My apologies for the previous reply post to ask this new question.
I have a home network that appears to stop working whenever the ISP connection to the outside world is dropped. I am not sure why or how to remedy it which is why I am posting here.
I have 5 linux workstations on the internal network: 3 MINT 18, 1 XUbuntu, and 1 UbuntuStudio, all the latest versions. 3 of the workstations (all the MINT ones) dual boot to Win 7 Pro as well. I also have a dedicated Ubuntu server on the network (also the latest Ubuntu version).
The ISP connection (being in a rural area) is a cellular voice/data hub. The data connection from the hub feeds the hot or RED NIC input to the dedicated firewall machine, Smoothwall Express. The GREEN or LAN side output from the Smoothwall machine then feeds a couple of Gigabit Ethernet smartswitches connecting to the network workstations, server, smart TVs and a Canon MP620 networked printer.
The Smoothwall dhcp server capabilities are set up to assign IPv4 addresses to each permanently connected LAN device with a reserved IPv4 address based on the device's MAC address.
All network devices have the Smoothwall specified as the 1st dns address as well as gateway device. The second dns device is the IPv4 address assigned to the ISP voice data hub which is the gateway for the smoothwall machine. A third alt dns address is Google's public dns at 8.8.8.8.
Under normal serviceable connections all is well; however, if I lose the ISP connection everything running linux appears to get bogged down as if it was waiting for long timeouts of some sort, and if Win 7 Pro is running the IP address assigned to the NICs in those machines gets changed from the initially assigned class C address to the default windows 169 series, and of course the networking quits working on them as well.
What I am trying to find out is: if the smoothwall is acting as a local dhcp server, a local dns caching server as well as the gateway, why is everything grinding to a halt whenever the ISP connection goes down, and what can I do to prevent it from stopping functions in the future?
All machines have full local network addresses specified in hosts, host.sam files and the order of precedence is to resolve using those files first then dns.
When ISP connection is down the linux boxes are all able to see the NFS shares by using the host file info but samba and windows boxes just go south for some reason.
Any tips or help is appreciated.
On 2016-11-21 c0l0nelFlagg wrote:
> What I am trying to find out is: if the smoothwall is acting as a local dhcp server, a local dns caching server as well as the gateway, why is everything grinding to a halt whenever the ISP connection goes down, and what can I do to prevent it from stopping functions in the future?
You're right, it's almost certainly a DNS problem.
A caching DNS name server (NS) isn't good enough, as many domains have short-ish TTL timeouts. In any case, if "local" operations are bogging down when the net is down, the issue is probably your serving-up of local DNS names.
Do you use dynamic DNS (usually via DHCP) so that you can use the names you assign on each computer to access each other on the network? Or even assign them statically on the local DNS server. Are they set up to update the DNS for your top-level domain, or a subdomain? Seeing your DNS zone files might help if you can paste them.
I have a similar setup but I use a home-brew linux firewall and have carefully set up DNS to have both a valid "internal view" for local computers to register their names with, and a separate "external view" for outside-world users to use.
I have no experience with smoothwall, but if you can root ssh into it, you can check out the DNS conf/zone files to see how it is setup.
Oh ya, your problem could also just be that you should not have a secondary or tertiary DNS set on the clients that point to the outside world. This could cause programs to time out longer than they have to. They must suffer 3 timeouts (possibly 30-60s each?) as they step through all DNS servers. For clients it is sufficient to specify your firewall as the only DNS server.
> When ISP connection is down the linux boxes are all able to see the NFS shares by using the host file info but samba and windows boxes just go south for some reason.
If you have properly set up local authoritative DNS on the firewall you should never need to use a host file (long obsolete). What you write above further proves that the problem is DNS related.
Samba and Windows (esp older ones) should be using broadcast NMB for name lookups first, so as long as one box is a DMB/LMB it should still work. Newer Windows might try DNS first. I assume you're NATing on the firewall (internal addresses are 192.168 or 10...), so one of your local boxes should be the DMB/LMB. How are you specifying the other boxes in Windows? Just \workstation2\ ?? Are you using workgroup mode, or domain mode?
If you can ssh into that smoothwall and run tcpdump you could snarf all the packets into a file and look at them on a workstation to see what exactly is being sent (and not getting a reply).
Try getting rid of your 2nd/3rd DNS entries first and you can always report back with more info.
Thanks for the tips highlighted below; I will give them all a close look here and see if I can realize some success.
On 2016-11-21 11:51 PM, Trevor Cordes wrote:
> On 2016-11-21 c0l0nelFlagg wrote:
>> What I am trying to find out is: if the smoothwall is acting as a local dhcp server, a local dns caching server as well as the gateway, why is everything grinding to a halt whenever the ISP connection goes down, and what can I do to prevent it from stopping functions in the future?
> You're right, it's almost certainly a DNS problem.
> A caching DNS name server (NS) isn't good enough, as many domains have short-ish TTL timeouts. In any case, if "local" operations are bogging down when the net is down, the issue is probably your serving-up of local DNS names.
> Do you use dynamic DNS (usually via DHCP) so that you can use the names you assign on each computer to access each other on the network? Or even assign them statically on the local DNS server. Are they set up to update the DNS for your top-level domain, or a subdomain? Seeing your DNS zone files might help if you can paste them.
Yes, the smoothwall firewall PC runs as a dhcp server. For permanent local LAN connections, though, it serves up reserved IP addresses based on the MAC address asking to be assigned an IP address when it first connects to the network. Any other temporary visitors, with a laptop say, get assigned a random IP address from within the preset range of available addresses that are not in the reserved list.
The local network is not assigned a domain name instead just runs with default localdomain settings. Basically runs in a peer-to-peer workgroup fashion.
> I have a similar setup but I use a home-brew linux firewall and have carefully set up DNS to have both a valid "internal view" for local computers to register their names with, and a separate "external view" for outside-world users to use.
Do you have a link to a blog or tutorial web site on setting this up?
> I have no experience with smoothwall, but if you can root ssh into it, you can check out the DNS conf/zone files to see how it is setup.
OK, will take a look at these as well.
> Oh ya, your problem could also just be that you should not have a secondary or tertiary DNS set on the clients that point to the outside world. This could cause programs to time out longer than they have to. They must suffer 3 timeouts (possibly 30-60s each?) as they step through all DNS servers. For clients it is sufficient to specify your firewall as the only DNS server.
>> When ISP connection is down the linux boxes are all able to see the NFS shares by using the host file info but samba and windows boxes just go south for some reason.
> If you have properly set up local authoritative DNS on the firewall you should never need to use a host file (long obsolete). What you write above further proves that the problem is DNS related.
> Samba and Windows (esp older ones) should be using broadcast NMB for name lookups first, so as long as one box is a DMB/LMB it should still work. Newer Windows might try DNS first. I assume you're NATing on the firewall (internal addresses are 192.168 or 10...), so one of your local boxes should be the DMB/LMB. How are you specifying the other boxes in Windows? Just \workstation2\ ?? Are you using workgroup mode, or domain mode?
Everything is just workgroup mode to avoid the need to configure PDC/BDCs.
> If you can ssh into that smoothwall and run tcpdump you could snarf all the packets into a file and look at them on a workstation to see what exactly is being sent (and not getting a reply).
> Try getting rid of your 2nd/3rd DNS entries first and you can always report back with more info.
On 2016-11-22 c0l0nelFlagg wrote:
>> Do you use dynamic DNS (usually via DHCP) so that you can use the names you assign on each computer to access each other on the network? Or even assign them statically on the local DNS server. Are they set up to update the DNS for your top-level domain, or a subdomain? Seeing your DNS zone files might help if you can paste them.
> Yes, the smoothwall firewall PC runs as a dhcp server. For permanent local LAN connections, though, it serves up reserved IP addresses based on the MAC address asking to be assigned an IP address when it first
That's the DHCP side. You can also usually assign a name in BIND/named (if that's what smoothwall uses) to go with a static-MAC IP address in dhcp. It might already be doing this.
Again, how are you referring to computerA from computerB, say for Windows file sharing? \computerA\myshare ?? or by IP address \192.168.0.11\myshare ??
> The local network is not assigned a domain name instead just runs with default localdomain settings. Basically runs in a peer-to-peer workgroup fashion.
OK, that should make things easier and rule out weird domain-based name issues.
>> I have a similar setup but I use a home-brew linux firewall and have carefully set up DNS to have both a valid "internal view" for local computers to register their names with, and a separate "external view" for outside-world users to use.
> Do you have a link to a blog or tutorial web site on setting this up?
Setting up a complete home-brew firewall? That's a non-trivial exercise, though there probably should be some good google hits to get you started. Most people would probably recommend using a pre-made linux firewall distro, though I'm not sure what the names of those are these days. Maybe smoothwall is one of them? Personally, I'd build one myself for supreme customization, but trust me it'll take a lot of time and learning and tinkering.
As for just setting up dual views for DNS in BIND, there's a ton of tutorials on that out there. Just search for "bind dns internal external views". Though you need a somewhat recent BIND version on your box to do that.
>> Oh ya, your problem could also just be that you should not have a secondary or tertiary DNS set on the clients that point to the outside world. This could cause programs to time out longer than they have
The above is really key... I strongly recommend you do this before anything else... get rid of all outside DNS server references except on your firewall. It might fix all your problems without having to do anything else!
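An added example, not from the thread, that puts numbers on Trevor's point about client-side secondary/tertiary resolvers (raised in his first reply and repeated above): a Python script that reads a client's resolv.conf the way glibc's stub resolver does (assuming glibc's defaults of a 5 s timeout, 2 attempts and at most three nameservers) and estimates how long each lookup stalls once the off-LAN servers stop answering. The 192.168.1.0/24 LAN prefix and the three addresses are constructed to mirror the setup described in the thread.

```python
import ipaddress
from dataclasses import dataclass, field

# glibc stub-resolver defaults from resolv.conf(5): 5 s per try, 2 tries,
# and at most three nameserver lines are used.
DEFAULT_TIMEOUT, DEFAULT_ATTEMPTS, MAXNS = 5, 2, 3

@dataclass
class ResolvConf:
    nameservers: list = field(default_factory=list)
    timeout: int = DEFAULT_TIMEOUT
    attempts: int = DEFAULT_ATTEMPTS

def parse_resolv_conf(text):
    """Read nameserver/options lines the way the stub resolver does."""
    cfg = ResolvConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            cfg.nameservers.append(args[0].split("%", 1)[0])  # drop IPv6 scope id
        elif key == "options":
            for opt in args:
                name, _, val = opt.partition(":")
                if name == "timeout" and val.isdigit():
                    cfg.timeout = min(int(val), 30)  # glibc caps timeout at 30
                elif name == "attempts" and val.isdigit():
                    cfg.attempts = min(int(val), 5)  # glibc caps attempts at 5
    cfg.nameservers = cfg.nameservers[:MAXNS]
    return cfg

def off_lan_servers(cfg, lan_prefix):
    """Nameservers outside the LAN, i.e. the ones that vanish with the ISP link."""
    lan = ipaddress.ip_network(lan_prefix)
    return [ns for ns in cfg.nameservers if ipaddress.ip_address(ns) not in lan]

def worst_case_stall(cfg, lan_prefix):
    """Seconds one lookup can hang with the ISP link down. Model: the LAN
    server fails the query quickly (SERVFAIL), then the resolver walks every
    remaining server in order, `attempts` times, waiting `timeout` seconds
    for each one that never answers."""
    return len(off_lan_servers(cfg, lan_prefix)) * cfg.timeout * cfg.attempts

# Constructed client config mirroring the thread: firewall, ISP hub, Google DNS.
BEFORE = "nameserver 192.168.1.1\nnameserver 192.168.0.1\nnameserver 8.8.8.8\n"
# Trevor's advice: the firewall as the only resolver.
AFTER = "nameserver 192.168.1.1\n"
```

With the three-server config every failing lookup can stall for 20 s under glibc defaults, and a program doing several lookups in a row feels "bogged down"; with the firewall alone the stall drops to zero and the firewall answers (or refuses) immediately.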