DNS requests are not working
Team,
I have a customer who is using 6 of these ER605-V2 routers.
We cannot get DNS working on all 6, even with just one additional VLAN (besides the default management VLAN 1).
The things we tried:
* Tried with Google and Cloudflare DNS servers on the WAN and LAN side (with or without DHCP)
* Disabled DHCP on the LAN side and used Pi-hole/dnsmasq as DHCP and DNS server
* Proxy with DoH to Cloudflare
* Factory reset and running in standalone mode (with and without DHCP on the LAN side)
* Ping and tracert executed from the router itself
* Replaced one ER605 with an ER707-M2
Only the ER707 setup is working as expected.
It looks like all the ER605 routers are blocking all DNS requests, regardless of their settings.
As if there is some hidden ACL rule blocking all DNS traffic.
Please advise - where to go from here?
With warm regards - Will
@MR.S remember this DNS problem with the ER605 router bench?
We were finally able to solve it (or at least have a workaround).
We eventually started testing with OPNsense and ran into the same issue, only less consistently.
It turned out that this was because OPNsense has some sort of watchdog running, which restarts the DNS service once it fails.
We fixed this with an Omada switch.
The OPNsense and/or ER605 routers are attached to ports running with PVID 4080 in isolation mode.
The port with the ISP router (and the actual access to the internet) was also running with PVID 4080, but without port isolation.
When we replace the Omada switch with a basic unmanaged switch, sooner or later the problem comes back.
I have no clue what this port isolation mode is actually doing, but everything has been running as expected for a few weeks now.
Cheers - Will
That sounds very strange. I have several ER605v2 that do not have this problem. It's a blind shot, but have you tried upgrading to the latest version that came out today?
Another thing you can try is to set the DNS server to auto on the LAN/VLAN interfaces and activate the DNS proxy; try DoH and choose Cloudflare or Google as provider.
Thank you for the suggestions.
Tried the firmware upgrade released earlier today - no improvement.
The same for the DoH proxy with Cloudflare or any of the others.
Even a ping test and tracert test on the router itself fail.
I tried with google.com, cisco.com and microsoft.com.
In all cases the response for the ping was:
There is no response from DNS.
please check the domain name or DNS.
=====
The output of the tracert was:
BAD ADDRESS
Trace Complete.
=====
It doesn't matter if the router does the DNS request or something external does - all DNS requests are blocked, as if there is an ACL rule.
To me this looks like a serious issue in the router (hardware and/or firmware), also because the issue shows in stand-alone mode as well as controller mode.
Will try an ER7206-V2 later today to see if that helps. If yes, we will ask TP-Link/Omada for a refund of the ER605-V2 routers
and replace them with ER7206-V2.
=====
Any suggestions?
It sounds very strange if something is blocked on the ER605v2; I don't think it's on the router. I have 3 myself: 2 use normal DNS defined on the LAN/VLAN interface, 1 uses DoH.
One last question: are you using DNS cache on the router? If yes, try deactivating the cache.
I have one more question: are all these routers out at the customer's, or all connected on the bench before you deliver?
Tried with DNS cache enabled and disabled - no difference.
All routers are on the prep/staging bench on the customer site.
Each router is managed by the same controller - just with a different location name.
Also tried with a different controller and stand-alone mode - no difference.
OK, then I know what the problem is. I had the same problem 4-5 years ago with the ER605v1. If I connected 2 or more ER605v1 to the same switch on the WAN, the network did not work for one of the ER605s. An ER605v1 and an ER7206v1 worked together; the same with the ER7206: 2 or more and the network did not work. When the ER605v2 arrived I ordered two and connected these to the WAN on the same switch, and the same thing happened. So I found out that you can have many TP-Link routers of different models and versions on the same switch, but no two TP-Link routers of the same model and version.
That's why the ER707-M2 worked for you. If I had to guess, two ER707-M2s don't work either if you connect the WAN to the same switch.
I tried to take this up with support, but at the time TP-Link had a policy that the customer is always wrong, so I didn't get anywhere with the matter; it was rejected by TP-Link.
Try to connect only one ER605v2 to the switch and it will work for sure. You can connect an ER707-M2 and both will work, but if you connect a second ER605v2, one of the ER605v2s will not work.
Thank you for sharing this experience - great!
Does this problem happen if all routers are connected to the same switch via the LAN side?
Or does this also happen when they are all connected to the same switch via the WAN side?
And regarding the LAN side:
Would different management VLANs/subnets make a difference?
For example, assign a different PVID on the LAN ports for each router?
Meaning router A has PVID A on all LAN ports, router B has PVID B on all LAN ports, etc.
Including a different subnet => the connected switch has L3 capabilities with static routes,
where I can use an ACL to prevent them seeing each other.
Alternatively, I could use ACL rules on the switch to prevent the routers from seeing each other?
My experience is that this only applies if the routers are connected to a switch on the WAN side. It happens regardless of whether the router is controlled or stand-alone; it happens if you have no configuration at all: you can connect a new router's WAN to a switch and only one router will work.
I think there is something in the hardware that creates a conflict; it applies to completely identical routers with the same hardware version. You can use an ER605v1 and an ER605v2 together, but not two with the same version.
I had completely forgotten about this until I thought a little more about your case, which seemed very strange and familiar :-)
There is no problem; everything will work when you set up the routers at the customer, but you have to configure one router at a time - don't connect them all at the same time on the workbench.
But I'm amazed that TP-Link hasn't figured this out in almost 5 years.
You can try with some VLAN/ACL. I have not tried this. I had two routers connected to a WAN switch at the time I was doing this, but found that it was not possible.
I also don't think it's just DNS that's the problem, so the title is a bit wrong :-), but it's not so easy to define the problem sometimes. I don't think you can ping anything by IP either. When I was doing this I completely lost communication to the internet, so nothing worked.
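The earlier post where ping and tracert on the router failed with "There is no response from DNS", and the last reply pointing out that the fault is probably not DNS at all, both come down to the same triage question: is it name resolution that is blocked, or is there simply no IP path out? The script below is an added example, written for this thread and not code from any of the posts or from TP-Link. Run from a host behind the suspect router, it tests the layers separately: a TCP handshake to a public resolver's address (no name involved, so pure IP reachability), a hand-built UDP DNS query to port 53, and a TCP connect to port 53, then reports which fault domain the combination points to. The resolver addresses 1.1.1.1 and 8.8.8.8, port 443 as the reachability probe, and example.com as the query name are assumptions; the WAN-switch interaction between identical routers described above is not something a host behind one of them can observe directly.

```python
"""Layered WAN triage: tell 'DNS is filtered' apart from 'nothing gets out'.

Added example for this forum thread, not code from the posts or from TP-Link.
Assumptions: the resolver IPs below answer on UDP/53, TCP/53 and TCP/443 when
the WAN path is healthy; run it on a host behind the router under test.
"""
import random
import socket
import struct

RESOLVERS = ["1.1.1.1", "8.8.8.8"]   # assumed reachable by IP when the WAN works
TIMEOUT = 3.0                        # seconds per probe


def build_query(name: str, qid: int) -> bytes:
    """Encode a standard recursive A query for `name` in RFC 1035 wire format."""
    # id, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data: bytes, qid: int) -> dict:
    """Extract id match, QR bit, RCODE and answer count from a raw DNS reply header."""
    if len(data) < 12:
        raise ValueError("short DNS reply")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id_ok": rid == qid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}


def probe_udp_dns(server: str, name: str = "example.com") -> bool:
    """True if a UDP/53 query to `server` gets a matching NOERROR reply with answers."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(TIMEOUT)
        try:
            s.sendto(build_query(name, qid), (server, 53))
            data, _ = s.recvfrom(512)
        except OSError:            # timeout, ICMP unreachable, no route
            return False
    try:
        r = parse_response(data, qid)
    except ValueError:
        return False
    return r["id_ok"] and r["is_response"] and r["rcode"] == 0 and r["answers"] > 0


def probe_tcp(server: str, port: int) -> bool:
    """True if a TCP handshake to server:port completes (IP reachability, no names)."""
    try:
        with socket.create_connection((server, port), timeout=TIMEOUT):
            return True
    except OSError:
        return False


def classify(ip_reachable: bool, udp_dns_ok: bool, tcp_dns_ok: bool) -> str:
    """Map the three probe results to the fault domain worth investigating next."""
    if not ip_reachable:
        return "no IP path to the internet: not a DNS-only fault, look at the WAN/switch side"
    if udp_dns_ok:
        return "DNS works over the WAN: look at the client or router DNS configuration"
    if tcp_dns_ok:
        return "UDP/53 filtered but TCP/53 open: DNS-specific filtering in the path"
    return "IP path up but port 53 blocked on UDP and TCP: DNS-specific filtering in the path"


def triage(name: str = "example.com") -> dict:
    """Probe every resolver and return {resolver: verdict}."""
    results = {}
    for server in RESOLVERS:
        ip_ok = probe_tcp(server, 443)          # reached by address only
        udp_ok = probe_udp_dns(server, name)
        tcp_ok = probe_tcp(server, 53)
        results[server] = classify(ip_ok, udp_ok, tcp_ok)
    return results


if __name__ == "__main__":
    for server, verdict in triage().items():
        print(f"{server}: {verdict}")
```

A router whose own ping of google.com reports a DNS error but which also cannot complete the TCP/443 handshake to 1.1.1.1 lands in the first verdict, which matches what the thread eventually found: the WAN path itself was down, and DNS was merely the first thing to notice.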
Views: 1964
Replies: 29