One WiFi Access Point no internet access, another has internet (EAP245)

Please follow the below template, it will help us to help you!

Expected Behaviour:

Set Router DNS to PiHole static IP, get faster, cleaner internet on all devices wired or wireless.

Actual Behaviour:

Devices connected to one of the two identical access points don't have internet access.

Debug Token:

Pending -> PiHole taken offline to look for options prior to exhausting the WAF.

Long Story:

I've a Mikrotik Hex S and a few POE network switches. I set up PiHole on a RPI2 hard wired to a port on the router and updated the DNS servers to ONLY include the PiHole static IP. I am using the router as the DHCP server. If I plug either WAP (EAP245) into a long run with an unmanaged POE switch, I get internet access on any device connected to it. If I plug either WAP into the HEX S directly through a POE Injector, devices connected to that WAP do NOT have internet access. I've swapped the WAPs, replaced cables, swapped injectors, even tried another POE switch... I cannot get both WAPs to provide internet access while the PiHole is set up. While connected to the "no internet" WAP, I can visit the PiHole admin page. Any suggestions before I plug it back up and try again? I'm running low on WAF and need a plan of action prior to re-enabling PiHole.

Your problem is most likely related to the "listening behavior" on the /admin/ page (set on one interface - maybe eth0)

Change it to listen to all, allow all origins and try it again once you connected all the hardware the way it's supposed to be connected.


@RamSet I'd had it set to "Listen on all interfaces" but I changed it to "Listen on all interfaces, permit all origins" and reconfigured DNS on my router. Again I lost internet connectivity on the devices connected to that WAP. I ran debug from the admin page. Also, THANK YOU for helping!

Debug key: 070oqgxxop

You are throwing the whole network into a loop with this:
PIHOLE_DNS_3=192.168.1.1#53

I see that the router itself is pointing at 192.168.1.4, which based on that setting points at 1.1, which loops back to 1.4, and on and on.

You need to remove that as it chokes the requests in an endless loop.

Everything else is working fine on the Pi-hole side.

What you can do is see if an nslookup google.com resolves via 1.4 on one of the clients that's not working (properly).


Ah. I'd added my router to the upstream DNS list... probably misread that on the forum. Removed it and still having the same problem. I've run debug again just to see if you notice anything else or if it's still doing it (my router is issuing itself as a DNS server, even though I've only got the PiHole setup in the config).

new debug token: v3nzvjicof

Can you share the network configuration (status screen) of one of the clients that's not working ?
It's fine if the router provides its IP as the DNS to the clients.

Can you please explain again, from a simple connection perspective your topology ?
As in:

ISP in router 1.
Router 1 hardwired Pi-hole and hardwired Router 2.
Devices connected to Router 1 are all working just right.
Whatever is in Router 2 does not work.

Did I get that right ?

I do believe there is a networking (settings) problem as Pi-hole is working as expected.

The debug token provides information related to the Pi-hole environment and Pi-hole settings. Nothing beyond that. Can't really see where and how the network is setup past the Pi-hole hosting device.

What's the output of the nslookup command on the client that's connected to the non working AP ?

Could be that the Mikrotik does not play well with allowing DNS requests from within the LAN.
Maybe DNS Rebind/Hijacking protection settings?


Absolutely, thanks!

I've the ISP coming into Ether1 on the Mikrotik Router. Ether2 runs across my home to an unmanaged POE switch with WAP1 (working) plugged into it. Ether3 runs to the managed POE switch (or the injector, which I took out since it didn't help). WAP2 is currently plugged into port1 of the POE switch, other hard wired devices are on that switch working fine.
Broken chain: ISP -> Router port 1 -> Router port 3 -> POE Switch -> WAP2 (EAP245)
Working chain: ISP -> Router port 1 -> Router port 2 -> POE Switch -> WAP1 (EAP245)
*I tried swapping the WAPs, and swapping ports on the router to the WAPs, as well as using a POE injector directly to port 3 on the router. What's killing my brain is the other WAP working fine...

NSLookup had to be via an iOS app, since I only have desktop PCs and they're all wired (some to each of the two POE switches). Everything is working wired as well.


Forgot to mention, the RPI2 is connected to ether4 on the Mikrotik router.

How does it look under settings/WiFi and the :information_source: for the SSID ?

Is WAP2 in relay/repeater mode of WAP1 or does it broadcast a different SSID ?

SSID, gets an IP, subnet and gateway. Under DNS it lists the RPI and the Router. If I manually set 8.8.8.8 as the DNS on the phone everything works (thought it was worth checking!).

Same SSID, different channels for both 2.4GHz and 5GHz and load balanced by the TPLink Omada controller software running on my desktop. The two WAPs are identical and both worked fine before.

I really do appreciate your help! The benefits of PiHole are too great to give up on my end :slight_smile:


Did you take out the Switch (as in bypassed it) ? :slight_smile:

I believe that your managed switch is blocking the DNS requests to go through. See if you can set-up the DNS parameters under the management page on the managed switch, as DNS requests might drop here (coming in from a client but not cascaded/relayed further down the tree).

What if, for testing purposes, you plug WAP2 into a port in the Mikrotik ?

Good thought, however it's a POE WAP and I'd started with a simple injector vs the POE Switch. Prior to the switch I had no internet through the WAP with just the injector either.
ISP -> Router port 1 -> Router Port 3 -> POE Injector -> WAP2

For completeness I will swap the two switches this evening when the family is done "interneting" to see if the issue follows the switch.

Before you move hardware, see if in the settings for the managed switch (I own one that is not in use but I do recall a similar scenario where it would require me to define the DNS downstream from it within the same subnet).

It should be called out in General and Network parameters as DNS...

Fantastic thought again! The TPLink TL-SG108PE doesn't have a setting for DNS. I set up a static IP for the device (IP, subnet, gateway) only.

I see that.

Do you have IGMP Snooping enabled? If yes, try it with it disabled.

It was off on the router, but on at the managed switch (with the no internet WAP). Changed and still have the same issue.

Once more, thank you! I realize this is something AROUND the PiHole or the other WAP and devices wouldn't be working either.

One thing left ... bypass the managed switch and see if that fixes it.
While it’s a L2 switch, it does seem to lack quite a few (needed) features.

I'll swap out for the POE injector that originally didn't work either... because we did make the original changes you recommended. If that doesn't work, I'll try the unmanaged POE switch too. I'll post results.

Thanks @RamSet!

Swapped for the POE Injector, still no internet.
Swapped for the unmanaged switch, still no internet...
I can't figure out where to even look for the problem, so I found a workaround (with one caveat).

Workaround:
On the Mikrotik Firewall, I added a NAT rule for all local addresses to redirect UDP on port 53 to the static IP of the PiHole. This is working (and incredibly fast), with a few potential issues:

  1. I originally set up the network DHCP server to leave some reserved IPs around my router, for the WAPs, switches, PiHoles, etc. When I created the address list I specifically excluded those reserved addresses. If the PiHole was included in this redirect NAT it would have looped when trying to get to the upstream DNS servers.
  2. I was planning on redundancy with the Pi2 being secondary DNS and the more powerful NanoPi Neo2 as primary. Using this firewall rule workaround I'm not sure of a means to do this.

For future reference, I followed the steps for the NAT rule here: DNS Filtering using MikroTik, Pi-hole, and OpenDNS – RFC

Anyone have any thoughts on creating redundancy with this workaround?
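The workaround described above, written out as an added RouterOS example. This is not the poster's actual configuration or the configuration from the linked article; it assumes the LAN is 192.168.1.0/24, the router is 192.168.1.1 and the Pi-hole is 192.168.1.4 (the addresses quoted from the debug log earlier in the thread), and it assumes the reserved infrastructure range the poster excludes is 192.168.1.2-192.168.1.20. The address-list name and rule comments are made up for the example.

```routeros
# Added example (not the poster's own config): MikroTik RouterOS rules that
# transparently redirect client DNS (UDP/53) to Pi-hole.
# Assumed addresses: LAN 192.168.1.0/24, router 192.168.1.1, Pi-hole 192.168.1.4,
# reserved infrastructure 192.168.1.2-192.168.1.20 (WAPs, switches, Pi-holes).

# 1. Address list of client addresses that SHOULD be redirected. The reserved
#    range (router, WAPs, switches, Pi-hole) is deliberately left out: if the
#    Pi-hole's own upstream queries were redirected back to itself you get the
#    same endless loop described earlier in the thread.
/ip firewall address-list
add list=dns-redirect address=192.168.1.21-192.168.1.254 comment="DHCP clients"

# 2. Redirect UDP/53 from those clients to the Pi-hole, whatever resolver the
#    client thinks it is talking to. Queries already addressed to the Pi-hole
#    are left alone.
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 src-address-list=dns-redirect \
    dst-address=!192.168.1.4 action=dst-nat to-addresses=192.168.1.4 \
    to-ports=53 comment="Force client DNS through Pi-hole"

# 3. Hairpin (assumption, see note below): client and Pi-hole share a subnet,
#    so without this the Pi-hole answers the client directly from 192.168.1.4
#    and the client, expecting a reply from the address it queried, drops it.
add chain=srcnat protocol=udp dst-port=53 dst-address=192.168.1.4 \
    src-address-list=dns-redirect action=masquerade \
    comment="Hairpin for redirected DNS"

# 4. Verify: the counters should climb while a client on the affected WAP
#    browses, and the Pi-hole query log should show the requests arriving.
/ip firewall nat print stats where comment="Force client DNS through Pi-hole"
```

Two points on the design. The exclusion in step 1 is what keeps the Pi-hole's own upstream lookups from being caught by the rule; if a second Pi-hole is added later, its address has to stay outside the list as well. The masquerade rule in step 3 is an assumption about the topology rather than something the thread states: it makes the redirected replies flow back through the router so the destination rewrite is undone, at the cost that the Pi-hole then sees every redirected query as coming from the router instead of the individual client, so per-client statistics in the Pi-hole dashboard are lost for redirected traffic. Clients that already use the Pi-hole directly are unaffected by either rule.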