving hostnames, like ping google.com from one of my clients, it says temporary failure in name resolution (I used 193.168.255.2 (my router) as my DNS on all of my clients).
And also I did as you suggested about editing some config, but it's still the same.
08-30-2021 08:31 AM - edited 08-30-2021 08:31 AM
Hello
Apologies. Just checked the cfg I sent you; I asked you to remove the name-server. Is this your ISP DNS? If so, please re-add it and test:
ip name-server 202.158.3.6 202.158.3.7
08-30-2021 08:35 AM
Hi @paul driver
Yes, that's my ISP DNS. I already put it back on my router and still my devices can't get access to the internet, even with apt-get update on my Ubuntu. I got insights from @Giuseppe Larosa to change my environment from public addresses to private addresses (I just realized this as well and didn't think about it when planning this). I'm going to reconfigure it tomorrow and let you know whether that solves my issue right away.
Thank you. Regards.
08-30-2021 06:44 AM
Hello @karang_dika ,
I agree with @Georg Pauwen: the router has DNS related commands that can be the cause of your issue.
You should try to use the Google DNS 8.8.8.8 on your devices and remove all the DNS related commands from the router config.
The ip default-gateway command is not effective on a router that is doing routing;
the default static route is used for going to the internet.
Finally, be aware that 193.168.x.y are public IP addresses. Private IP addresses are 192.168.x.y.
This can just be an error in typing your message; if so, just ignore this comment.
Hope to help
Giuseppe
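As an added example, not code from this thread, from Cisco or from Juniper: a small Python audit that checks the three points raised in this thread against a router config excerpt, namely whether the NAT statement carries the overload keyword (the accepted answer's point), whether every inside subnet in the static routes is actually matched by the NAT access-list, and whether those subnets are RFC 1918 private space. The two config excerpts are constructed from what was posted (the "corrected" one assumes the 172.17.x.0/24 ranges the poster said they would move to); the parsing and the checks are my own.

```python
import ipaddress
import re

# Constructed excerpt modelled on the router config posted in this thread:
# the NAT statement without 'overload', the internal static routes, and
# access-list 1 exactly as posted (note the 192.255.255.0 entry).
ROUTER_CONFIG = """
ip nat inside source list 1 pool PUBLIC-1
ip route 0.0.0.0 0.0.0.0 210.210.178.225
ip route 193.168.1.0 255.255.255.0 193.168.255.1
ip route 193.168.2.0 255.255.255.0 193.168.255.1
ip route 193.255.1.0 255.255.255.0 193.168.255.1
ip route 193.255.255.0 255.255.255.0 193.168.255.1
access-list 1 permit 193.168.2.0 0.0.0.255
access-list 1 permit 193.255.1.0 0.0.0.255
access-list 1 permit 192.255.255.0 0.0.0.255
access-list 1 permit 193.168.1.0 0.0.0.255
access-list 1 permit 193.168.255.0 0.0.0.255
"""

# Constructed 'after' version (assumption): PAT enabled and the client segments
# renumbered into RFC 1918 space, with the ACL matching exactly those segments.
CORRECTED_CONFIG = """
ip nat inside source list 1 pool PUBLIC-1 overload
ip route 0.0.0.0 0.0.0.0 210.210.178.225
ip route 172.17.1.0 255.255.255.0 193.168.255.1
ip route 172.17.2.0 255.255.255.0 193.168.255.1
access-list 1 permit 172.17.1.0 0.0.0.255
access-list 1 permit 172.17.2.0 0.0.0.255
"""

NAT_RE = re.compile(r"ip nat inside source list (\S+) pool (\S+)(\s+overload)?$")
ROUTE_RE = re.compile(r"ip route (\S+) (\S+) \S+$")
ACL_RE = re.compile(r"access-list (\S+) permit (\S+) (\S+)$")


def parse_config(text):
    """Pull NAT statements, non-default static routes and standard ACL entries out of IOS text."""
    nat_stmts, routes, acls = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            nat_stmts.append({"acl": m.group(1), "pool": m.group(2), "overload": bool(m.group(3))})
        elif (m := ROUTE_RE.match(line)) and m.group(1) != "0.0.0.0":
            # 'ip route NET MASK NEXT-HOP': ipaddress accepts a dotted netmask after the slash
            routes.append(ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"))
        elif m := ACL_RE.match(line):
            # standard ACL entries use a wildcard (host) mask; ipaddress accepts that too
            acls.setdefault(m.group(1), []).append(ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}"))
    return nat_stmts, routes, acls


def audit(text):
    """Return a list of human-readable findings; an empty list means all three checks passed."""
    nat_stmts, routes, acls = parse_config(text)
    findings = []
    for nat in nat_stmts:
        if not nat["overload"]:
            findings.append(
                f"NAT for list {nat['acl']} uses pool {nat['pool']} without overload: "
                "one inside host per pool address, no PAT"
            )
        matched = acls.get(nat["acl"], [])
        for net in routes:
            # an inside subnet the ACL never matches leaves the router untranslated
            if not any(net.subnet_of(entry) for entry in matched):
                findings.append(
                    f"{net} is routed inside but not matched by access-list {nat['acl']}: "
                    "traffic from it will not be translated"
                )
    for net in routes:
        # is_private covers the RFC 1918 ranges (10/8, 172.16/12, 192.168/16)
        if not net.is_private:
            findings.append(f"{net} is globally routable (not RFC 1918) address space")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as posted", ROUTER_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" -", finding)
```

Run against the posted excerpt the audit reports the missing overload, that 193.255.255.0/24 is routed inside but never matched by access-list 1 (the ACL entry reads 192.255.255.0), and that all four inside subnets are public space; the corrected excerpt produces no findings. Host entries written with a 0.0.0.0 wildcard are not handled here, since ipaddress reads 0.0.0.0 as a /0 netmask.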
08-30-2021 07:03 AM
I just edited my router configuration as @Georg Pauwen suggested. But it still gives me the same result when I try to ping google.com from my clients, and it still shows failure in name resolution. But when I tried to use my ISP DNS on my router, and then use my router as my DNS on the Juniper and my clients, now all of them are able to ping google.com. But when I try to actually access the internet, like apt-get update, it is still unsuccessful even though I can ping archive.ubuntu.com, etc.
Oh my.. I just realized I built my environment using a public IP address range. But could it really be the root cause of my issue right now? Sorry if it is a silly question.
08-30-2021 07:36 AM - edited 08-30-2021 07:38 AM
Hello @karang_dika ,
>> Oh my.. I just realized I built my environment using a public IP address range. But could it really be the root cause of my issue right now? Sorry if it is a silly question.
You cannot access public services in the subnets in 193.168.x.y that you are using; this is the only effect, as you then perform NAT.
However, the fact that some basic applications like Linux apt-get do not work suggests that you are still in time to fix your environment and use private IP addresses (look for RFC 1918 addresses).
>> But when I tried to use my ISP DNS on my router, and then use my router as my DNS on the Juniper and my clients, now all of them are able to ping google.com. But when I try to actually access the internet, like apt-get update, it is still unsuccessful even though I can ping archive.ubuntu.com, etc.
This is good news.
Hope to help
Giuseppe
08-30-2021 07:59 AM
Thank you for your suggestions. I really appreciate the help for a newbie like me. I will try to reconfigure the whole network tomorrow.
I'll let you know the result of it.
But just to make sure, this is the final configuration of my router. Is there anything left that needs to be corrected? Since I'm able to ping google.com from all of my devices.
Building configuration...
ip name-server 202.158.3.6 202.158.3.7
interface GigabitEthernet0/0/0
ip address 210.210.178.226 255.255.255.248
ip nat outside
negotiation auto
crypto map map-vpn-briit
!
interface GigabitEthernet0/0/1
ip address 193.168.255.2 255.255.255.252
ip nat inside
negotiation auto
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0/0
peer default ip address pool khusus-vpn
ppp authentication ms-chap-v2
!
interface Vlan1
no ip address
shutdown
!
ip nat pool PUBLIC-1 210.210.178.226 210.210.178.230 netmask 255.255.255.248
ip nat inside source list 1 pool PUBLIC-1 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip dns server
ip route 0.0.0.0 0.0.0.0 210.210.178.225
ip route 172.17.1.0 255.255.255.0 193.168.255.1   <<This will be my new Clients segment
ip route 172.17.2.0 255.255.255.0 193.168.255.1   <<This will be my new Clients segment
ip route 193.168.1.0 255.255.255.0 193.168.255.1
ip route 193.168.2.0 255.255.255.0 193.168.255.1
ip route 193.255.1.0 255.255.255.0 193.168.255.1
ip route 193.255.255.0 255.255.255.0 193.168.255.1
!
!
access-list 1 permit 193.168.2.0 0.0.0.255
access-list 1 permit 193.255.1.0 0.0.0.255
access-list 1 permit 192.255.255.0 0.0.0.255
access-list 1 permit 193.168.1.0 0.0.0.255
access-list 1 permit 193.168.255.0 0.0.0.255
access-list 1 permit 172.16.1.0 0.0.0.255   <<This will be my new Clients segment
access-list 2 permit 172.16.2.0 0.0.0.255   <<This will be my new Clients segment
!
end
And also on my Juniper and clients' side, I put my router address as the DNS.
Thanks. Regards.
08-30-2021 10:07 AM
Hello,
The configuration looks good now. Good luck with the implementation...