DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
DNS problems over LAN to LAN VPN
- runningdeere
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 97
- Thank you received: 0
13 May 2020 09:41 #96188
by runningdeere
DNS problems over LAN to LAN VPN was created by runningdeere
Hi,
I have 2 sites connected by an IPSec LAN to LAN VPN connection.
Site 1 uses IP range 192.168.100.0 / 24 - router 2860
Site 2 uses IP range 192.168.110.0 / 23 - router 2862
Site 2 dials in to Site 1.
I have a PIHole DNS server at site 1.
The router at site 2 is set as DHCP server (addresses on the 192.168.111.0 subnet) and to use 192.168.100.105 as the DNS server.
This all worked perfectly well until a couple of days ago when I switched ISP at site 2.
Now, while the VPN establishes perfectly well, I can ping machines through the VPN,and other services work as expected, DNS queries from Site 2 do not seem to be routed through to the server at site 1. The machines have the correct DNS address, but if I do an nslookup they time out.
I have added routing rules in at both ends (never needed anything previously) but that has not helped.
I can't see that the change of ISP has anything to do with this, as the VPN itself is working, and this traffic should just be routed through that. I did swap the router at Site 2 at the same time, but for an identical model, and I started with a configuration backup from the previous one.
Has anybody any ides please, it's driving me mad!
Thank you
I have 2 sites connected by an IPSec LAN to LAN VPN connection.
Site 1 uses IP range 192.168.100.0 / 24 - router 2860
Site 2 uses IP range 192.168.110.0 / 23 - router 2862
Site 2 dials in to Site 1.
I have a PIHole DNS server at site 1.
The router at site 2 is set as DHCP server (addresses on the 192.168.111.0 subnet) and to use 192.168.100.105 as the DNS server.
This all worked perfectly well until a couple of days ago when I switched ISP at site 2.
Now, while the VPN establishes perfectly well, I can ping machines through the VPN,and other services work as expected, DNS queries from Site 2 do not seem to be routed through to the server at site 1. The machines have the correct DNS address, but if I do an nslookup they time out.
I have added routing rules in at both ends (never needed anything previously) but that has not helped.
I can't see that the change of ISP has anything to do with this, as the VPN itself is working, and this traffic should just be routed through that. I did swap the router at Site 2 at the same time, but for an identical model, and I started with a configuration backup from the previous one.
Has anybody any ides please, it's driving me mad!
Thank you
Please Log in or Create an account to join the conversation.
- hornbyp
- Offline
- Big Contributor
Less
More
- Posts: 1323
- Thank you received: 0
19 May 2020 03:30 #96229
by hornbyp
Can you 'Ping' the DNS server (192.168.100.105) from a machine on Site 2's LAN? (Does 192.168.100.105 know how to reach the 192.168.110.0/23 (or is it 111.0/24? ) network?)
You can try "Diagnostics >> Route Policy Diagnosis " and/or 'Tracert' to try and figure out where your DNS lookups should go @ the Router level.
(I'm assuming there's no accidental firewall rule blocking DNS - either on the router or the client )
Replied by hornbyp on topic Re: DNS problems over LAN to LAN VPN
runningdeere wrote:
Site 2 uses IP range 192.168.110.0 / 23 - router 2862
The router at site 2 is set as DHCP server (addresses on the 192.168.111.0 subnet) and to use 192.168.100.105 as the DNS server.
Can you 'Ping' the DNS server (192.168.100.105) from a machine on Site 2's LAN? (Does 192.168.100.105 know how to reach the 192.168.110.0/23 (or is it 111.0/24?
You can try "
(I'm assuming there's no accidental firewall rule blocking DNS - either on the router or the client )
Please Log in or Create an account to join the conversation.
- runningdeere
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 97
- Thank you received: 0
20 May 2020 20:02 #96233
by runningdeere
Replied by runningdeere on topic Re: DNS problems over LAN to LAN VPN
Hi,
Apologies for the delay in replying.
So I can ping out from site 2 to the DNS server at site 1 on 192.168.100.105, and I can ping in the other direction.
I have the problem on multiple clients so that rules out any firewall issues on the clients. I only really have the default firewall rules currently set on the routers. I can try disabling them at both ends to see if that helps, but everything else appears to work as expected through the vpn apart from DNS.
if I use the Route Policy Diagnosis, on the router at site 2, it says the packet gets sent down the vpn link.
If I do the check on the router at site 1, I get a message 'The packet was dropped It did not come from one of router's legitimate subnets' - I'm assumiing that's because it's not from a local address.
My Clients list the first DNS server as 192.168.100.105
The machine running PiHole on 192.168.100.105 has it's firewall disabled.
if I do a tracert from site 2 to 192.168.100.105 I see what I would expect, which is the 2 routers and then the target machine.
After a bit more investigation, it appears that if I run DNS on another machine (Windows server) on site 1, machines on site 2 can see that.
So it looks like the routers are working properly after all (Not surprising really since I've never had this trouble before)
So the problem must lie on the target machine, either due to an OS update or Pi-Hole update.
Thank you for your help.
Paul
Apologies for the delay in replying.
So I can ping out from site 2 to the DNS server at site 1 on 192.168.100.105, and I can ping in the other direction.
I have the problem on multiple clients so that rules out any firewall issues on the clients. I only really have the default firewall rules currently set on the routers. I can try disabling them at both ends to see if that helps, but everything else appears to work as expected through the vpn apart from DNS.
if I use the Route Policy Diagnosis, on the router at site 2, it says the packet gets sent down the vpn link.
If I do the check on the router at site 1, I get a message 'The packet was dropped It did not come from one of router's legitimate subnets' - I'm assumiing that's because it's not from a local address.
My Clients list the first DNS server as 192.168.100.105
The machine running PiHole on 192.168.100.105 has it's firewall disabled.
if I do a tracert from site 2 to 192.168.100.105 I see what I would expect, which is the 2 routers and then the target machine.
After a bit more investigation, it appears that if I run DNS on another machine (Windows server) on site 1, machines on site 2 can see that.
So it looks like the routers are working properly after all (Not surprising really since I've never had this trouble before)
So the problem must lie on the target machine, either due to an OS update or Pi-Hole update.
Thank you for your help.
Paul
Please Log in or Create an account to join the conversation.
Moderators: Chris, Sami
Copyright © 2024 DrayTek