davidungurean
just joined
Topic Author
Posts: 3
Joined: Sat Jun 13, 2020 12:07 am

DNS not resolving domain names

Sat Jun 13, 2020 12:20 am

Hi friends,
Can anyone help me understand why my computers behind the MikroTik router cannot resolve domain names?
Here is my config:

# jun/12/2020 20:26:18 by RouterOS 6.42.5
# software id = JSTP-DCW3
#
# model = RB750Gr3
# serial number = 8AFF09C18EF7
/interface bridge
add fast-forward=no name=BRIDGE-CAMERE
add fast-forward=no name=BRIDGE-LAN
/interface pptp-client
add connect-to= disabled=no name=PPTP-CLP password= user=\

/interface vlan
add interface=BRIDGE-CAMERE name=VLAN-CAMERE vlan-id=200
add interface=BRIDGE-LAN name=VLAN-LAN vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=POOL-LAN ranges=192.168.101.193-192.168.101.253
add name=POOL-CAMERE ranges=192.168.101.2-192.168.101.14
/ip dhcp-server
add address-pool=POOL-LAN disabled=no interface=BRIDGE-LAN name=DHCP-LAN
add address-pool=POOL-CAMERE disabled=no interface=BRIDGE-CAMERE name=\
DHCP-CAMERE
/user group
add name=GroupFTP policy="ftp,read,write,test,!local,!telnet,!ssh,!reboot,!pol\
icy,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
/interface bridge port
add bridge=BRIDGE-CAMERE comment=defconf interface=ether2
add bridge=BRIDGE-LAN comment=defconf interface=ether3
add bridge=BRIDGE-LAN comment=defconf interface=ether4
add bridge=BRIDGE-LAN comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.101.254/26 comment=::LAN interface=BRIDGE-LAN network=\
192.168.101.192
add address=192.168.100.101/24 comment=::WAN interface=ether1 network=\
192.168.100.0
add address=192.168.101.1/28 comment=LAN interface=BRIDGE-CAMERE network=\
192.168.101.0
/ip dhcp-server network
add address=192.168.101.0/28 dns-server=8.8.8.8 gateway=192.168.101.1
add address=192.168.101.192/26 dns-server=172.23.2.2 gateway=192.168.101.254
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=21 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-port=22,8291,8728,80 protocol=tcp \
src-address=192.168.0.0/16
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat dst-address=172.23.2.0/24 out-interface=\
PPTP-CLP
add action=masquerade chain=srcnat out-interface=PPTP-CLP src-address=\
192.168.0.0/18
/ip route
add distance=1 gateway=192.168.100.1
add distance=1 dst-address=172.23.2.0/24 gateway=PPTP-CLP
add distance=1 dst-address=192.168.0.0/18 gateway=PPTP-CLP
/ip tftp
add ip-addresses=0.0.0.0
/system routerboard settings
set silent-boot=no

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks
 
WeWiNet
Long time Member
Posts: 591
Joined: Thu Sep 27, 2018 4:11 pm

Re: DNS not resolving domain names

Tue Jun 16, 2020 4:05 pm

You need to add the VLAN as ports to the bridge... in Winbox --> BRIDGE --> VLAN
Example: If the WiFi interface is part of the VLAN, then you need to add it there.
Same for an ethernet port.

If you do not do that, the VLAN will not see the DHCP leases from the bridge.

OH! Sorry, I did not see you are on very old FW! 6.42. !!!
You should absolutely upgrade as that FW is unsafe...
VLAN handling has changed over time and is now done differently.
 
mutluit
Forum Veteran
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: DNS not resolving domain names

Tue Jun 16, 2020 4:14 pm

> Hi friends,
> Can anyone help me understand why my computers behind the MikroTik router cannot resolve domain names?
> Here is my config:

Do your computers get their IPs via DHCP?
If they have static IPs then you have to specify the DNS server manually on the PCs.

What is the output of this command on the PC:
nslookup google.com
 
davidungurean
just joined
Topic Author
Posts: 3
Joined: Sat Jun 13, 2020 12:07 am

Re: DNS not resolving domain names

Tue Jun 16, 2020 4:32 pm

Yes, my computers get their IPs via DHCP, including the DNS server. They don't have static IPs.

The result of nslookup google.com is:

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 8.8.8.8

Thank you
 
davidungurean
just joined
Topic Author
Posts: 3
Joined: Sat Jun 13, 2020 12:07 am

Re: DNS not resolving domain names

Tue Jun 16, 2020 4:35 pm

> You need to add the VLAN as ports to the bridge... in Winbox --> BRIDGE --> VLAN
> Example: If the WiFi interface is part of the VLAN, then you need to add it there.
> Same for an ethernet port.
>
> If you do not do that, the VLAN will not see the DHCP leases from the bridge.
>
> OH! Sorry, I did not see you are on very old FW! 6.42. !!!
> You should absolutely upgrade as that FW is unsafe...
> VLAN handling has changed over time and is now done differently.

Dear WeWiNet,

I've followed your advice, but the result is the same.
I added a new bridge VLAN and the VLAN IDs, and it is not working.

Thanks
 
mutluit
Forum Veteran
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: DNS not resolving domain names

Tue Jun 16, 2020 4:56 pm

> Yes, my computers get their IPs via DHCP, including the DNS server. They don't have static IPs.
>
> The result of nslookup google.com is:
>
> DNS request timed out.
> timeout was 2 seconds.
> Server: UnKnown
> Address: 8.8.8.8

This indicates that the DNS server setting on the PC is wrong or couldn't be set / retrieved.

To diagnose the error, you should test with a manually assigned static IP and DNS server IP on the PC.
Of course, the IP and subnet mask must be in the same subnet as the router's LAN side.
The IP of the DNS server must be that of the router (i.e. the LAN side IP).

Btw, I just don't get why people unnecessarily complicate their lives by using VLAN :-). VLAN is intended for switches in ISP rooms with many ports like 24 or 48 ports, but surely not with a home router with 5 ports. Not even in corporate LANs, IMHO. Have fun VLAN users! :-) (Or should I say VLAN losers? :-))
Last edited by mutluit on Tue Jun 16, 2020 5:21 pm, edited 3 times in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS not resolving domain names

Tue Jun 16, 2020 5:06 pm

Here is what I would do......
Read through this article as the best guide on how to setup vlans........
viewtopic.php?f=13&t=143620

For simplicity and clarity (readability)
USE TWO DIFF subnets for your vlans, 192.168.10.x for one, and 192.168.20.x for the other.
You only need one bridge, the vlans give you L2 separation.
interface list members should include the vlans for LAN
associate the ip addresses with the VLANs.

Your FW rules are hosed,
The order is all wrong and important,
Some of your rules in the input chain look like dstnat rules to me.
 
mutluit
Forum Veteran
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: DNS not resolving domain names

Tue Jun 16, 2020 5:14 pm

@anav, IMO there is ZERO need for VLAN with routers, especially not in a home environment, nor in a corporate LAN. VLAN might maybe be good for carriers, i.e. ISPs with L2 switches only...
 
WeWiNet
Long time Member
Posts: 591
Joined: Thu Sep 27, 2018 4:11 pm

Re: DNS not resolving domain names

Tue Jun 16, 2020 7:20 pm

davidungurean, what I told you is only valid for 6.44(?) and more recent.
ROS changed the way to set up/manage VLANs.

I don't remember how it was done in the past.
I would recommend you move to the latest FW first, maybe remove the VLAN and see if all works.
Then add in VLANs...
 
BlackRat
Frequent Visitor
Posts: 97
Joined: Sat Jul 21, 2012 8:37 am

Re: DNS not resolving domain names

Mon Nov 28, 2022 9:04 pm

Try to add an access rule at the top:
add action=accept chain=input comment="ESTABLISHED, RELATED" connection-state=established,related
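
The input-chain points raised in this thread (rule order, and the established,related accept that is disabled in the posted export) can be checked mechanically. The following is an added example, not part of any post and not a MikroTik tool: a Python audit over a constructed excerpt of the export from the first post, where `parse` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample: the /ip dns line and the input-chain rules from the export
# in the first post, copied with their backslash line continuations.
EXPORT = r'''/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip firewall filter
add action=accept chain=input dst-port=21 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-port=22,8291,8728,80 protocol=tcp \
src-address=192.168.0.0/16
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
'''

def parse(export):
    """Join backslash continuations; return (section, {key: value}) per add/set line."""
    section, rows = None, []
    for line in re.sub(r'\\\n\s*', '', export).splitlines():
        if line.startswith('/'):
            section = line.strip()
        elif line.startswith(('add ', 'set ')):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)
            rows.append((section, {k: v.strip('"') for k, v in pairs}))
    return rows

def audit(export):
    """Report input-chain gaps; hypothetical helper, not a RouterOS tool."""
    rows = parse(export)
    live = [r for s, r in rows if s == '/ip firewall filter'
            and r.get('chain') == 'input' and r.get('disabled') != 'yes']
    found = []
    if not any(r['action'] == 'accept' and 'established' in r.get('connection-state', '')
               for r in live):
        found.append('no enabled accept for established,related on input')
    # A drop that only matches connection-state=invalid is not a catch-all.
    if not any(r['action'] == 'drop' and 'connection-state' not in r for r in live):
        found.append('no enabled general drop on input; unmatched packets are accepted')
        if any(s == '/ip dns' and r.get('allow-remote-requests') == 'yes' for s, r in rows):
            found.append('allow-remote-requests=yes: resolver reachable on every interface')
    return found

if __name__ == '__main__':
    print('\n'.join(audit(EXPORT)))
```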
 
Guscht
Member Candidate
Posts: 236
Joined: Thu Jul 01, 2010 5:32 pm

Re: DNS not resolving domain names

Mon Nov 28, 2022 9:28 pm

> IMO there is ZERO need for VLAN with routers, especially not in a home environment, nor in a corporate LAN. VLAN might maybe be good for carriers, i.e. ISPs with L2 switches only...

VLANs are an integral, fundamental component of any network in which a segregation between layer 2 domains is necessary.
In a home environment, a guest network, an IoT network or a DMZ for a self-hosted webserver are a few examples for VLANs.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS not resolving domain names

Mon Nov 28, 2022 9:41 pm

Concur Guscht, mutluit is out to lunch. As soon as you say guest network in a home scenario, a vlan is a natural path, and of course all the other types of entities you may have at home.
