Adblock on multiple vlan setup

Hi,

On my previous post, with the help of this forum I was able to create a guest network that connects through a VPN using a WireGuard interface.

Now I am trying to get Adblock to work but it seems that no matter which network I am connected to (direct internet or VPN) ads are not getting blocked.

I believe it has something to do with DNS or DHCP but I am very new to this and cannot figure out what’s wrong.

Adblock says enabled and shows 51000 domains blocked.

Any suggestions?

Thanks in advance!

What kind of adblock?
In the router, Pi-hole?

If in the router, you have to make sure your DHCP DNS settings point back to your router.

Yes the Adblock is in the router. I am using a WRT3200.

I changed a setting under DHCP and DNS to forward DNS to 10.64.0.1 and under Network→Interfaces→Guest to change DHCP-options to 6,10.64.0.1
This was to prevent DNS leaks.
Is this why it is not working?

Can this be fixed to have both Adblock working and prevent DNS leaks?

Don't know why it wasn't working, since I don't know what the setup looked like before.

You could always catch all outgoing DNS requests in the FW and forward them to your own DNS.

So I would have to create a firewall rule?
How can I tell which DNS I have to forward them to?

Your own, if you want the adblock to work.

Thanks for your help.

I really wish I could say I understand what I’m supposed to do but I don’t.
How do I forward requests to my own DNS?
Do I need to create one?
Where would I read what my DNS is and where should I go to forward requests to it?

I can give you an overview of my setup if it helps.

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd36:2b80:fdcc::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth1.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth1.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 5t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6t'
network.guest=interface
network.guest.type='bridge'
network.guest.proto='static'
network.guest.ipaddr='192.168.3.1'
network.guest.netmask='255.255.255.0'
network.vpn=interface
network.vpn.proto='wireguard'
network.vpn.listen_port='51820'
network.vpn.private_key='YIDYlnffJnhSmhM410zQKsLRrvO3ra/jsY1mE6HMRnU='
network.vpn.addresses='10.68.191.159/32' 'fc00:bbbb:bbbb:bb01::5:bf9e/128'
network.wgserver=wireguard_vpn
network.wgserver.endpoint_port='51820'
network.wgserver.persistent_keepalive='25'
network.wgserver.allowed_ips='0.0.0.0/0' '::/0'
network.wgserver.endpoint_host='ca11-wireguard.mullvad.net'
network.wgserver.public_key='Dss8vKaAS2tUf55tHLrhQcMgHjePouQHfwiDMKPIz2Q='
network.vpn_route=route
network.vpn_route.interface='vpn'
network.vpn_route.target='0.0.0.0/0'
network.vpn_route.table='100'
network.lan_rule=rule
network.lan_rule.in='guest'
network.lan_rule.dest='192.168.1.0/24'
network.lan_rule.lookup='main'
network.vpn_rule=rule
network.vpn_rule.in='guest'
network.vpn_rule.lookup='100'
network.lan_route=route
network.lan_route.interface='lan'
network.lan_route.target='192.168.1.0/24'
network.lan_route.table='100'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.network='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6' 'vpn'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.guest=zone
firewall.guest.name='guest'
firewall.guest.network='guest'
firewall.guest.output='ACCEPT'
firewall.guest.input='ACCEPT'
firewall.guest.forward='ACCEPT'
firewall.guest_wan=forwarding
firewall.guest_wan.src='guest'
firewall.guest_wan.dest='wan'
firewall.guest_dns=rule
firewall.guest_dns.name='Allow-DNS-Guest'
firewall.guest_dns.src='guest'
firewall.guest_dns.dest_port='53'
firewall.guest_dns.proto='tcp udp'
firewall.guest_dns.target='ACCEPT'
firewall.guest_dhcp=rule
firewall.guest_dhcp.name='Allow-DHCP-Guest'
firewall.guest_dhcp.src='guest'
firewall.guest_dhcp.dest_port='67'
firewall.guest_dhcp.family='ipv4'
firewall.guest_dhcp.proto='udp'
firewall.guest_dhcp.target='ACCEPT'
firewall.guest_lan=forwarding
firewall.guest_lan.src='guest'
firewall.guest_lan.dest='lan'
firewall.lan_guest=forwarding
firewall.lan_guest.src='lan'
firewall.lan_guest.dest='guest'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].dest='lan'
firewall.@forwarding[4].src='wan'
firewall.@rule[11]=rule
firewall.@rule[11].src_port='5353'
firewall.@rule[11].src='*'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].dest_ip='224.0.0.251'
firewall.@rule[11].dest_port='5353'
firewall.@rule[11].proto='udp'
firewall.@rule[11].name='Allow-mDNS'
firewall.adblock_dns_853=redirect
firewall.adblock_dns_853.name='Adblock DNS, port 853'
firewall.adblock_dns_853.src='lan'
firewall.adblock_dns_853.proto='tcp udp'
firewall.adblock_dns_853.src_dport='853'
firewall.adblock_dns_853.dest_port='853'
firewall.adblock_dns_853.target='DNAT'
firewall.adblock_dns_5353=redirect
firewall.adblock_dns_5353.name='Adblock DNS, port 5353'
firewall.adblock_dns_5353.src='lan'
firewall.adblock_dns_5353.proto='tcp udp'
firewall.adblock_dns_5353.src_dport='5353'
firewall.adblock_dns_5353.dest_port='5353'
firewall.adblock_dns_5353.target='DNAT'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].server='10.64.0.1'
dhcp.@dnsmasq[0].confdir='/tmp/dnsmasq.d'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.guest=dhcp
dhcp.guest.interface='guest'
dhcp.guest.start='100'
dhcp.guest.limit='150'
dhcp.guest.dhcp_option='6,10.64.0.1'
dhcp.guest.leasetime='12h'
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 24.200.241.37
nameserver 24.202.72.13
nameserver 24.200.0.1
head: /tmp/resolv.*/*: No such file or directory
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 532
    link/ether 30:23:03:e0:68:80 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3223:3ff:fee0:6880/64 scope link 
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 532
    link/ether 32:23:03:e0:68:80 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3023:3ff:fee0:6880/64 scope link 
       valid_lft forever preferred_lft forever
5: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether ee:08:3e:49:d4:af brd ff:ff:ff:ff:ff:ff
6: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 16:0f:33:81:79:6c brd ff:ff:ff:ff:ff:ff
94: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 32:23:03:e0:68:80 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd36:2b80:fdcc::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::3023:3ff:fee0:6880/64 scope link 
       valid_lft forever preferred_lft forever
95: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 32:23:03:e0:68:80 brd ff:ff:ff:ff:ff:ff
96: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    link/ether 30:23:03:e0:68:80 brd ff:ff:ff:ff:ff:ff
    inet 24.48.68.183/24 brd 24.48.68.255 scope global eth1.2
       valid_lft forever preferred_lft forever
    inet6 fe80::3223:3ff:fee0:6880/64 scope link 
       valid_lft forever preferred_lft forever
97: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 32:23:03:e0:68:80 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::3023:3ff:fee0:6883/64 scope link 
       valid_lft forever preferred_lft forever
98: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.68.191.159/32 brd 255.255.255.255 scope global vpn
       valid_lft forever preferred_lft forever
    inet6 fc00:bbbb:bbbb:bb01::5:bf9e/128 scope global 
       valid_lft forever preferred_lft forever
99: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether 30:23:03:e0:68:81 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3223:3ff:fee0:6881/64 scope link 
       valid_lft forever preferred_lft forever
100: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether 30:23:03:e0:68:82 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3223:3ff:fee0:6882/64 scope link 
       valid_lft forever preferred_lft forever
101: wlan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether 30:23:03:e0:68:83 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3223:3ff:fee0:6883/64 scope link 
       valid_lft forever preferred_lft forever
104: ifb4eth1.2: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc cake state UNKNOWN group default qlen 32
    link/ether 56:3d:ab:e7:80:d4 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::543d:abff:fee7:80d4/64 scope link 
       valid_lft forever preferred_lft forever
106: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-guest state UP group default qlen 1000
    link/ether 32:23:03:e0:68:83 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3023:3ff:fee0:6883/64 scope link 
       valid_lft forever preferred_lft forever
107: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-guest state UP group default qlen 1000
    link/ether 32:23:03:e0:68:80 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3023:3ff:fee0:6880/64 scope link 
       valid_lft forever preferred_lft forever
default dev vpn table 100 proto static scope link 
192.168.1.0/24 dev br-lan table 100 proto static scope link 
default via 24.48.68.1 dev eth1.2 proto static src 24.48.68.183 
24.48.68.0/24 dev eth1.2 proto kernel scope link src 24.48.68.183 
89.36.78.162 via 24.48.68.1 dev eth1.2 proto static 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1 
local 10.68.191.159 dev vpn table local proto kernel scope host src 10.68.191.159 
broadcast 24.48.68.0 dev eth1.2 table local proto kernel scope link src 24.48.68.183 
local 24.48.68.183 dev eth1.2 table local proto kernel scope host src 24.48.68.183 
broadcast 24.48.68.255 dev eth1.2 table local proto kernel scope link src 24.48.68.183 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
broadcast 192.168.3.0 dev br-guest table local proto kernel scope link src 192.168.3.1 
local 192.168.3.1 dev br-guest table local proto kernel scope host src 192.168.3.1 
broadcast 192.168.3.255 dev br-guest table local proto kernel scope link src 192.168.3.1 
fc00:bbbb:bbbb:bb01::5:bf9e dev vpn proto kernel metric 256 pref medium
fd36:2b80:fdcc::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd36:2b80:fdcc::/48 dev lo proto static metric 2147483647 error 4294967183 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev eth1.2 proto kernel metric 256 pref medium
fe80::/64 dev ifb4eth1.2 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev br-guest proto kernel metric 256 pref medium
fe80::/64 dev wlan0-1 proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev wlan1-1 proto kernel metric 256 pref medium
fe80::/64 dev wlan2 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fc00:bbbb:bbbb:bb01::5:bf9e dev vpn table local proto kernel metric 0 pref medium
anycast fd36:2b80:fdcc:: dev br-lan table local proto kernel metric 0 pref medium
local fd36:2b80:fdcc::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev ifb4eth1.2 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1.2 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-guest table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0-1 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan1-1 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan2 table local proto kernel metric 0 pref medium
local fe80::3023:3ff:fee0:6880 dev br-lan table local proto kernel metric 0 pref medium
local fe80::3023:3ff:fee0:6880 dev eth0 table local proto kernel metric 0 pref medium
local fe80::3023:3ff:fee0:6880 dev wlan1-1 table local proto kernel metric 0 pref medium
local fe80::3023:3ff:fee0:6883 dev br-guest table local proto kernel metric 0 pref medium
local fe80::3023:3ff:fee0:6883 dev wlan0-1 table local proto kernel metric 0 pref medium
local fe80::3223:3ff:fee0:6880 dev eth1.2 table local proto kernel metric 0 pref medium
local fe80::3223:3ff:fee0:6880 dev eth1 table local proto kernel metric 0 pref medium
local fe80::3223:3ff:fee0:6881 dev wlan1 table local proto kernel metric 0 pref medium
local fe80::3223:3ff:fee0:6882 dev wlan0 table local proto kernel metric 0 pref medium
local fe80::3223:3ff:fee0:6883 dev wlan2 table local proto kernel metric 0 pref medium
local fe80::543d:abff:fee7:80d4 dev ifb4eth1.2 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev eth1.2 table local metric 256 pref medium
ff00::/8 dev ifb4eth1.2 table local metric 256 pref medium
ff00::/8 dev vpn table local metric 256 pref medium
ff00::/8 dev wlan0 table local metric 256 pref medium
ff00::/8 dev br-guest table local metric 256 pref medium
ff00::/8 dev wlan0-1 table local metric 256 pref medium
ff00::/8 dev wlan1 table local metric 256 pref medium
ff00::/8 dev wlan1-1 table local metric 256 pref medium
ff00::/8 dev wlan2 table local metric 256 pref medium
0:	from all lookup local 
1:	from all to 192.168.1.0/24 iif br-guest lookup main 
2:	from all iif br-guest lookup 100 
32766:	from all lookup main 
32767:	from all lookup default 
# Generated by iptables-save v1.8.3 on Mon Nov 30 17:35:22 2020
*nat
:PREROUTING ACCEPT [13199:1363322]
:INPUT ACCEPT [1909:176638]
:OUTPUT ACCEPT [2698:198817]
:POSTROUTING ACCEPT [96:18382]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i vpn -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o vpn -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
-A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
-A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Adblock DNS, port 53" -j REDIRECT --to-ports 53
-A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Adblock DNS, port 53" -j REDIRECT --to-ports 53
-A zone_lan_prerouting -p tcp -m tcp --dport 853 -m comment --comment "!fw3: Adblock DNS, port 853" -j REDIRECT --to-ports 853
-A zone_lan_prerouting -p udp -m udp --dport 853 -m comment --comment "!fw3: Adblock DNS, port 853" -j REDIRECT --to-ports 853
-A zone_lan_prerouting -p tcp -m tcp --dport 5353 -m comment --comment "!fw3: Adblock DNS, port 5353" -j REDIRECT --to-ports 5353
-A zone_lan_prerouting -p udp -m udp --dport 5353 -m comment --comment "!fw3: Adblock DNS, port 5353" -j REDIRECT --to-ports 5353
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p udp -m udp --dport 88 -m comment --comment "!fw3: Xbox Port 88 (UDP)" -j DNAT --to-destination 192.168.1.182:88
-A zone_wan_prerouting -p tcp -m tcp --dport 3074 -m comment --comment "!fw3: Xbox Port 3074 (UDP and TCP)" -j DNAT --to-destination 192.168.1.182:3074
-A zone_wan_prerouting -p udp -m udp --dport 3074 -m comment --comment "!fw3: Xbox Port 3074 (UDP and TCP)" -j DNAT --to-destination 192.168.1.182:3074
-A zone_wan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Xbox Port 53 (UDP and TCP)" -j DNAT --to-destination 192.168.1.182:53
-A zone_wan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Xbox Port 53 (UDP and TCP)" -j DNAT --to-destination 192.168.1.182:53
-A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Xbox Port 80 (TCP)" -j DNAT --to-destination 192.168.1.182:80
-A zone_wan_prerouting -p udp -m udp --dport 500 -m comment --comment "!fw3: Xbox Port 500 (UDP)" -j DNAT --to-destination 192.168.1.182:500
-A zone_wan_prerouting -p udp -m udp --dport 3544 -m comment --comment "!fw3: Xbox Port 3544 (UDP)" -j DNAT --to-destination 192.168.1.182:3544
-A zone_wan_prerouting -p udp -m udp --dport 4500 -m comment --comment "!fw3: Xbox Port (4500)" -j DNAT --to-destination 192.168.1.182:4500
COMMIT
# Completed on Mon Nov 30 17:35:22 2020
# Generated by iptables-save v1.8.3 on Mon Nov 30 17:35:22 2020
*raw
:PREROUTING ACCEPT [3073056:1993844049]
:OUTPUT ACCEPT [63216:13561768]
:zone_guest_helper - [0:0]
:zone_lan_helper - [0:0]
-A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
-A PREROUTING -i br-guest -m comment --comment "!fw3: guest CT helper assignment" -j zone_guest_helper
COMMIT
# Completed on Mon Nov 30 17:35:22 2020
# Generated by iptables-save v1.8.3 on Mon Nov 30 17:35:22 2020
*mangle
:PREROUTING ACCEPT [3073056:1993844049]
:INPUT ACCEPT [83483:79666411]
:FORWARD ACCEPT [2988935:1914092014]
:OUTPUT ACCEPT [63218:13562400]
:POSTROUTING ACCEPT [3053191:1927890361]
-A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o vpn -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i vpn -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Nov 30 17:35:22 2020
# Generated by iptables-save v1.8.3 on Mon Nov 30 17:35:22 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -d 224.0.0.251/32 -p udp -m udp --sport 5353 --dport 5353 -m comment --comment "!fw3: Allow-mDNS" -j ACCEPT
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i vpn -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i vpn -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o vpn -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
-A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
-A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_guest_forward -m comment --comment "!fw3: Zone guest to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
-A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
-A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
-A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
-A zone_guest_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Allow-DHCP-Guest" -j ACCEPT
-A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_ACCEPT
-A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
-A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
-A zone_guest_src_ACCEPT -i br-guest -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to guest forwarding policy" -j zone_guest_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o vpn -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o vpn -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o vpn -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Zone wan to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i vpn -m comment --comment "!fw3" -j reject

Redirect All Outbound DNS Traffic to Internal IP and onward.

Don't forget to make an exception rule for the DNS IP itself in the fw, or you'll end up in a loop ;)
Or let your own DNS make DNS requests on another port, like DoH.
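
The check below is an added example, not part of any post in this thread. It reads `uci show` output and reports, for each DHCP pool, which resolver clients are handed and whether a port-53 redirect on that zone forces queries through the router's dnsmasq, which is where adblock filters. Assumptions: the sample input is constructed by trimming the configuration posted above, the `adblock_dns_53` section is reconstructed from the posted iptables rule, and the `guest_dns_53` section name is hypothetical, modelled on the posted `adblock_dns_853` redirect.

```shell
#!/bin/sh
# Added example (not from the thread): audit `uci show` output for DHCP pools
# whose clients can resolve names without passing the router's dnsmasq/adblock.

# Prints "<interface> <zone> <dns-handed-out> <status>" per active DHCP pool.
#   enforced - a port-53 redirect on the zone sends every query to the router
#   bypass   - DHCP option 6 names another resolver and nothing redirects it
#   advisory - clients are told to use the router but are not forced to
audit_dns_path() {
    awk '
    /^#/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub("\047", "", val)            # drop the quotes uci puts around values
        n = split(key, k, ".")
        sec = k[1] "." k[2]
        if (n == 2) { type[sec] = val; order[++count] = sec }
        else if (n == 3) opt[sec, k[3]] = val
    }
    END {
        # Pass 1: map interfaces to zones, note zones with a local port-53 redirect.
        for (i = 1; i <= count; i++) {
            s = order[i]
            if (s !~ /^firewall\./) continue
            if (type[s] == "zone") {
                m = split(opt[s, "network"], nets, " ")
                for (j = 1; j <= m; j++) zone_of[nets[j]] = opt[s, "name"]
            } else if (type[s] == "redirect" && opt[s, "src_dport"] == "53" \
                       && opt[s, "dest_ip"] == "") {
                forced[opt[s, "src"]] = 1
            }
        }
        # Pass 2: classify every DHCP pool that is not ignored.
        for (i = 1; i <= count; i++) {
            s = order[i]
            if (s !~ /^dhcp\./ || type[s] != "dhcp" || opt[s, "ignore"] == "1") continue
            ifc = opt[s, "interface"]
            router = opt["network." ifc, "ipaddr"]
            dns = router                  # default: dnsmasq advertises the router
            m = split(opt[s, "dhcp_option"], o, " ")
            for (j = 1; j <= m; j++) if (o[j] ~ /^6,/) dns = substr(o[j], 3)
            z = zone_of[ifc]
            if (z in forced) st = "enforced"
            else if (dns != router) st = "bypass"
            else st = "advisory"
            print ifc, z, dns, st
        }
    }'
}

sample_uci_dump() {
    cat <<'EOF'
# Constructed sample: trimmed from the configuration posted in the thread.
network.lan.ipaddr='192.168.1.1'
network.guest.ipaddr='192.168.3.1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.network='lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6' 'vpn'
firewall.guest=zone
firewall.guest.name='guest'
firewall.guest.network='guest'
# Constructed section mirroring the posted "Adblock DNS, port 53" iptables rule.
firewall.adblock_dns_53=redirect
firewall.adblock_dns_53.src='lan'
firewall.adblock_dns_53.src_dport='53'
firewall.adblock_dns_53.dest_port='53'
firewall.adblock_dns_53.target='DNAT'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.guest=dhcp
dhcp.guest.interface='guest'
dhcp.guest.dhcp_option='6,10.64.0.1'
EOF
}

# Hypothetical guest-zone redirect, same shape as the posted adblock_dns_853 one.
sample_guest_redirect() {
    cat <<'EOF'
firewall.guest_dns_53=redirect
firewall.guest_dns_53.name='Guest DNS, port 53'
firewall.guest_dns_53.src='guest'
firewall.guest_dns_53.proto='tcp udp'
firewall.guest_dns_53.src_dport='53'
firewall.guest_dns_53.dest_port='53'
firewall.guest_dns_53.target='DNAT'
EOF
}

echo "as posted:"
sample_uci_dump | audit_dns_path
echo "with a guest port-53 redirect:"
{ sample_uci_dump; sample_guest_redirect; } | audit_dns_path
```

On the router itself, feed it live configuration with `{ uci show network; uci show firewall; uci show dhcp; } | audit_dns_path`. The check maps pools to zones through each zone's `network` list, so it assumes every interface appears in exactly one zone.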