DNS not resolving domain names

Hi friends,
Can anyone help me understand why my computers behind the MikroTik router cannot resolve domain names?
Here is my config:

# jun/12/2020 20:26:18 by RouterOS 6.42.5
# software id = JSTP-DCW3
#
# model = RB750Gr3
# serial number = 8AFF09C18EF7

/interface bridge
add fast-forward=no name=BRIDGE-CAMERE
add fast-forward=no name=BRIDGE-LAN
/interface pptp-client
add connect-to= disabled=no name=PPTP-CLP password= user=\

/interface vlan
add interface=BRIDGE-CAMERE name=VLAN-CAMERE vlan-id=200
add interface=BRIDGE-LAN name=VLAN-LAN vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=POOL-LAN ranges=192.168.101.193-192.168.101.253
add name=POOL-CAMERE ranges=192.168.101.2-192.168.101.14
/ip dhcp-server
add address-pool=POOL-LAN disabled=no interface=BRIDGE-LAN name=DHCP-LAN
add address-pool=POOL-CAMERE disabled=no interface=BRIDGE-CAMERE name=DHCP-CAMERE
/user group
add name=GroupFTP policy="ftp,read,write,test,!local,!telnet,!ssh,!reboot,!policy,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
/interface bridge port
add bridge=BRIDGE-CAMERE comment=defconf interface=ether2
add bridge=BRIDGE-LAN comment=defconf interface=ether3
add bridge=BRIDGE-LAN comment=defconf interface=ether4
add bridge=BRIDGE-LAN comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.101.254/26 comment=::LAN interface=BRIDGE-LAN network=192.168.101.192
add address=192.168.100.101/24 comment=::WAN interface=ether1 network=192.168.100.0
add address=192.168.101.1/28 comment=LAN interface=BRIDGE-CAMERE network=192.168.101.0
/ip dhcp-server network
add address=192.168.101.0/28 dns-server=8.8.8.8 gateway=192.168.101.1
add address=192.168.101.192/26 dns-server=172.23.2.2 gateway=192.168.101.254
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=21 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-port=22,8291,8728,80 protocol=tcp src-address=192.168.0.0/16
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat dst-address=172.23.2.0/24 out-interface=PPTP-CLP
add action=masquerade chain=srcnat out-interface=PPTP-CLP src-address=192.168.0.0/18
/ip route
add distance=1 gateway=192.168.100.1
add distance=1 dst-address=172.23.2.0/24 gateway=PPTP-CLP
add distance=1 dst-address=192.168.0.0/18 gateway=PPTP-CLP
/ip tftp
add ip-addresses=0.0.0.0
/system routerboard settings
set silent-boot=no

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks

You need to add the VLAN as ports to the bridge… in Winbox → BRIDGE → VLAN
Example: if the WiFi interface is part of the VLAN then you need to add it there.
Same for an Ethernet port.

If you do not do that, the VLAN will not see the DHCP leases from the bridge.

Oh! Sorry, I did not see that you are on very old FW: 6.42!
You should absolutely upgrade, as that FW is unsafe…
VLAN handling has changed over time and is now done differently.

Do your computers get their IPs via DHCP?
If they have static IPs then you have to specify the DNS server manually on the PCs.

What is the output of this command on the PC:
nslookup google.com

Yes, my computers get their IPs via DHCP, including the DNS server. They don’t have static IPs.

The result of nslookup google.com is:

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 8.8.8.8

Thank you

Dear WeWiNet,

I’ve followed your advice but the result is the same.
I added a new bridge VLAN and the VLAN IDs, and it is not working.

Thanks

This indicates that the DNS server setting on the PC is wrong or couldn’t be set or obtained.

To diagnose the error you should test with a manually given static IP and DNS server IP on the PC.
Of course the IP and subnet mask must be in the same subnet as the router’s LAN side.
The IP of the DNS server must be that of the router (i.e. the LAN side IP).

Btw, I just don’t get why people unnecessarily complicate their lives by using VLAN :). VLAN is intended for switches in ISP rooms with many ports, like 24 or 48 ports, but surely not for a home router with 5 ports. Not even in corporate LANs, IMHO. Have fun, VLAN users! :) (Or should I say VLAN losers? :))

Here is what I would do…
Read through this article as the best guide on how to set up VLANs…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

For simplicity and clarity (readability):
Use TWO DIFFERENT subnets for your VLANs, 192.168.10.x for one and 192.168.20.x for the other.
You only need one bridge; the VLANs give you L2 separation.
Interface list members should include the VLANs for LAN.
Associate the IP addresses with the VLANs.

Your FW rules are hosed.
The order is all wrong, and order is important.
Some of your rules in the input chain look like dstnat rules to me.

@anav, IMO there is ZERO need for VLAN with routers, especially not in a home environment, nor in a corporate LAN. VLAN might maybe be good for carriers, i.e. ISPs with L2 switches only…

davidungurean, what I told you is only valid for 6.44(?) and more recent versions.
ROS changed the way VLANs are set up and managed.

I don’t remember how it was done in the past.
I would recommend you move to the latest FW first, maybe remove the VLANs and see if all works.
Then add the VLANs back in…

Try to add an access rule at the top:
add action=accept chain=input comment="ESTABLISHED, RELATED" connection-state=established,related

VLANs are an integral, fundamental component of any network in which segregation between layer 2 domains is necessary.
In a home environment, a guest network, an IoT network or a DMZ for a self-hosted web server are a few examples for VLANs.

Concur Guscht, mutluit is out to lunch. As soon as you say guest network in a home scenario, a vlan is a natural path, and of course all the other types of entities you may have at home.
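
An added example, not part of any post in this thread: a small Python audit of a RouterOS export for the DNS point raised above (the DNS server the PCs use should be the router's LAN-side IP), plus one assumption of this example, that `allow-remote-requests=yes` should be paired with an enabled input-chain drop rule scoped by interface. The `parse` and `audit` helpers are hypothetical names; the sample text is an excerpt of the first post's export with wrapped lines rejoined.

```python
import ipaddress
import shlex

# Sample input: excerpt of the export in the first post, wrapped lines rejoined.
EXPORT = """\
/ip address
add address=192.168.101.254/26 interface=BRIDGE-LAN network=192.168.101.192
add address=192.168.101.1/28 interface=BRIDGE-CAMERE network=192.168.101.0
/ip dhcp-server network
add address=192.168.101.0/28 dns-server=8.8.8.8 gateway=192.168.101.1
add address=192.168.101.192/26 dns-server=172.23.2.2 gateway=192.168.101.254
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input disabled=yes in-interface-list=!LAN
"""

def parse(export):
    """Return {menu: [{key: value}, ...]} for the add/set lines of an export."""
    menus, menu = {}, None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif menu and line.split(" ", 1)[0] in ("add", "set"):
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            menus.setdefault(menu, []).append(dict(pairs))
    return menus

def audit(export):
    cfg, findings = parse(export), []
    router_ips = {ipaddress.ip_interface(a["address"]).ip
                  for a in cfg.get("/ip address", [])}
    # DHCP networks that hand clients a resolver other than the router itself.
    for net in cfg.get("/ip dhcp-server network", []):
        for dns in filter(None, net.get("dns-server", "").split(",")):
            if ipaddress.ip_address(dns) not in router_ips:
                findings.append(f"dhcp {net['address']}: clients get DNS {dns}, not the router")
    # Heuristic (assumption of this example): a router resolver that accepts
    # remote requests needs an enabled input drop rule matching on interface.
    remote = any(d.get("allow-remote-requests") == "yes" for d in cfg.get("/ip dns", []))
    guarded = any(r.get("chain") == "input" and r.get("action") == "drop"
                  and r.get("disabled") != "yes"
                  and ("in-interface" in r or "in-interface-list" in r)
                  for r in cfg.get("/ip firewall filter", []))
    if remote and not guarded:
        findings.append("dns: allow-remote-requests=yes, no enabled input drop by interface")
    return findings
```

The findings are only pointers for review: whether a handed-out resolver is reachable still depends on the routes and NAT rules in the rest of the export.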