DNS issues?

Adcadet (Storage Freak; joined Jan 14, 2002; 1,873 messages; location 44.8, -91.5)
Very frustrated. Hoping this old gem of the internet can save me.

My two kids both have relatively new PCs, both running Windows 11. My wife and I run Windows 11 as well. My kids would each, individually, occasionally not be able to connect with Discord, Steam, or other gaming servers. I would flush the DNS cache, restart the machine, curse, and it would work again magically. Tonight my youngest's machine had this issue, and for the life of me, I can't get things working again. The easiest way for me to tell that the internet connectivity is borked is (not ironically) googling "DNS reddit" and then not being able to follow any of the links. Many other sites don't load as well (e.g. Nvidia). Trying wired, wireless, and USB wireless adapters didn't seem to help. Booting into a copy of Linux Mint live CD (USB) got the same errors. Using Windows' reset network feature didn't help, nor did a Windows 11 reset (both the shorter and longer versions). I tried turning off Windows Defender and antivirus. No help.

I suspect the issue is related to my network setup. My router is a Netgate appliance running pfSense. I have a virtual machine running PiHole. Disabling blocking made no difference. I tried setting the Netgate/pfSense to just use 8.8.8.8 and 8.8.4.4 (under general setup) and 1.1.1.1 and 1.0.0.1 under DHCP server/LAN with DNS resolver unchecked and DNS forwarder enabled. No joy.

When I manually set the computer's network card to use 8.8.8.8 and 8.8.4.4 under IPv4, Reddit loaded a few times before then refusing to work. Putting in the public DNS servers under IPv6 did not help.

Oddly, my other son is playing on his PC just fine the whole time, my PC is fine, and I can reboot my wife's PC and it works fine. No idea why the one PC seems so sensitive to what I suspect is a DNS issue.

I suspect I still have an issue with how I've set up pfSense, but I don't know enough about it. I hope I don't have to go back to using a junk consumer wifi router that just works.
 

ddrueding (Fixture; joined Feb 4, 2002; 19,878 messages; location Horsens, Denmark)
I agree that it feels like a pfSense config thing, but I don't know enough about it to recognize the issue. But before I went back to junk consumer stuff I'd format, reinstall, and reconfigure the Netgate using the latest version of pfSense.

Separately, does the PiHole run on the Netgate? What happens when you turn it off entirely?

Does your internet connection support DHCP? What happens when you connect the misbehaving PC directly to it? Or, if it has WiFi, hotspot your phone, connect the PC, and see if there are internet issues.
 

sedrosken (Florida Man; joined Nov 20, 2013; 2,075 messages; location Eglin AFB Area; website sedrosken.net)
Yeah, I use pfSense at home and it smacks of an obscure configuration issue but I couldn't tell you what. I'd maybe look at the time issue as well -- a few minutes makes a huge difference.
 

Adcadet (Storage Freak; joined Jan 14, 2002; 1,873 messages; location 44.8, -91.5)
In the morning all systems were working. Perhaps they just needed time to renew their DHCP leases?

Time drift could have been an issue. At one point my son's clock was clearly off, and I manually adjusted it.
 

Adcadet (Storage Freak; joined Jan 14, 2002; 1,873 messages; location 44.8, -91.5)
I run pfSense on a Netgate SG5100.

I have a TrueNAS Scale server running PiHole as an app. Before that, I did run a PiHole on an actual Raspberry Pi but got nervous running a critical piece of hardware on such consumer gear. I can't say I ever did much with the data from PiHole, and I'm not sure how much good it did me blocking ads. We'll see what life is like without it for a while.
 

Mercutio (Fatwah on Western Digital; joined Jan 17, 2002; 22,799 messages; location I am omnipresent)
pfSense supports pfBlockerNG, which is as good or better than running PiHole. It's just a service you can enable in DNS configuration on your appliance. In theory you can use both by making the pfSense DNS the upstream provider for PiHole but that's needless complexity IMO.
 

Adcadet (Storage Freak; joined Jan 14, 2002; 1,873 messages; location 44.8, -91.5)
At one point I used pfBlockerNG, but family approval factor was low and I liked the pretty graphics that PiHole offered instead. Maybe I'll look again at pfBlockerNG. So far nobody is complaining about the lack of ad blocking.

Do you guys run an ad blocker?
 

Mercutio (Fatwah on Western Digital; joined Jan 17, 2002; 22,799 messages; location I am omnipresent)
Do you guys run an ad blocker?

uBlock on Firefox and uBlock Lite on other browsers + some form of network-level blocker everywhere I have control over the network. I use DNS66 for Android, which functions as a VPN but exists entirely to redirect DNS queries. I like this better than Samsung's built-in DNS redirector, which for some reason breaks if you move between mobile and WLAN frequently. The only places where I see ads are mobile apps that have them baked-in and delivered via SSL, like Tumblr.

I also use SponsorBlock specifically to kill YouTube secondary annoyances. It's a browser add-on, but it's also baked in to SmartTube, the Android TV YouTube client I use.

pfBlockerNG should be transparent to members of your household, just like the PiHole. Was there something that just needed to be whitelisted somewhere?
 

Adcadet (Storage Freak; joined Jan 14, 2002; 1,873 messages; location 44.8, -91.5)
When the family is away I'll probably play with it. Appreciate the encouragement and reference.
 

Mercutio (Fatwah on Western Digital; joined Jan 17, 2002; 22,799 messages; location I am omnipresent)
I suspect that a physician doesn't have much time to mess with this stuff even if they want to.

On an unrelated note, I mentioned SmartTube up-thread. SmartTube's primary developer had his GitHub key exposed over the weekend, so he revoked his signature for the application, which should disable the existing version on anything with the Play Store Framework installed, even if the app itself isn't in the Play Store. There's a new version now with a new digital signature. As this link says, GitHub is the only official distribution point and the updated version should currently be 30.56.
 

Adcadet (Storage Freak; joined Jan 14, 2002; 1,873 messages; location 44.8, -91.5)
Indeed, work makes my computer add^^^^hobby challenging at times. Network hacking is particularly challenging since I do a lot of call from home and need a reliable internet connection so I can VPN into work.
 

Adcadet (Storage Freak; joined Jan 14, 2002; 1,873 messages; location 44.8, -91.5)
So...got wife a laptop and she had the DNS issue when moving between Wifi and wired. Very low spousal approval factor. And my kids will occasionally have that issue for a brief time before it seems to self-resolve. Super frustrating. Makes me want to move away from pfSense. I love the concept of open source stuff, but I fear that given my limited time commitment, running pfSense isn't awesome for me. And I barely understand the features - it seems there are a million ways of doing everything.

Other than super basic routing, I really only need assigned IP addresses. A house-wide ad blocker like Pi Hole would be great, but I can just run it on a virtual machine (I have a Proxmox machine that I barely use, and my storage servers run TrueNAS Core which has a Pi Hole app). My main switch is a Mikrotik CRS354-48P-4S+2Q+RM; any reason I shouldn't just run that as the router?

On the other hand, I kind of like having core functions on discrete devices that I can swap out. Is there a solid, easy to use router that isn't too expensive that people recommend? I wouldn't mind having two; having a backup I can swap out if I screw something up would be very convenient. I don't think I need routing at >1 Gbps but I wouldn't mind being able to connect to my switch faster if it made a difference. I get about 7000 Mbps downstream (according to Openspeedtest) which seems fine for my family (hmmm...that math doesn't math).

Just to be clear - I have a coax cable that brings in my internet which goes to an Arris SB6190 modem which then goes to the Netgate 4100 (I might have misidentified it above) that I use for routing, which then goes to the Mikrotik acting as a switch which connects directly to some devices, and to other runs in the house via a patch panel. The only VPN I use is for work and that's all in software now (they used to provide a physical VPN box that sat on my network). Connected to the switch are 4 commercial WiFi access points (all Asus devices; RT-AX82U, two RT-AX88U, and a RT-AX57 - I update

Anyone have any objection to what I'm using for WiFi access points? I realize they are simple consumer products. I check for firmware updates weekly which I hope mitigates security risks. I think they all do WiFi 6. Performance has been fine. I have very good coverage across my house and 8+ acres of land, with minimal signal making it onto my neighbor's property.
 

Mercutio (Fatwah on Western Digital; joined Jan 17, 2002; 22,799 messages; location I am omnipresent)
I don't think your issue is pfSense as such; I've done both pf- and OpnSense installations without running into this. But in your environment, where users regularly switch between wired and wireless, a couple things make sense to check. One of them is that you set your DHCP lease options in pfSense to something low, like 15 minutes. That means the client will query for updated info A LOT more often. That alone might solve the problem.

Another thing you can do is change the interface metric on your client's wired and wireless interfaces. I'm assuming the bother happens when the systems are disconnected from the LAN (and also that your clients are on Windows), so if you head over to Wifi and Ethernet whatever in Network Connections, look at IPv4 Properties, Advanced. Untick the box for Automatic Metric on both Wifi and Ethernet. You'll then be allowed to assign a value to both. Make sure that Ethernet has a much higher value than Wifi. This should cause your clients to prefer to get Wifi connectivity settings in preference to Ethernet.

I'm sure your Wifi is fine, but something you could do is make a switch to a managed platform like either Ubiquiti or Omada. At that point, you'd only have one controller to manage for all your needs. You could still run PiHole or keep pfBlockerNG online in that scenario, or you could switch to Adguard's Public DNS. You'd be giving up some control in that case, but then at least the IT issues would no longer be your problem.
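The checks described in this post (which resolver each interface is really using, whether a name fails only through the pfSense/PiHole resolver or through public resolvers too, interface metrics for wired versus Wi-Fi, and the clock-skew lead raised earlier in the thread) as one added PowerShell script. This is example code written for this thread, not from any poster or from pfSense; the interface aliases ('Wi-Fi', 'Ethernet'), the test hostname and the metric values are assumptions to adjust for the machine in question.

```powershell
# Added example: Windows 10/11 DNS-vs-connectivity triage, run in an elevated PowerShell.
# Assumptions: interface aliases 'Wi-Fi' and 'Ethernet', test name www.reddit.com (the site
# the original post could not reach), and the public resolvers mentioned in the thread.
$TestName  = 'www.reddit.com'
$Resolvers = @('8.8.8.8', '1.1.1.1')

function Test-Resolver {
    # Query one resolver directly (bypassing the local cache) and report success/failure.
    param([string]$Name, [string]$Server)
    try {
        $r = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction Stop
        $a = $r | Where-Object Type -eq 'A' | Select-Object -First 1
        [pscustomobject]@{ Server = $Server; Ok = $true;  Answer = $a.IPAddress }
    } catch {
        [pscustomobject]@{ Server = $Server; Ok = $false; Answer = $_.Exception.Message }
    }
}

# 1. Which resolver is each interface actually using (pfSense LAN address, PiHole VM, or something stale)?
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# 2. Compare the configured resolver against public ones.
#    "configured fails, public works" points at pfSense/PiHole; "all fail" points below DNS
#    (routing, NAT, or the modem); "all work but browsing still fails" is not DNS at all.
$configured = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses | Select-Object -First 1).ServerAddresses[0]
@($configured) + $Resolvers |
    ForEach-Object { Test-Resolver -Name $TestName -Server $_ } | Format-Table -AutoSize

# 3. Interface metrics: when both wired and Wi-Fi are up, the LOWER metric wins.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object ConnectionState -eq 'Connected' |
    Select-Object InterfaceAlias, InterfaceMetric, AutomaticMetric | Format-Table -AutoSize

# 4. Optional: pin the preference the post suggests (Wi-Fi preferred, Ethernet given the higher
#    number). Uncomment only after confirming the aliases printed in step 3.
# Set-NetIPInterface -InterfaceAlias 'Wi-Fi'    -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 10
# Set-NetIPInterface -InterfaceAlias 'Ethernet' -AddressFamily IPv4 -AutomaticMetric Disabled -InterfaceMetric 50

# 5. Clock skew: TLS handshakes and game logins fail when the clock is minutes off.
#    A large offset here explains "works after I fixed the clock" episodes.
w32tm /stripchart /computer:time.windows.com /samples:1 /dataonly
```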
 

Adcadet (Storage Freak; joined Jan 14, 2002; 1,873 messages; location 44.8, -91.5)
I'm not sure how often my kids' computers switch from wired to Wifi, and I'm not completely sure that's the issue. My youngest reported an issue yesterday, but I was at work and my on-site tech support person doesn't do computers.

Reading through this thread again, I'm inclined to just reinstall the router OS, but taking a single point of failure offline without a backup makes me nervous. Hence the question about using my Mikrotik switch as a router or getting a dedicated Mikrotik router (or two).

I've seen Ubiquiti used and it's slick, but manually checking for firmware updates on 4 devices isn't too onerous.
 

Mercutio (Fatwah on Western Digital; joined Jan 17, 2002; 22,799 messages; location I am omnipresent)
I've never tried to use a Mikrotik switch as a router myself; I don't even think I've ever used one of their managed switches with more than 8 ports. I'm sure they CAN, but it would probably take some finagling with the management interface to get it going and that sounds like a PITA.

I do suspect that one or other of your Asus AXwhatevers could ably pull router duty for long enough to reconfigure pfSense though. I know those guys have both router and AP modes.

You could also set up a secondary pfSense router as a Gateway Group in Failover mode. This could be a host on your Proxmox system if you don't want to mess with another physical device.
 

Adcadet (Storage Freak; joined Jan 14, 2002; 1,873 messages; location 44.8, -91.5)
The Asus devices certainly can do simple routing duty, and one of them did in the past for me. But then I get nervous trusting my whole network to a flimsy piece of plastic marketed to 13 year olds that also did Wifi, so I turned it into an access point only.

I have not been excited to use Mikrotik products for anything other than relatively dumb hardware. The UI seems to have gotten a facelift (https://mikrotik.com/software) but I remain skeptical. They're out of Latvia and I know of a large company that had security concerns for a product on the network that come out of eastern Europe (I know, very broad brush strokes here).

For my level of routing, since I'm not doing packet inspection or VPN, do I need anything with actual computing power, or would the simplest device work fine? What do people install these days for a small business that needs a network? Just a combined cable modem + router + WiFi access point + switch (e.g., Motorola MG8702)? I don't love my router also doing Wifi duty, since it's locked away in a small utility room and I have a nearby access point that isn't nearly as RF shielded. But simplifying my hardware sounds good, especially if cheap enough that I can have a second on the shelf ready to go in case of failure.
 

Adcadet (Storage Freak; joined Jan 14, 2002; 1,873 messages; location 44.8, -91.5)
Anyone have experience with the Ubiquiti Cloud Gateway Ultra? $130, so cheap enough that I could get two if I remain paranoid. Setup is advertised to be easy (seems consistent with what I've seen in a business that uses their stuff).
 

Mercutio (Fatwah on Western Digital; joined Jan 17, 2002; 22,799 messages; location I am omnipresent)
I have two UBNT and two Omada sites. Omada is cheaper, but it's a Chinese company and the US Government keeps telling people not to trust it. Ubiquiti costs more, but has a broader ecosystem that includes things like NAS and PoE cameras. It is also sometimes hard to find someplace that has the full range of hardware available for sale, and something I REALLY didn't appreciate was that the company abandoned a lot of older hardware in about 2022.

I'd definitely say that pfSense is more flexible overall than either solution, but more complexity probably isn't what you're looking for in your life right now.
 

sedrosken (Florida Man; joined Nov 20, 2013; 2,075 messages; location Eglin AFB Area; website sedrosken.net)
We use a lot of Ubiquiti in our shop and I can vouch for it -- everything I need (and most of the stuff I want, too) and it's honestly pretty straightforward. You have advanced settings if you really want them, but the defaults are pretty sane. If you get the CGU, it can manage your APs and switches for you (though they also have to be Ubiquiti products). I've heard Ubiquiti referred to as the "Apple of Networking" and I find it's really not a bad descriptor, though they are noticeably more flexible than Apple products ever were.

I've legitimately been tempted to switch over myself especially as my Netgear business AP starts to age and never really had amazing throughput to begin with. Plus, I find my pfSense implementation needlessly obtuse -- I have to have certain special outbound NAT rules for stuff to work that I'm fairly sure are default on everything else. I also really want one of their nice managed switches, but I could hobble along with setting the native LAN on each port of the firewall and using my existing dumb switches attached to each if I needed to... I'd love PoE but I don't really need it but for maybe one device, so really the handful of injectors I've got around would suffice...

The thing for my home LAN is, though, that I can always think of better things to spend the money on.
 

Adcadet (Storage Freak; joined Jan 14, 2002; 1,873 messages; location 44.8, -91.5)
Thanks, Merc and sedrosken. I'll go with Ubiquiti and see how it goes. I appreciate the description of "Apple of Networking" as that is sort of the level I'm at. I'm happy to screw around with my Proxmox server and other bits, but my TrueNAS storage server and networking infrastructure just need to work.
 