Koozali.org: home of the SME Server

Windows browsing problem on SME10.x

trevorh

Windows browsing problem on SME10.x
« on: August 01, 2024, 01:08:17 AM »
Good Morning, we run two SME 10.x servers at two separate locations, linked via an always on VPN connection. Each server operates in Server – Gateway mode with two NICs and both support a small local network. Both Servers were clean new installs of version 10, then updated as these were released. Most clients are Linux Mint and generally are fine. We do have a few Windows machines, both physical and also three W7 VMs for specific apps.

The issue we have is that on both networks Windows machines have issues browsing the internet. Linux PCs browse fine, most times Windows PCs will not browse, but all can ping their respective SME server fine.

Over the past week we have installed (one at each Site/Server) a new installation of Windows 11. For both, during the MS setup process, the PC could not detect it had an internet connection at all. Once the offline installation was completed we could ping the local SME Server fine on both PCs. No browsing was possible on either. We enabled SMB1 on one W11 machine, disabled Windows Firewall, no change.

On some Windows machines they will show in the Tray that they are connected to the internet, yet they cannot browse. Pages simply time out. On one SME Server we did try setting up a Corporate DNS pointing to Google 8.8.8.8. Restarted server & workstation, no change. On one W10 and W11 machine we tried enabling SMB1, also no change.

Sometimes changing a setting such as disabling Windows Firewall and then browsing will work, thinking – ah, fixed, yah! But then a few minutes later pages on that same machine will again just time out. Generally we are using Firefox, but have tried several other browsers with the same results.

Can anyone point us in the right direction please, we are out of ideas (and technical depth....). Thanks   

Stefano

Re: Windows browsing problem on SME10.x
« Reply #1 on: August 01, 2024, 11:46:28 AM »
Quote
The issue we have is that on both networks Windows machines have issues browsing the internet. Linux PCs browse fine, most times Windows PCs will not browse, but all can ping their respective SME server fine.

Well, first of all: from a Windows PC, can you ping an external IP?
Can you resolve names?
Which DNS are you using on the Windows PCs?
Is there any firewall in your network?

trevorh

Re: Windows browsing problem on SME10.x
« Reply #2 on: August 02, 2024, 10:35:21 AM »
Hi Stefano, sorry for the delay, away working. The Windows 11 PC can ping Google 8.8.8.8 ok. It times out when trying to browse a web page and also gets no reply when pinging a domain name (trademe.co.nz). A Linux PC on the same network can ping trademe.co.nz ok, and browses ok. A Windows 7 PC on the same network also times out when trying to browse.

DNS on this SME Server is set to Corporate DNS and 8.8.8.8. Tried disabling the Windows 11 firewall; that resulted in Windows reporting in the tray that it's online, but it still can't browse nor access the Windows Update facility. There are no aftermarket firewalls installed, just the SME default setup and the Windows default setup (which we have tried disabling with no change).

The issue only affects Windows PCs, and seems to affect all Windows versions which we have, so W7, W10 Pro, W11 Pro. Many thanks for your suggestions, regards Trevor

trevorh

Re: Windows browsing problem on SME10.x
« Reply #3 on: August 02, 2024, 10:38:17 AM »
Just tried pinging 8.8.8.8 from the W7 box, that works fine. Pinging trademe.co.nz times out. So same result W7 and W11. Thanks

Stefano

Re: Windows browsing problem on SME10.x
« Reply #4 on: August 02, 2024, 10:42:45 AM »
OK, just for a test, set the DNS on a Windows client to 8.8.8.8 and check if name resolution works.
If so, we must investigate your setup.
Please share other info about your network (subnet, netmask, gateway, DNS and so on).
Thank you.

trevorh

Re: Windows browsing problem on SME10.x
« Reply #5 on: August 03, 2024, 12:06:40 PM »
Hi, set the W100 DNS to 8.8.8.8. Can ping that address ok from the W11 machine, but still cannot ping a domain name, request times out. Thanks

ReetP

Re: Windows browsing problem on SME10.x
« Reply #6 on: August 04, 2024, 12:49:38 AM »
As Stefano rightly says, it will help to actually document your network settings and particularly your VPN setup so we're not guessing.

Also include any upstream routers, DNS etc.

Have a look at the debug reports in server manager. You can post them somewhere.

Also see "documenting things" here - audit tools help.

https://forums.koozali.org/index.php/topic,54724.0.html

My gut feeling is your routing is getting messed about by VPNs. Have you tried disabling the VPN?

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

trevorh

Re: Windows browsing problem on SME10.x
« Reply #7 on: August 18, 2024, 10:14:42 AM »
Regarding my issue where various Windows versions can't browse the web on either of our two different SME 10.1 servers & networks we operate, I decided to try and simplify the mix to see if I could work out the issue without making ad hoc changes on our production servers.

Steps were as follows:
Downloaded a new version of Koozali SME Server 10.1 from the web site.
Set up a spare machine with 2x 2TB Drives, mirrored pair.
Created a bootable USB stick & installed the new SME 10.1 onto this spare machine.
Set all relevant settings to the same as one of our production servers, so Server – Gateway, no VPN or other add ons were installed.
No Contribs were added at all, so just a totally standard SME install, two NICs, generally taking all default options.
Server operated as Server Gateway, connecting to the internet via Starlink

Initially the new server was not patched, access was then tested but it was not possible for W11 PCs to connect to the Server via the local area network.
The new SME Server was then patched with all recommended updates via Software Update, reconfigured & restarted.
W11 PCs could now connect to the Server via the LAN ok.

PCs running W11 and all other versions of Windows we have could also browse the internet ok.
Started changing settings one by one to match the settings on our production server.
The W11 and other Windows PCs could no longer browse after we changed the DOMAIN from RESOLVE LOCALLY to INTERNET DNS SERVERS. Reversed the change back to the default settings, restarted, and browsing again worked.

On our Production Server we normally have the DOMAIN set to INTERNET DNS SERVERS as the web addresses are valid actual live web sites which we have to be able to access. We have also tried setting Corporate DNS Settings and pointing these to Google. Same result, Windows PCs could not browse.
 
So – setting DOMAIN to anything other than RESOLVE LOCALLY stops all Windows PCs from browsing – on a bog standard SME 10.1 installation. We tested Windows 7, Win10 and W11 PCs, same result with all.

We then changed our Production Server's DOMAIN settings to RESOLVE LOCALLY, restarted all Servers and PCs, and all Windows PCs can now browse fine (as can our Linux Workstations). The RESOLVE LOCALLY setting was not required to allow Linux Mint (current version) to browse; these always worked just fine.

I am unsure if the DOMAIN settings issue is actually a fault, or whether it's related to some other issue and just makes an apparent fix. Maybe there is something else going on under the hood and the DOMAIN settings change just makes it work for whatever reason!

So at this stage we have our primary problem solved, although it does create an issue for us to access and maintain our external web sites. We did try a VPN connection from a PC to a remote country using ExpressVPN and tried accessing the external web site but the domain address was still captured locally by the SME Server.

Many thanks for the suggestions re this problem, and any further thoughts anyone may have. 

ReetP

Re: Windows browsing problem on SME10.x
« Reply #8 on: August 18, 2024, 10:58:25 AM »
If your local domain is say

mydomain.com

But you have a host elsewhere, e.g.

www.mydomain.com

Leave DNS set to local (the preferred choice) and add the host in the Hosts section with the remote IP so SME knows it is off site.

I have loads of these with specific sites hosted in different places.

Other thoughts.

Quote
Server operated as Server Gateway, connecting to the internet via Starlink

Ahhhhh. Ok.

Are these websites totally remote or on the other end of the vpn?

What traffic goes over the VPN? Purely site to site or does one site route everything via the other?

Is there anything else that could block 8.8.8.8, e.g. Starlink? Have you checked the firewall logs?

You may need to supply some diagrams to clarify your networking & routing.

mmccarn

Re: Windows browsing problem on SME10.x
« Reply #9 on: August 18, 2024, 03:01:57 PM »
Apologies in advance if this turns out to be off target....

Up-to-date versions of Firefox, Edge, and Chrome use DNS over HTTPS (DoH) by default, which adds an extra layer of complexity.

DoH will use a public server for all lookups - even local hosts - from within the browser - and will only query the local DNS if the DoH lookup fails and the browser DoH settings allow fallback to local DNS.

You can disable DoH individually, browser by browser, or you can disable it by creating a canary domain on your DNS server.


Reference Info
* Canary domain - use-application-dns.net
* Disable DNS over HTTPS on enterprise browsers
* How does Firefox handle split-horizon DNS?
* Configure DNS over HTTPS protection levels in Firefox
* Enable or Disable Secure DNS over HTTPS (DoH) in Microsoft Edge

If your SME servers are providing local DNS then creating the domain "use-application-dns.net" in server-manager set to "Resolve locally" satisfies the canary domain requirement.

Here are the resulting settings on my SME server:
Code:
# db domains show use-application-dns.net
use-application-dns.net=domain
    Content=Primary
    Description=DoH Canary Domain
    Nameservers=localhost

# these host entries are created automatically by SME but don't cause any issues
# db hosts show |grep use-application-dns.net
ftp.use-application-dns.net=host
mail.use-application-dns.net=host
office.use-application-dns.net=host
proxy.use-application-dns.net=host
wpad.use-application-dns.net=host
www.use-application-dns.net=host
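To make the canary mechanism concrete, here is an added example (not from this post or from SME Server) that builds the A query a browser sends for use-application-dns.net and classifies a resolver's reply the way the canary check does; the decision rule it assumes (NXDOMAIN or SERVFAIL, or a NOERROR reply carrying no A/AAAA record, means the network opts out of DoH, while a reply with an address means DoH stays on) is taken from Mozilla's canary documentation, and the two replies it parses are constructed inline so it runs offline.

```python
import struct

CANARY = "use-application-dns.net"

def build_query(name, txid=0x1234):
    """Standard A query with RD set, RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def skip_name(buf, pos):
    """Advance past a (possibly compressed) name, return the offset after it."""
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1
        if length == 0:
            return pos
        pos += length

def classify(query, response):
    """Read the resolver's reply the way Firefox's canary check does (assumed
    rule: NXDOMAIN/SERVFAIL or no A/AAAA record = opt out; an address = DoH on)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch, reply does not belong to this query")
    rcode = flags & 0x000F
    if rcode in (2, 3):
        return "opt-out (rcode %d): canary honoured, browser disables DoH" % rcode
    pos = 12
    for _ in range(qd):              # skip the echoed question section
        pos = skip_name(response, pos) + 4
    addr_records = 0
    for _ in range(an):              # count A (1) / AAAA (28) answers
        pos = skip_name(response, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10 + rdlen
        addr_records += rtype in (1, 28)
    if addr_records:
        return "canary resolves to an address: DoH stays enabled"
    return "NOERROR with no A/AAAA record: canary honoured, browser disables DoH"

# Constructed replies for offline use: same header layout, question echoed back.
QUERY = build_query(CANARY)
NXDOMAIN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUERY[12:]
A_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]
           + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
```

Feeding classify() a reply captured from the SME server's LAN address on UDP port 53 shows what your own resolver actually returns for the canary, rather than what the configuration is meant to return.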

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)

Re: Windows browsing problem on SME10.x
« Reply #10 on: August 18, 2024, 03:32:11 PM »
I suggest you follow mmccarn's suggestion for DoH.

Also pay attention that a Linux distro might also use its own DNS resolver.

However, looking at the fact it works when the domain is set as resolve locally and not when set as resolved from the internet, this points more likely to:
1- DNS not set correctly at your registrar
2- the setting on how your SME server gets remote DNS info to redistribute to your local machines is either blocked by your provider, or your third party DNS provider is flaky.


What is not clear in your description is whether it affects only browsing to your domain or any domain.

trevorh

Re: Windows browsing problem on SME10.x
« Reply #11 on: August 18, 2024, 11:41:55 PM »
Good Morning
Many thanks for the various thoughts, comments & suggestions. I will work through these over the coming days.
Some of these do get beyond my tech ability but will see how we go.

A few points worth noting in relation to comments atm.
We can ping 8.8.8.8 reliably from both LANs.
The test server setup (new install as above) was connected via Starlink. That test machine allowed Windows PCs to browse via the Starlink connection fine until we set the SME Server to resolve DNS Remotely.
Our remote site Server connects via a local ISP via max speed Fibre, the symptoms re browsing were identical on both networks, so I discounted any issues relating to the ISPs as they are totally separate and utilize different tech.
The Windows browsing issues were for all external domains, so when attempting to access any external domain using current versions of Firefox, Chrome or Edge the pages simply time out, we tested various domains to ensure one was not simply offline etc.
Even though the Windows PCs generally reported they had an internet connection (indicator in the tray) with the Domain set to resolve Remotely they still timed out on all external domains with Resolve Remotely enabled on the SME Servers.
On our two production servers the VPN connection between them is always on, but is only used to copy occasional files manually and run overnight data synchs and backups between the machines. Everything else is resolved locally, not via the VPN. An exception is we use Remina or NoMachine at times to access workstations at the remote site, but this is only occasional.     
As the two ISPs we connect to are totally different configurations, technologies & even based in different countries, this would seem to indicate it's not an ISP related issue.
The two production sites use different domain names, one is registered via a US registrar, the other via an NZ registrar. However BOTH these domains are hosted via Rochen on US based servers. So there is a common factor there.
I don't understand the tech enough to know what to check in relation to that, or ask Rochen about in relation to their settings, or if indeed that may relate to the issue.

Regards Trevor

ReetP

Re: Windows browsing problem on SME10.x
« Reply #12 on: August 19, 2024, 08:30:55 PM »
Quote
Up-to-date versions of Firefox, Edge, and Chrome use DNS over HTTPS (DoH) by default, which adds an extra layer of complexity.

Also for reference FF policy templates are here:

https://github.com/mozilla/policy-templates

Of course they are always some way behind in what you can enable/disable but gets shot of a lot of their nonsense :-(

On *buntu

Code:
sudo nano /usr/lib/firefox/distribution/policies.json
Code:
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled":  true | false,
      "ProviderURL": "URL_TO_ALTERNATE_PROVIDER",
      "Locked": true | false
    }
  }
}

And this...

Quote
If your SME servers are providing local DNS then creating the domain "use-application-dns.net" in server-manager set to "Resolve locally" satisfies the canary domain requirement.

Nice one :-)

ReetP

Re: Windows browsing problem on SME10.x
« Reply #13 on: August 19, 2024, 08:35:14 PM »
Quote
The Windows browsing issues were for all external domains, so when attempting to access any external domain using current versions of Firefox, Chrome or Edge the pages simply time out, we tested various domains to ensure one was not simply offline etc.

Likely not Firefox DoH then.

FWIW IPv6 anywhere?