SRM and DNS Resolution

Hi!

A few days ago, I set up a Mesh Wifi System for a customer with this configuration:

"Router ISP" ---- WAN PORT ----> RT6600ax (working in Wireless AP mode).
And from the RT6600ax I use these LAN ports:
Port 1: Goes to an unmanaged switch.
Port 2: Goes to a WRX560.
Port 3: Goes to TV.

And from unmanaged Switch:
Port 1: comes from RT6600ax
Port 2: Goes to a WRX560
Port 3: Goes to a WRX560
Port 4: Goes to a WRX560
Port 5: Goes to a WRX560
Port 6: Goes to a WRX560

On the RT6600ax, there are two networks: main and guest, with their respective wifis.
People can navigate and use the guest wifi without problem over all the mesh wifi.
But people can only navigate over the main wifi if they connect using the RT6600ax as an access point.
They cannot if they use another access point (any of the WRX560).

After this, I tried to test the wired connections, with these results:
we cannot navigate if we use any of the LAN ports of any device.
At first I thought it was a basic network problem, but it is not.
After a lot of checks, and a ticket opened with Synology support, I found the main issue.
Note: Synology Support Level is very bad. I only receive responses like this: try to change router mode, .....
It is a DNS resolution problem.
We can only navigate to Google services!

I checked this:

1) Check connection and DNS resolution when I connect directly to the ISP router:
Works as expected.
2) Check connection and DNS resolution from wired connection or from router directly (SSH):
It fails.
Some examples:
root@Restaurant:~# more /etc/resolv.conf <---- DO NOT WORRY ABOUT THIS: I TRY A LOT OF COMBINATIONS OF DNS SERVERS ....
nameserver 192.168.1.230 <---- DNS SERVER IN ROUTER (I TRY TO UNINSTALL AND IT DOES NOT WORK)
nameserver 1.1.1.1
root@Restaurant:~# traceroute google.com
traceroute to google.com (142.250.200.110), 30 hops max, 46 byte packets
1 192.168.1.1 (192.168.1.1) 0.924 ms 0.861 ms 0.752 ms
2 100.64.254.254 (100.64.254.254) 16.930 ms 19.782 ms 16.975 ms
3 10.7.8.37 (10.7.8.37) 40.234 ms 38.906 ms 39.015 ms
4 37.red-215-142-78.static.citelia.es (78.142.215.37) 33.679 ms 37.498 ms 42.247 ms
5 google.baja.espanix.net (193.149.1.94) 41.830 ms 37.132 ms 40.897 ms
6 108.170.253.241 (108.170.253.241) 44.002 ms 108.170.253.225 (108.170.253.225) 40.616 ms 108.170.253.241 (108.170.253.241) 41.023 ms
7 142.251.60.115 (142.251.60.115) 36.827 ms 36.627 ms 209.85.247.245 (209.85.247.245) 39.820 ms
8 mad41s13-in-f14.1e100.net (142.250.200.110) 34.955 ms 45.757 ms 40.304 ms
root@Restaurant:~# traceroute youtube.com
traceroute to youtube.com (142.250.184.174), 30 hops max, 46 byte packets
1 192.168.1.1 (192.168.1.1) 1.919 ms 1.263 ms 0.686 ms
2 100.64.254.254 (100.64.254.254) 17.697 ms 18.299 ms 17.175 ms
3 10.7.8.37 (10.7.8.37) 33.023 ms 38.197 ms 39.455 ms
4 37.red-215-142-78.static.citelia.es (78.142.215.37) 33.071 ms 96.813 ms 63.964 ms
5 213.249.106.41 (213.249.106.41) 37.821 ms 33.246 ms 52.918 ms
6 72.14.203.172 (72.14.203.172) 42.426 ms 38.829 ms 39.348 ms
7 74.125.242.177 (74.125.242.177) 43.084 ms 36.667 ms 40.380 ms
8 142.250.213.125 (142.250.213.125) 39.430 ms 39.031 ms 37.909 ms
9 mad07s23-in-f14.1e100.net (142.250.184.174) 32.958 ms 39.235 ms 38.926 ms
root@Restaurant:~# traceroute elpais.com
traceroute to elpais.com (96.16.88.134), 30 hops max, 46 byte packets
1 192.168.1.1 (192.168.1.1) 0.961 ms 1.292 ms 2.293 ms
2 100.64.254.254 (100.64.254.254) 18.809 ms 16.850 ms 18.192 ms
3 10.7.8.37 (10.7.8.37) 38.193 ms 38.153 ms 41.769 ms
4 37.red-215-142-78.static.citelia.es (78.142.215.37) 38.898 ms 38.169 ms 39.573 ms
5 213.249.106.41 (213.249.106.41) 41.754 ms 68.663 ms 43.786 ms
6 213.249.120.94 (213.249.120.94) 65.674 ms 42.936 ms 36.786 ms
7 195.10.46.201 (195.10.46.201) 38.351 ms 35.619 ms 41.099 ms
8^C


Looking at another thread, it seems that it can be related to NTP config.
I tried to use different servers, but it does not work.
Any idea?
 
It doesn't make much sense that the directly connected WRX560 also has the same problem as the others on the unmanaged switch. Have you checked the port settings?

On the RT6600ax you would set its LAN ports using Network Center / Local Network / Network / VLAN Tag. This is mine where all ports are defaulted to primary LAN but can be used for the other VLANs if a device has its interface configured to tag one of the IDs. Though I have the RT6600ax in router mode, not access point, and a managed switch between it (on Port 1) and my sole WRX560.


Without a managed switch you won't isolate primary and guest networks, as this needs you to configure 802.11q VLANs on the switch:
  • VLAN ID 1 is used for the primary LAN. Usually this is the default tag and used for untagged ports.
  • VLAN ID 1733 is used for the guest LAN.
  • On the switch you would have its ports:
    • Untagged for VLAN ID 1, but assigning Port VLAN ID of 1. The switch will add tag ID 1 to untagged packets on ingress and remove the tag on egress.
    • Tagged for VLAN ID 1733.
    • Tagged for other VLAN IDs that you use.


I'm not sure that traceroute (tracert) is showing a DNS issue since it actually started tracing the route to the requested destination. If the resolution hadn't happened then traceroute wouldn't have even started, since it wouldn't know where to go. Some traceroute destinations will start to fail if those networks are configured not to respond back. You would be using nslookup and/or dig to test DNS resolution.
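
The check that reply recommends, as an added example that is not part of the thread: each nameserver in a resolv.conf is queried on its own with dig, so a resolver that times out or answers only some names shows up by itself. It assumes dig is installed on the test host; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: query every resolver separately instead of relying on
# traceroute, which only starts after a name has already been resolved.
# Assumption: dig is available on the host running the check.

# Print the nameserver addresses listed in a resolv.conf-style file.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Classify raw `dig +short` output:
#   TIMEOUT  - dig printed its "could not reach the server" diagnostic
#   OK       - at least one line is an IPv4 address
#   NOANSWER - the server replied but returned no A record
classify_answer() {
    case "$1" in
        *"timed out"*|*"no servers could be reached"*) echo TIMEOUT; return ;;
    esac
    if printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
        echo OK
    else
        echo NOANSWER
    fi
}

# Ask one resolver for the A record of one name (2 s timeout, one try).
check_one() {
    out=$(dig +short +time=2 +tries=1 "@$1" "$2" A 2>&1)
    printf '%-16s %-16s %s\n' "$1" "$2" "$(classify_answer "$out")"
}

# Run every name against every resolver found in the given file.
check_all() {
    conf=$1; shift
    for ns in $(list_nameservers "$conf"); do
        for name in "$@"; do check_one "$ns" "$name"; done
    done
}

# Usage: sh dnscheck.sh /etc/resolv.conf google.com elpais.com
if [ "$#" -ge 2 ]; then check_all "$@"; fi
```

A TIMEOUT on every name points at reachability of that resolver (port 53 blocked or the server down), while OK for some names and NOANSWER or TIMEOUT for others on the same resolver points at the resolver or its forwarders.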
 
Hi!
Thanks for your quick response.
The problem is not in the WRX560 access points or switch.
Let's make it easier:
If I connect to one of the LAN ports of the RT6600ax the behaviour is the same.
I get IP settings from the ISP router (DHCP) but DNS resolution is not working properly.
I also tried to SSH into the RT6600ax and do the same DNS resolution tests, without success.
Only one time, when I changed the NTP settings, I could see DNS resolution working fine, but after some time it failed again.
And I cannot reproduce it again.
I tried a lot of combinations of DNS servers but without success.
The main question is:
why do Google services have good DNS resolution and the other ones do not?
Very mysterious.
 
traceroute to elpais.com (96.16.88.134), 30 hops max, 46 byte packets
So was this resolution when the RT6600ax was temporarily working correctly? And you use Cloudflare DNS server?

Did you test when the RT6600ax was disconnected from all the WRX560? To start testing with only the first line of devices.
 
Yes, I tried with all the access points disconnected, with no luck.
When it works correctly, the resolution stack goes to the end without problem.
The change I made to make it work temporarily was:
Change NTP settings from Google servers to NTP servers in SRM settings.
I waited for the customer's tests, but after some hours I saw that it failed again.
I tried to change the NTP settings again and it does not work anymore.
Regards,
Jordi
 
Can you provide screenshots of SRM Network Center and WiFi Access. I run my RT6600ax in router mode so don’t know what happens in Access Point mode to the VLAN’ing on the WAN port vs the LAN ports. My guess is that the ISP router has to support VLANs and there could be a tag/untag issue. No idea yet why NTP would affect this.
 
On the SRM Internet settings why are you pointing the primary DNS server IP to the RT6600ax itself? Are you running DNS Server on it? If you aren't, I would expect you to be using the ISP router's IP or some other DNS server. If you are using DNS Server then in there you need to set forwarders in the Resolution setup.
 
Yes, I am using DNS Server on it.
But do not worry about this.
I tried everything before starting this thread:
1) Disabled the DNS Server and set up other DNS servers:
I tried the ISP DNS servers, Google DNS server, Cloudflare server, etc...
It does not work.
2) In DNS Server I set up forwarders
Yes, now it is forwarding to Cloudflare DNS servers.
The main issue here is that DNS queries do not work properly.
For Google services like google.com or youtube.com DNS resolution works properly.
If I try any other DNS resolution it does not end.
I SSH into SRM and try traceroute without success.

Regards,
Jordi
JOINSO
 
I won’t have time today, but maybe tomorrow, I might be able to set up my old RT2600ac+MR2200ac as an access point mesh and see what happens. It would be using the RT6600ax as the Internet router, I won’t reconfigure my ISP router out of bridge mode.

BTW is there a reason you don’t use the RT6600ax in router mode and the ISP router in bridge/modem mode?
 
Hi!
Thanks for the help.
There are some reasons why I use "Wireless AP mode".
1) I am not the owner of the ISP router:
It belongs to another company and I can only change a few things.
2) Mesh and Wireless AP Mode:
When I started to build the mesh system, the RT6600ax could not find the WRX560 if I set up the RT6600ax in "router mode".
When I set it up in "Wireless AP" mode, the RT6600ax started to find the access points and the wizard ended properly.
3) Synology recommends "Wireless AP" mode if you use with an ISP Router.
From: Operation Modes | SRM - Synology Knowledge Center
"This mode is recommended under the following circumstances:
Your Synology Router is already connected to an ISP modem or router for Internet access with an Ethernet cable."

Also I have more details:
Now I cannot change router modes, because this installation is 1h30m from me by car.
And the "hotel" and restaurant are happy with the status of the wifi.
The only pain is that we cannot use the LAN ports: one of these ports is used to send the wifi signal to another building using an external antenna.
And the TV only works using the wifi: the wired connection to the RT6600ax does not work (same DNS problem).
And I also found this interesting thread:

Regards,
Jordi
 
The LAN ports are [untagged] on the primary VLAN, so that's why you are finding you can't use them... you were having problems with the primary VLAN.


I set up my RT2600ac in Wireless AP mode with MR2200ac as mesh AP. From what I see:
  • The primary network settings apply to both the RT2600ac's Internet/WAN and the Primary VLAN (ID 1). So the main router will be supplying these via its DHCP service for primary LAN devices, though you may manually set them for Internet/WAN port.
  • The Guest VLAN on the RT2600ac allows it to be managed completely within the mesh. There is the Advanced setting to use NAT so Guest traffic to the main router will be hidden behind the RT2600ac's WAN IP. The RT2600ac runs the Guest DHCP service.
  • In this situation the main router is only aware of the primary VLAN devices, since the Guest VLAN is NAT'ed behind the RT2600ac primary VLAN IP.
So in Wireless AP mode the Guest VLAN is handled like a separate private LAN (similar to a basic home router) while the primary VLAN is part of the main router's LAN.

When I disable Guest VLAN's NAT and DHCP Service, and assigned non-clashing IP to RT2600ac, I can now use my RT6600ax (main router) to manage this VLAN... just like it is always doing on the primary VLAN.

So far I'm just doing things in Network Center and WiFi Connect. I haven't run DNS Server or Safe Access on the RT2600ac. But so far it's working for Primary and Guest VLANs, on wired and wireless. And I've not needed NTP changes, though if you have enabled 2FA login and you have a primary network issue then it could be the SRM time is drifting if NTP cannot be accessed.
 
Ok, thanks for the test!!!!
I do not have 2FA login, and I also made tests with DNS Server and Safe Access disabled, without success.
I am going to wait for a Synology Support response.
Here the main question is why the DNS resolution is not working, for example, inside the router (SSH).
Regards,
Jordi
-- post merged: --

And I add more notes:
At home, I have an RT2600ac working in wireless AP mode.
I only use it for wifi, but two days ago I tested with a wired cable, and it works perfectly.
Regards,
Jordi
 
