Wireless Access

New Contributor

VLANS and DNS Resolution?

I'm kind of a n00b, so there's probably something obvious I'm overlooking.


I have an Aruba Mobility Access Switch, which I created all my VLANs on, and assigned them IP addresses. I also have an Aruba 7200 series mobility controller. The switch and controller are connected via trunked ports. I also created the VLANs on the controller and assigned them an IP. Each VLAN on the controller has the DHCP server service running with a scope that matches the corresponding VLAN subnet. The DHCP server for each VLAN also has the VLAN's IP address on the switch set as the default router/gateway. From what I understand, this allows the switch to do the routing between VLANs. I then connected the firewall to an access port on the switch and added a static route on the switch,, (destination IP, destination subnet, next hop). Finally, I added static routes on the firewall from it's LAN interface to the IP address of the switch. 

Here's the current situation:

I connect a client to port 12 (GE0/0/12) on the switch. The client successfully pulls a correct IP ( from the DHCP server running on the controller. ipconfig shows (Switch VLAN 90 IP) as the default gateway, and as the DHCP server (Controller VLAN 90 IP). From the client, I can ping the switch, controller, firewall, etc, as well as any internet address (i.e. I can also access the management interface of all the devices from the client. This makes sense to me so far as I have not set up any ACLs yet.

However, what I can NOT do is ping any devices by their FQDN or ping an external domain (i.e. google.com),

I'm not exactly sure what to do at this point. I've tried a few different settings for DNS server on the controller's DHCP settings. Using the same IP as the default router doesn't work, nor does using the IP of the firewall. 

BUT.... If I manually configure the DNS server on the client to an external address (, then I can ping google.com and have full internet access. I'm stumped. 


lan diagram.jpg


Re: VLANS and DNS Resolution?

If I have followed correctly things look OK except DNS as you have described. You have all the bits except a DNS server though. I wouldn’t necessarily suggest you have any of the existing devices perform this role unless the firewall had some kind of DNS filtering you wanted to take advantage of.

The good thing is it works when you point things at a real DNs server ( Have you tried issuing this as the nameserver from the DHCP pool?

If you want internal address lookup you will need to build a DNS server and host it on your network.
New Contributor

Re: VLANS and DNS Resolution?

So, it sounds like I might have a pfSense/firewall issue... maybe

For instance, I can take my old HPE VPN/Router (factory default settings) and connect it to the same pfSense/firewall. The router's local IP address is and DHCP hands out that address as the default gateway, DHCP, and DNS server. Everything works fine and dandy. I can even access the management interface by typing in the router's FQDN.

So basically, what exactly is my HPE router doing that my Aruba Mobility switch is not? 

Also, everything I know about networking is self-taught, so don't be surprised if im overlooking something super obvious haha.

lan diagram 2.jpg


Re: VLANS and DNS Resolution?

The switch doesn’t do DNS by the looks. I had a quick look at the Software User Guide for MAS switches and could not find the feature you need. Typically you would not use a switch for this. A router does this because it can often be the only device in a small network capable of DHCP, DNS and routing. Switches aren’t really (typically) designed to cater to the entire stack like that. Generally they will do some internal network routing and could do basic DHCP but I don’t remember seeing a switch with a built in DNS.

It looks like you could achieve what you need with the pfsense. It may act as the DNS server or simply forward requests onwards.

I would highly recommend you setup a DNS server.
New Contributor

Re: VLANS and DNS Resolution?

Progress (slightly)...

You are correct, the switch doesn't seem to have the capability. The controller however, does (I think).

Through the CLI, I used:
(Aruba7240XM) #configure terminal

(Aruba7240XM) (config) #ip domain-name internal.example.com

(Aruba7240XM) (config) #ip domain lookup

(Aruba7240XM) (config) #write mem


I then changed the DHCP config on the controller to issue it's own IP ( on VLAN 90) as the DNS server.

I can now successfully ping unqualified domain names and FQDNs of hosts on the network, as well as external domains such as google.com from the client system through CMD.

However, now when I open up a Chrome window and try to naviate to www.google.com, it resolves to https://www.google.com:4343 with a certificate error. The page displays: "The network you are using may require you to visit its login page," along with a "connect" button.

Clicking connect redirects to https://www.gstatic.com:4343/generate_204
Not sure if there's something else I need to configure, or if it's trying to use a captive portal (which I never set up). Hmmm....

Search Airheads
Showing results for 
Search instead for 
Did you mean: