2020-08-24

Hello all, I've got another strange scenario that I was hoping to get some help with, be warned though... it's an Apple issue. I have a guest network, very basic setup, it has its own VLAN (we can call it 5) and I am using a virtual interface on my firewall as the gateway for the internet (same setup as my printer subnet from my other routing thread). I am assigning DHCP from my server subnet, with an IP helper on the firewall interface, and there is just one policy on the FW that points the guest interface to the WAN interface, nothing special whatsoever, no communication with my other subnets. DHCP is handing out 8.8.8.8 as the only DNS server, and all clients can receive the appropriate IP address on the subnet. All of my non-Apple clients can get to the internet beautifully: Windows devices, Android devices, Chrome/Pixel devices, and even my personal MacBook that runs OSX 10.6 (the last usable OS Apple ever made). The issue I am having is that none of the iPhones/iPads and modern crapple computers can actually browse the internet. I can verify that they are at least able to communicate out to the WAN and onto the internet by browsing directly to an IP rather than a DNS name; most websites simply return some answer about not allowing traffic directly to an IP address, but the fact that I can get to the website to see that answer pretty much proves that the connection is being made. Obviously this seems like some sort of DNS issue, but it's ONLY on modern Apple devices, so I'm wondering if there are any other Apple admins out there that know of some trick to make these devices play nicely? I'm going to play around with some stuff now, but I wanted to get the question out there first to see if there is any low-hanging fruit I'm missing.
I'm borrowing someone's iPhone to test with now. I've done all the things as far as forgetting the network, resetting network settings, etc.

The devices all do seem to work on my production network, but as far as configuration goes the only difference is that I am only handing out 8.8.8.8 as DNS rather than my main DC's address. I am specifying a DNS suffix, but I have already tried removing that option from the DHCP settings.

Things I will try next:

Make a new SSID on the same VLAN

Add a policy to allow the subnet to communicate with my main DC that allows only DNS queries (I did try this before, but I might have made a mistake, so I'll try it again)

Reboot all the things in general

More as I think of it