Blocking IPs based on their domain-names - doesn't work for all my ipsets

jayschauer · July 21, 2020, 12:57am

Hello! I followed the guide on openwrt.org on Blocking IPs based on their Domainnames (FQDN, Hostnames). It successfully worked for the ipset I created to block reddit, but it doesn't work for my instagram/facebook ipset. When I try to browse to reddit.com, I am not able to, but I can still browse instagram.com just fine. I am not sure why, the configurations are nearly identical. Here is my configuration in /etc/config/dhcp:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option confdir '/tmp/dnsmasq.d'
	list server '127.0.0.1#5453'
	list server '0::1#5453'
	option noresolv '1'
	option cachesize '10000'
	list ipset '/reddit.com/Reddit_v4,Reddit_v6'
	list ipset '/fbcdn.net/instagram.com/facebook.com/snapchat.com/feelinsonice.appspot.com/Social_v4,Social_v6'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

Here is the output of ipset list:

Name: Reddit_v4
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 216
References: 2
Number of entries: 4
Members:
151.101.129.140
151.101.65.140
151.101.1.140
151.101.193.140

Name: Social_v4
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 656
References: 1
Number of entries: 16
Members:
3.230.9.94
52.45.116.207
157.240.18.63
31.13.71.52
157.240.130.32
157.240.135.32
157.240.18.15
35.173.166.200
3.223.74.156
3.212.179.212
3.209.182.35
35.170.138.55
157.240.130.17
157.240.18.174
52.22.169.228
69.171.250.20

Name: Reddit_v6
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 68
References: 2
Number of entries: 0
Members:

Name: Social_v6
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1476
References: 1
Number of entries: 16
Members:
2001:559:809e:0:face:b00c:0:a7
2406:da00:ff00::3e5:8b9
2001:559:809e:0:face:b00c:3333:a3f
2406:da00:ff00::23a8:2ac2
2406:da00:ff00::3e2:633c
2a03:2880:f212:c4:face:b00c:0:43fe
2001:559:80ac:0:face:b00c:3333:a3f
2a03:2880:f027:20e:face:b00c:0:2
2a03:2880:f227:2e5:face:b00c:0:4420
2406:da00:ff00::3402:961c
2406:da00:ff00::36d2:852d
2a03:2880:f227:2c4:face:b00c:0:43fe
2406:da00:ff00::34c8:c9b9
2406:da00:ff00::22c7:8eeb
2a03:2880:f0ff:13:face:b00c:0:8e
2406:da00:ff00::3447:df22

And here are the iptables rules I am using to block these ipsets (put in /etc/firewall.user)

# Block reddit on Jay's phone
iptables -A forwarding_lan_rule -m mac --mac-source $JAY_PHONE -m set --match-set Reddit_v4 dst -j REJECT
ip6tables -A forwarding_lan_rule -m mac --mac-source $JAY_PHONE -m set --match-set Reddit_v6 dst -j REJECT

# Block social on Jay's phone
iptables -A forwarding_lan_rule -m mac --mac-source $JAY_PHONE -m set --match-set Social_v4 dst -j REJECT
ip6tables -A forwarding_lan_rule -m mac --mac-source $JAY_PHONE -m set --match-set Social_v6 dst -j REJECT

Here is /etc/config/firewall, the only non-default rules are the ipsets and the rules to intercept dns traffic for adblocking:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect 'adblock_dns_53'
	option name 'Adblock DNS, port 53'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_dns_853'
	option name 'Adblock DNS, port 853'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'

config redirect 'adblock_dns_5353'
	option name 'Adblock DNS, port 5353'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

config ipset
	option enabled '1'
	option name 'Reddit_v4'
	option match 'ip'
	option storage 'hash'
	option family 'ipv4'

config ipset
	option enabled '1'
	option name 'Reddit_v6'
	option match 'ip'
	option storage 'hash'
	option family 'ipv6'

config ipset
	option enabled '1'
	option name 'Social_v4'
	option match 'ip'
	option storage 'hash'
	option family 'ipv4'

config ipset
	option enabled '1'
	option name 'Social_v6'
	option match 'ip'
	option storage 'hash'
	option family 'ipv6'

Here is the output of iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
input_rule  all  --  anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination         
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
output_rule  all  --  anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             MAC 50:7A:C5:73:10:24 match-set Reddit_v4 dst reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             MAC 50:7A:C5:73:10:24 match-set Social_v4 dst reject-with icmp-port-unreachable

Chain forwarding_rule (1 references)
target     prot opt source               destination         

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination         

Chain input_lan_rule (1 references)
target     prot opt source               destination         

Chain input_rule (1 references)
target     prot opt source               destination         

Chain input_wan_rule (1 references)
target     prot opt source               destination         

Chain output_lan_rule (1 references)
target     prot opt source               destination         

Chain output_rule (1 references)
target     prot opt source               destination         

Chain output_wan_rule (1 references)
target     prot opt source               destination         

Chain reject (3 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP       all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
target     prot opt source               destination         
forwarding_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
target     prot opt source               destination         
input_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
target     prot opt source               destination         
output_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (1 references)
target     prot opt source               destination         
forwarding_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (1 references)
target     prot opt source               destination         
input_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan input rule chain */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* !fw3: Allow-IGMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_wan_src_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
target     prot opt source               destination         
output_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere             /* !fw3 */

Here is the output of ip6tables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere             /* !fw3 */
input_rule  all      anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp      anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input  all      anywhere             anywhere             /* !fw3 */
zone_wan_input  all      anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination
forwarding_rule  all      anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all      anywhere             anywhere             /* !fw3 */
zone_wan_forward  all      anywhere             anywhere             /* !fw3 */
reject     all      anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere             /* !fw3 */
output_rule  all      anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all      anywhere             anywhere             /* !fw3 */
zone_wan_output  all      anywhere             anywhere             /* !fw3 */

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination         
REJECT     all      anywhere             anywhere             MAC 50:7A:C5:73:10:24 match-set Reddit_v6 dst reject-with icmp6-port-unreachable
REJECT     all      anywhere             anywhere             MAC 50:7A:C5:73:10:24 match-set Social_v6 dst reject-with icmp6-port-unreachable

Chain forwarding_rule (1 references)
target     prot opt source               destination         

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination         

Chain input_lan_rule (1 references)
target     prot opt source               destination         

Chain input_rule (1 references)
target     prot opt source               destination         

Chain input_wan_rule (1 references)
target     prot opt source               destination         

Chain output_lan_rule (1 references)
target     prot opt source               destination         

Chain output_rule (1 references)
target     prot opt source               destination         

Chain output_wan_rule (1 references)
target     prot opt source               destination         

Chain reject (3 references)
target     prot opt source               destination         
REJECT     tcp      anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
REJECT     all      anywhere             anywhere             /* !fw3 */ reject-with icmp6-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination         
RETURN     tcp      anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP       all      anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
target     prot opt source               destination         
forwarding_lan_rule  all      anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
zone_wan_dest_ACCEPT  all      anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
zone_lan_dest_ACCEPT  all      anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
target     prot opt source               destination         
input_lan_rule  all      anywhere             anywhere             /* !fw3: Custom lan input rule chain */
zone_lan_src_ACCEPT  all      anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
target     prot opt source               destination         
output_lan_rule  all      anywhere             anywhere             /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT  all      anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (2 references)
target     prot opt source               destination         
DROP       all      anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all      anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination         
reject     all      anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (1 references)
target     prot opt source               destination         
forwarding_wan_rule  all      anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-request limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-reply limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp packet-too-big limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp time-exceeded limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp bad-header limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Forward */
zone_lan_dest_ACCEPT  esp      anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT  udp      anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
zone_wan_dest_REJECT  all      anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (1 references)
target     prot opt source               destination         
input_wan_rule  all      anywhere             anywhere             /* !fw3: Custom wan input rule chain */
ACCEPT     udp      fc00::/6             fc00::/6             udp dpt:dhcpv6-client /* !fw3: Allow-DHCPv6 */
ACCEPT     ipv6-icmp    fe80::/10            anywhere             ipv6-icmptype 130 code 0 /* !fw3: Allow-MLD */
ACCEPT     ipv6-icmp    fe80::/10            anywhere             ipv6-icmptype 131 code 0 /* !fw3: Allow-MLD */
ACCEPT     ipv6-icmp    fe80::/10            anywhere             ipv6-icmptype 132 code 0 /* !fw3: Allow-MLD */
ACCEPT     ipv6-icmp    fe80::/10            anywhere             ipv6-icmptype 143 code 0 /* !fw3: Allow-MLD */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-request limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-reply limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp destination-unreachable limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp packet-too-big limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp time-exceeded limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp bad-header limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp unknown-header-type limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp router-solicitation limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-solicitation limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp router-advertisement limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-advertisement limit: avg 1000/sec burst 5 /* !fw3: Allow-ICMPv6-Input */
zone_wan_src_REJECT  all      anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
target     prot opt source               destination         
output_wan_rule  all      anywhere             anywhere             /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT  all      anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination         
reject     all      anywhere             anywhere             /* !fw3 */

vgaetera · July 21, 2020, 3:21am

Make sure the clients do not use DoH, which may be enabled by default in modern browsers.
Restart Dnsmasq to force it drop the cache.
Clean DNS cache on the clients.
Set up NAT6 to intercept DNSv6.

jayschauer · July 21, 2020, 4:52am

What will intercepting DNS6 do? I read through the page you linked as well as this page https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6 and I don't understand what NAT6 does or why it is necessary.

vgaetera · July 21, 2020, 8:46am

The same redirect, that you already have for DNS, will work for DNSv6 as well.

jayschauer · July 21, 2020, 3:11pm

Okay, sounds good. Also it must have been the DNS cache, today all the requests are being blocked as they should. I guess because I was hitting the cache, dnsmasq was not seeing the requests and adding the IPs to the blocked set.

system · July 31, 2020, 3:11pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.