Attempting to make a second subnet for NordVPN

OK, so after a significant amount of pain, I got my OpenWrt router from 19.07 to the latest, 23.05.2 (not pleasant).

After all of this, my goal is to have 2 subnets:

The first subnet is a DMZ of sorts: essentially the network I have outside the VPN, primarily for access into the servers I make available through port forwarding.

The second subnet runs under NordVPN; that is where I place the other systems on my network, forcing them into a secure mode.

I have routes set up to have the two subnets be able to talk to each other as well (so I can do things like SSH into my servers from my desktop).

The first subnet works. However, the second subnet does not. Even if I have it run to WAN rather than the VPN, it isn't working right.

I duplicated the bridge (br-lan) with a second bridge (br-vpnlan). The only difference is the ports assigned to it (br-lan has lan1-4, while br-vpnlan doesn't have any ports assigned).

I have an interface (vpnlan) which uses the bridge as its device. This is like the lan interface, the only difference being the IP configuration, as this subnet uses a different IP range.

I have a Wireless configuration which is connected to the bridge as well, linked to the vpnlan interface.

I have a firewall zone set up for the vpnlan, and currently have it going to WAN, just like the default lan does.

From what I can tell, this should work, but it doesn't. Whenever I connect to the wireless SSID, I get nowhere. It will connect, I get an IP address assigned, but I can't see anything, not even the router.

As I said, the goal is to have this run through NordVPN, and then I can set up multiple wireless SSIDs as needed (for 5 GHz and 2 GHz, and whether or not they are in isolation mode) running through NordVPN, while I have my DMZ "original" subnet available to handle things like port forwarding.

I can provide configs as requested.

You'll need to use policy-based routing to achieve the general goal, but let's first make sure the overall config is correct.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Ok, here's everything, I think I scrubbed all the problematic stuff.

root@xlorep:~# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "xlorep",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
root@xlorep:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd00:7714:0214:2009::/64'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option type 'bridge'
	option name 'br-vpnlan'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.18.75.1'
	option netmask '255.255.255.0'
	option ip6assign '32'
	option ip6ifaceid '::1'
	list ip6class 'local'
	list dns '10.18.75.1'
	list dns_search 'darkhelm.lan'

config interface 'vpnlan'
	option device 'br-vpnlan'
	option proto 'static'
	option ipaddr '10.2.18.1'
	option netmask '255.255.255.0'
	option ip6assign '32'
	option ip6ifaceid '::1'
	list ip6class 'local'
	list dns '10.2.18.1'
	list dns_search 'darkhelm2.lan'

config device
	option name 'wan'
	option macaddr ***

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'nordvpntun'
	option proto 'none'
	option device 'tun0'

config route
	option interface 'lan'
	option target '10.2.18.0/24'
	option gateway '10.2.18.1'

config route
	option interface 'vpnlan'
	option target '10.18.75.0/24'
	option gateway '10.18.75.1'

root@xlorep:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option channel '48'
	option band '5g'
	option htmode 'VHT80'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Sorlina'
	option encryption 'psk2'
	option macaddr ***
	option key ***

config wifi-iface 'wifinet3'
	option device 'radio0'
	option network 'vpnlan'
	option mode 'ap'
	option ssid 'Nibenay'
	option encryption 'psk2'
	option macaddr ***
	option key ***

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option channel '9'
	option band '2g'
	option country 'US'
	option legacy_rates '1'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Oguler'
	option encryption 'psk'
	option macaddr ***
	option key ***

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option channel '34'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

root@xlorep:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/darkhelm.lan/'
	option domain 'darkhelm.lan'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option port '54'
	option noresolv '1'
	option expandhosts '1'
	list server '10.18.75.1'
	list server ***

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,10.18.75.1'
	list dhcp_option '3,10.18.75.1'
	list dns ***

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'kankali'
	option ip '10.18.75.2'
	option leasetime '12h'
	option duid ***
	option hostid '02'
	list mac ***

config host
	option name 'zhokq'
	option ip '10.18.75.3'
	option leasetime '12h'
	option duid ***
	option hostid '03'
	list mac ***

config host
	option name 'urtzul'
	option ip '10.18.75.4'
	option duid ***
	option hostid '04'
	list mac ***

config host
	option name 'printer'
	option ip '10.18.75.10'
	option leasetime '12h'
	option hostid '10'
	list mac ***

config host
	option name 'printer2'
	option ip '10.18.75.11'
	option leasetime '12h'
	option hostid '11'
	list mac ***

config host
	option name 'darkhome'
	option ip '10.18.75.20'
	option leasetime '12h'
	option hostid '20'
	list mac ***

config host
	option name 'pi-desktop'
	option ip '10.18.75.25'
	option leasetime '12h'
	option hostid '25'
	list mac ***

config host
	option name 'family-laptop'
	option ip '10.18.75.26'
	option leasetime '12h'
	option duid ***
	option hostid '26'
	list mac ***

config host
	option name 'chromebook'
	option ip '10.18.75.27'
	option leasetime '12h'
	option hostid '27'
	list mac ***

config domain
	option name 'adrae.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'boffo.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'borys.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'budget.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'code.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'diani.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'dogar.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'drive.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'elrena.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'fairyflections.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'finance.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'fwiffo.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'games.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'git.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'home.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'ide.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'ilp.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'irikos.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'keltis.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'links.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'manu.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'movies.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'music.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'plex.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'pw.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'rolthen.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'search.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'shell.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'talana.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'uyness.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'vault.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'video.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'www.darkhelm.org'
	option ip '10.18.75.1'

config domain
	option name 'xlorep.darkhelm.org'
	option ip '10.18.75.1'

config dhcp 'vpnlan'
	option interface 'vpnlan'
	option start '100'
	option limit '150'
	option leasetime '12h'

root@xlorep:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Phone Block Outgoing'
	option src 'lan'
	list src_mac ***
	option dest 'wan'
	option dest_port '2000-65535'
	option target 'REJECT'

config rule 'dot_fwd'
	option name 'Deny-DoT'
	option src 'lan'
	option dest 'wan'
	option dest_port '853'
	option proto 'tcp udp'
	option target 'REJECT'

config rule
	option name 'Block external DNS'
	option src 'wan'
	option dest_port '53'
	option target 'REJECT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'SSH (ipv4)'
	list proto 'tcp'
	option src 'wan'
	option src_dport '22'
	option dest_ip '10.18.75.20'

config redirect
	option target 'DNAT'
	option name 'Intercept-DNS (ip4/ip6)'
	option family 'any'
	option src 'lan'
	option src_dport '53'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTP (ip4)'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest_ip '10.18.75.1'
	option dest_port '80'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTPS (ip4)'
	option family 'ipv4'
	option src 'wan'
	option src_dport '443'
	option dest_ip '10.18.75.1'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Eternal Terminal (ipv4)'
	option src 'wan'
	option src_dport '2022'
	option dest_ip '10.18.75.20'
	option dest_port '2022'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Gitea (ipv4) [WAN]'
	option src 'wan'
	option src_dport '2222'
	option dest_ip '10.18.75.3'
	option dest_port '22'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Gitea (ipv4) [LAN]'
	option src 'lan'
	option src_dport '2222'
	option dest_ip '10.18.75.3'
	option dest_port '22'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'EmulatorJS IPFS (ipv4)'
	option src 'wan'
	option src_dport '4001'
	option dest_ip '10.18.75.20'
	option dest_port '4001'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Collabora Online (ipv4)'
	option src 'wan'
	option src_dport '9980'
	option dest_ip '10.18.75.2'
	option dest_port '9980'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Plex (ipv4)'
	option src 'wan'
	option src_dport '32400'
	option dest_ip '10.18.75.3'
	option dest_port '32400'

config rule
	option name 'Filter-Parental-Controls-Chromebook'
	list src_mac ***
	option dest 'wan'
	option target 'REJECT'
	option src 'lan'
	option enabled '0'

config rule
	option name 'Filter-Parental-Controls-Kindle'
	option src 'lan'
	list src_mac ***
	option target 'REJECT'
	option dest 'wan'
	option enabled '0'

config rule
	option name 'Filter-Parental-Controls-Family-Laptop'
	option src 'lan'
	list src_mac ***
	option target 'REJECT'
	option dest 'wan'
	option enabled '0'

config rule
	option name 'Filter-Parental-Controls-Pi-Desktop'
	option src 'lan'
	list src_mac ***
	option dest 'wan'
	option target 'REJECT'
	option enabled '0'

config rule
	option name 'Filter-Parental-Controls-Rokus'
	option src 'lan'
	list src_mac ***
	list src_mac ***
	option dest 'wan'
	option target 'REJECT'
	option enabled '0'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config zone
	option name 'vpnwan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'nordvpntun'

config zone
	option name 'vpnlan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vpnlan'

config forwarding
	option src 'vpnlan'
	option dest 'wan'

I do have the pbr app set up; right now the config for that is below.

The "Route vpnlan to wan" policy is active, but I've tried with it on or off, with no success.

root@xlorep:~# cat /etc/config/pbr

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '1'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list supported_interface 'nordvpntun'

config policy
	option dest_addr '10.18.75.0/24 10.2.18.0/24'
	option interface 'ignore'
	option name 'Prioritize subnets'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'

config policy
	option name 'Route vpnlan to nordvpntun'
	option src_addr '10.2.18.0/24'
	option interface 'nordvpntun'
	option enabled '0'

config policy
	option name 'Route vpnlan to wan'
	option src_addr '10.2.18.0/24'
	option interface 'wan'

These can both be deleted:

Delete the last 3 lines here:

Exposing the router's admin interface (especially LuCI) is not recommended. I'd remove this entirely. Beyond that, these should be rules not port-forward/redirects. But remove them... it's not safe.

You have vpnlan > wan forwarding allowed... seems like this should be vpnlan > vpnwan.
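The zone change suggested above, written out against the firewall config posted earlier. This is an added editor's example, not the helper's or the poster's own config; it assumes the zone names from that config (`vpnlan`, `vpnwan`, `lan`, `wan`) and that the tunnel interface `nordvpntun` is up:

```uci
# As posted: vpnlan clients leave through the plain WAN, i.e. outside the tunnel
config forwarding
	option src 'vpnlan'
	option dest 'wan'

# Corrected: vpnlan may only leave through the tunnel zone. If tun0 is down
# there is no other permitted path out, so the subnet fails closed instead
# of silently falling back to the ISP connection.
config forwarding
	option src 'vpnlan'
	option dest 'vpnwan'

# Inter-subnet access (e.g. SSH from a vpnlan desktop to a lan server) is a
# zone-forwarding decision, not a routing one: 10.18.75.0/24 and 10.2.18.0/24
# are both directly attached, so the kernel already has connected routes for
# them and the two 'config route' entries in /etc/config/network are redundant.
config forwarding
	option src 'vpnlan'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpnlan'
```

The forwarding rules only permit the path; the pbr policy "Route vpnlan to nordvpntun" (currently `enabled '0'` in the posted pbr config) is what actually steers 10.2.18.0/24 into tun0, and the posted `strict_enforcement '1'` drops that traffic rather than re-routing it when the tunnel is down. After `/etc/init.d/firewall restart`, `fw4 print | grep -i vpnlan` shows the generated nftables rules for the zone.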

Those port 80 and 443 forwards are to nginx, which does multiple virtual hosts. The LuCI mapping is strictly local addresses only within that.

Also, I am intentionally mapping over to wan rather than vpnwan for now, to see if I can get the second subnet working.

I don't need the routes between the two subnets for them to see each other?

Ok... so what happens when you try to access the internet from the vpnlan network?

Ok, so interesting, things seem to be working a little better. The first ping works, the second doesn't. Which tells me that the nameserver isn't being forwarded to my client. It should be set to give 10.2.18.1 as the nameserver, but it isn't coming through.

What does the client host have for its IP information (including DNS, subnet mask, and router)?

wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.2.18.179  netmask 255.255.255.0  broadcast 10.2.18.255
        inet6 fe80::4f94:a19e:bf4c:5bc1  prefixlen 64  scopeid 0x20<link>
        ether ***  txqueuelen 1000  (Ethernet)
        RX packets 4488989  bytes 4325812453 (4.3 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2361425  bytes 736813478 (736.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
darkhelm@darkhome:~$ nmcli device show wlp2s0
GENERAL.DEVICE:                         wlp2s0
GENERAL.TYPE:                           wifi
GENERAL.HWADDR:                         ***
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     Nibenay
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/34
IP4.ADDRESS[1]:                         10.2.18.179/24
IP4.GATEWAY:                            10.2.18.1
IP4.ROUTE[1]:                           dst = 10.2.18.0/24, nh = 0.0.0.0, mt = 600
IP4.ROUTE[2]:                           dst = 0.0.0.0/0, nh = 10.2.18.1, mt = 20600
IP4.ROUTE[3]:                           dst = 169.254.0.0/16, nh = 0.0.0.0, mt = 1000
IP4.DOMAIN[1]:                          darkhelm.lan
IP6.ADDRESS[1]:                         fe80::4f94:a19e:bf4c:5bc1/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024

what happens if you do

nslookup openwrt.org

(on the client device)

darkhelm@darkhome:~$ nslookup openwrt.org
Server:		127.0.0.53
Address:	127.0.0.53#53

** server can't find openwrt.org: SERVFAIL

It looks like you've added some DNS related stuff (filtering, etc.) to your system...

Try removing the last 2 lines. Then restart the router and force the client to get a new lease.

OK, I did. I am using AdGuard Home as my DNS server, and it works fine for lan. It's just not being used with vpnlan.

If I set the nameserver manually on the client with its wireless connection it all works.

I did those changes, and it hasn't changed anything.

When I connect my client to the main lan, it also doesn't have an IPv4 DNS server defined in nmcli (no IP4.DNS entry), but it does have an IPv6 one. For the vpnlan connection, I see no DNS server defined for IPv4 or IPv6 (not that I would need to worry about IPv6 once it is switched to the VPN anyway).

Since you said you're not actually using AGH, maybe undo all the changes and make sure that dnsmasq is operating normally on port 53.

Also, it shouldn't matter because it doesn't actually have any effect, but remove the last 2 lines here:

I am actually using AGH.

When I said it wasn't being used, I mean that the vpnlan isn't pushing the nameserver to the clients.

oh... sorry, I misunderstood.

I'm not sure why it wouldn't be pushing the DNS to the clients... it should by default send option 6 with the router's address. But you could manually specify this and see if it helps.
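Option 6 is the DHCP "Domain Name Server" option (RFC 2132) and option 3 is the default router. The `lan` pool in the posted /etc/config/dhcp already pins both explicitly (`list dhcp_option '6,10.18.75.1'` and `'3,10.18.75.1'`), while the `vpnlan` pool does not. As an added editor's example, not part of the thread, here is the vpnlan pool with the same two options set; it assumes that whatever answers DNS on 10.2.18.1 port 53 is the AdGuard Home instance the poster described (the posted dnsmasq listens on port 54):

```uci
config dhcp 'vpnlan'
	option interface 'vpnlan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	# Option 3: default router; option 6: DNS server handed to clients.
	# Both are pinned explicitly, as the 'lan' pool already does, instead of
	# relying on dnsmasq to advertise itself (it is not on port 53 here).
	list dhcp_option '3,10.2.18.1'
	list dhcp_option '6,10.2.18.1'
```

Restart dnsmasq (`/etc/init.d/dnsmasq restart`), renew the client's lease, then check what the client actually received: `nmcli device show wlp2s0 | grep DNS` should now list an IP4.DNS[1] entry, and on a systemd-resolved host `resolvectl status wlp2s0` shows the per-link server (the earlier `nslookup` only reports the 127.0.0.53 stub, not where the stub forwards). One caveat from the posted firewall: the "Intercept-DNS" redirect is limited to `src 'lan'`, so a vpnlan client with a hardcoded resolver is not redirected to the router the way a lan client is.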

Sorry, not really following. What is "option 6"? How would I manually set this?