I try to explain the problem as structured as I can but upfront the whole thing feels “strange”.
I convinced my boss that we revamp our WiFi infrastructure and so we bought 2 Unifi AP LR (33 more will be ordered when the test is successful).
I setup a Ubuntu 20.04.1 LTS server (2 CPU, 4 GB RAM, 25 GB HDD) on our VMWare infrastructure. Installed the latest unifi controller (6.0.45). I created one site with the two APs inside and setup two wireless networks. One for our VLAN1 and one for the new VLAN140 (guest’s).
Company-internal: radius authentication → Only Domain computers (GPO, certificate) can authenticate.
Company-external: guest portal → voucher or domain user can authenticate.
After the setup I tested the guest portal and it didn’t open on external laptops or mobile devices. After a long search for the error, I just disabled the guest setting in the wireless network and the guest portal itself. Waited 5 minutes and re-enabled everything, and suddenly it worked. Today (one they after setup) the problems started again. Mobile device (gets or still has an IP) but no guest portal will open. So the user can’t authorize them self and therefore the device is not authorized and not seen by the hotspot manager.
I triple checked the setup, and the network infrastructure and I don’t know where to look next. Oh, I also see messages on the dashboard (Wifi Anomalies, which I am only able to see on the dashboard)
Message: Client is having trouble resolving a domain name to an IP address (DNS timeout).
DHCP Server for VLAN140 is our Cisco router. Which hands out DHCP with 9.9.9.9 as DNS server.
Parties involved:
Cisco router
Cisco Switch WS-C4506-E (APs port is set to trunk vlan 1,140)
Ubuntu Server 20.04.1 on VMWare with Unifi controller 6.0.45
Unifi AP-LR
Mobile Device
I uploaded some setup pictures to my cloud → TGCloud
We never use the UniFi guest portal because it always seems much more buggy than letting a another device handle it such as pfsense. Might want to check the UniFi forums.
Firmware updated didn’t help… and the Dashboard still shows DNS timeouts.
I figured out why I have DNS timeouts. The mobile device gets complete IP address information:
IP: 10.140.5.46
Subnet: 255.255.255.0
Default GW: 10.140.5.1
DNS-1: 9.9.9.9
DNS-2: 149.112.112.112
Because the splash screen from the portal never appears I am still in the pre-Authorization phase where
only the IP from the controller is allowed. I know this because when I add 9.9.9.9 to the pre-Authorization part I can immediately access the internet.
So my problem is: The splash screen is not showing up and therefore no authorization is possible.
I guess I have to create a user at the unifi forums.
After a lot of setting changes, firmware up and downgrades the problem still existed. I am working 2 decades in IT and have quite some experience but I never dived deep into networking. But encouraged by Tom’s Videos I installed a Pop! OS virtual machine and did a live tcpdump via Wireshark from the access points.
So I could figure out that the problem is really a DNS Problem. I then found a post on the unifi forum and suddenly everything was clear.
(copied from the unifi forum and modified by me:)
Guests (VLAN140) are set to have 9.9.9.9 and 149.112.112.112. as DNS and the firewall has a rule to allow DNS to external for our internal DNS servers, as well as the Guest subnet (VLAN140). However the APs are intercepting and forwarding the DNS requests under their own (VLAN1) IP, which results in the firewall blocking packages from AP IPs to 9.9.9.9 and 149.112.112.112. Therefore, for example, captive.apple.com couldn’t be resolved and so no portal.
My solution is now to add the AP IPs into the DNS outgoing rule, although I’m not all to happy with that.