New problem: one subnet sees too many "page cannot be found" errors.

knc

I have a scenario where the ISP comes into a Zyxel router; from there it goes over a hybrid Ethernet-to-fiber link via media converters to a SonicWall TZ400 router. 192.168.0.x on the Zyxel to 10.10.10.x on the SonicWall.

The 10 network has been having LOTS of "page cannot be found" issues lately. So last Friday I set a static IP on a few computers (all Macs, for what that's worth) and used OpenDNS and Google's DNS.

Troubleshooting: I pinged the gateway router on the 192 from the 10 and had not one dropped packet. I pinged 8.8.8.8 and had not one dropped packet, pinged cnn.com and had not one dropped packet.

Took the SonicWall out and installed a Netgear FVS318G router, and I hear today that was dropping web pages.

WTF? This JUST started recently, 2-3 weeks now. No new equipment in place. The Zywall

It looks as if there are NO dropped packets all along the path, but is the Zywall or a switch acting wonky?

This is in a reform school and those little buggers could be running a denial of service inside.. lol.. however they just have iPads.
 
Typically page not found is a DNS issue. So you will probably see no issue with IP based testing. Have you seen this issue yourself? Open terminal and try to ping the same FQDN. It will return the IP even if it fails. Then ping the IP itself. I've seen rogue DNS servers cause this issue.
 
Sounds like a DNS issue. Can you confirm the DNS settings on both routers? Why are there two routers? Can you clear DNS cache on either of them? Is this a Windows Domain?

An admin side and a student side. We were originally running 2 ISPs; we consolidated them and have the 10. subnet for the students. Yes, it definitely sounds like a DNS issue, but the DNS is hard-coded in most of the desktop machines.
 
What switch? We need a full map of this setup.

ISP modem > Zywall 110 router > Zyxel switch (at this point everything is on the 192.168.0.x network, about 60 clients) > fiber link via media converters > SonicWall > Zyxel switch, 10.10.10.x network. The 10.10.10.x network has the appearance of DNS issues, "page not found". Statically assigned IP and DNS on the test computers. While pinging the gateway upstream we never lose a packet, and pinging 8.8.8.8 not one drop.
 
So how is the SonicWall configured? Is it NAT? Is its path to the outside via the Zywall router or that first Zyxel switch? Does the SonicWall have its own IP address on its WAN side, or does it get a 192.168.0.X IP? If you need to isolate both networks from each other, why is this not done at the Zywall itself? That seems to be the place I would have a SonicWall.
 
I took the SonicWall out of the mix and added a Netgear FVS318G router, and the results were the same.. and yes, it had its own IP address.
 
Same question. Why? What is the Netgear doing that the Zywall 110 router isn't? Unless you are plugging that Netgear or SonicWall directly into the modem, you've got a double NAT or double firewall for no purpose.
 
Hey @YeOldeStonecat do you see what I see?

I see the complexity that a double NAT setup of a mixed-brand technology stack can create.

...and if a Nutgear ProSafe router is in the mix...one of the first things I do is throw those in the circular file (garbage can). Can't stand those things...seems like 90% of weird problems and slowdowns..are caused by those.

I see the reason for double NAT...to isolate the staff's network from the students' network. However...if you want to keep double NAT...you have the network backwards for protection. On a double NAT setup, the inside network (10.0.0.0/24) can always browse the outside network (192.168.0.0/24) via IP address, since the WAN port of the 10.0.0.0 network is routing to a 192.168.0.0 network. So those kids can still easily map out the staff network. They can't "browse" it in the 'network 'hood'...but they can access it via IP. So if for some reason you choose to maintain a double NAT setup, and if the office network needs to be protected from the student network...reverse that setup. Students on the outside network, staff on the inside network.

What make/model "modem/gateway/whatever" does the ISP have there? Does it already run NAT itself too? Does it have a web admin page that matches either of your internal networks' IP ranges?

Although I'm against double NAT'ing networks...technically this should work "OK" for web browsing for the second (inside) network...so what I'd do next is update firmware on both routers...and determine what MTU should be used with this ISP..and hard code each router to use the same MTU. Often for DSL it used to be 1492 with PPPoE DSL, and 1500 for cable/T/etc...but many DSL setups are now switching over to non-PPPoE so they're more commonly 1500 also now. I'm wondering if there's a change in something with the ISP that is causing MTU to have a hiccup..and the inside SonicWall router cannot "auto" adjust MTU because it's not directly talking to the ISP on-prem equip. (and auto MTU isn't reliable anyways).

There's definitely no chances of a loop-back happening here? Some second cable doing another uplink 'tween the two?

My advice would be to eliminate the router behind the router...and get a biz grade edge router...and create 2x separate IP networks managed by the router. Keep it separated up there...simplify things, enforce things better, and keep it easier to troubleshoot, and perform better without the many glitches of double NAT.
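The DNS-versus-IP check suggested earlier in the thread and the MTU pinning suggested in this post, as one added shell script (not from anyone in the thread): it resolves a name through several resolvers so a silent or disagreeing resolver stands out, then probes the path with don't-fragment pings stepping down from 1500/1492. The OpenDNS address 208.67.222.222 and the 10.10.10.1 gateway are my assumptions; `dig` and `ping` must be installed.

```shell
#!/usr/bin/env sh
# Added example, not from the thread: separate "DNS is broken" from "path is broken".
# Resolver list is constructed: 8.8.8.8 (Google, from the thread), 208.67.222.222
# (OpenDNS, assumed) and 10.10.10.1 (placeholder for the site's own gateway).
RESOLVERS="8.8.8.8 208.67.222.222 10.10.10.1"

# ICMP echo payload that exactly fills an IP MTU: 20-byte IP + 8-byte ICMP header.
payload_for_mtu() { echo $(( $1 - 28 )); }

# Resolve NAME through each resolver, one line per resolver. A resolver that
# answers differently, or not at all, is the rogue/poisoned-DNS symptom; pinging
# the returned IP afterwards shows whether the path itself is fine.
dns_compare() {
  name=$1
  for r in $RESOLVERS; do
    ip=$(dig +short +time=2 +tries=1 "@$r" "$name" A 2>/dev/null | grep -E '^[0-9.]+$' | head -n1)
    if [ -z "$ip" ]; then
      printf '%-16s %-20s NO ANSWER\n' "$r" "$name"
    else
      printf '%-16s %-20s %s\n' "$r" "$name" "$ip"
      ping -c 1 "$ip" >/dev/null 2>&1 && echo "    ping $ip: ok" || echo "    ping $ip: FAILED"
    fi
  done
}

# One don't-fragment ping of SIZE bytes to HOST; returns 0 if it gets through.
# macOS uses -D for DF and -W in milliseconds, Linux uses -M do and -W in seconds.
df_ping() {
  case "$(uname -s)" in
    Darwin) ping -c 1 -W 1000 -D -s "$1" "$2" >/dev/null 2>&1 ;;
    *)      ping -c 1 -W 1 -M do -s "$1" "$2" >/dev/null 2>&1 ;;
  esac
}

# Walk the candidate MTUs from the post (1500 cable, 1492 PPPoE) downward and
# report the first one that passes unfragmented; that is the value to hard-code.
mtu_probe() {
  for mtu in 1500 1492 1480 1472 1460 1400; do
    if df_ping "$(payload_for_mtu "$mtu")" "$1"; then echo "$mtu"; return 0; fi
  done
  echo "below 1400"; return 1
}

if [ $# -gt 0 ]; then   # usage: sh pathcheck.sh cnn.com 8.8.8.8
  dns_compare "$1"
  echo "largest MTU passing to $2 without fragmentation: $(mtu_probe "$2")"
fi
```

Run it from a machine on the 10.10.10.x side during the outage and again from the 192.168.0.x side; a resolver that only fails from one side points at that hop, while an MTU below 1500 on one side only points at the inner router.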
 
To solve this problem you need to eliminate the router on your fiber connection. It is not needed. Take your SonicWall and place it where the Zywall is now. You configure it as your edge device and as your only NAT router. You plug your local building's switch into X1 and you plug the fiber link into X2. And the other end of the fiber link is that building's switch. Nothing more. Presto, you have one big integrated network. If you really need to have both networks isolated from each other, then you can configure X2 as an isolated VLAN. This will streamline the network and put your best protection at the edge of everything, where it is needed. The SonicWall alone will keep the bad guys out and keep the two halves in their own private networks with full protection.
 
Missed seeing this. Why don't you have that option?
Well, technically I can, if I can find the fiber link from the first building to the middle building, but this scenario just went south on us late last week. Yesterday and today it's been rock solid. No one knows where the Ethernet in one building comes from. This will affect users downstream as they need to be on the 192.168 subnet. I believe I may have found a good fiber run to terminate, and that will solve these questions.

Yeold, there is always a chance of loopback.... and the Nutgear lol was put in place to see if the SonicWall was the issue, and it wasn't. The ISP should not be NATting as we are in bridged mode. If I can get that fiber found and terminated I will pull a second LAN port off of the Zywall and channelize this mess. We need the SonicWall filtering for the proxy sites the kids go to.

They are using iPads for the most part and don't have access to PCs. The iPads are on the Apple DEP management program, so app purchases should not be possible.
 