Devices with webserver connected to IOT interface can no longer be accessed via hostname

NovaViper · March 9, 2021, 5:25pm

Hey guys, I followed this tutorial in order to get my IOT and guest networks setup (However what I did differently was setup the IOT interface exactly like how the guest interface is setup, expect using a different different ip address for the interface). Everything is working fine expect for accessing my devices connected to it through their hostname, I get a DNS_PROBE_FINISHED_NXDOMAIN error when I try to access my raspberry pi's web server. Any fix for this?

I have a Archer A7 v5 running Openwrt v19.07.7. Here's what my settings look like as of now (removed some settings to show only the changes I've made).

Network

config interface 'guest'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.23.36.0'

config interface 'iot'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.4.1'

config interface 'tun0'
        option proto 'none'
        option ifname 'tun0'
        option auto '0'

Firewall

config zone
        option name 'iot'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option network 'iot'
        option forward 'REJECT'

config forwarding
        option dest 'iot'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'iot'

config zone
        option forward 'REJECT'
        option name 'guest'
        option output 'ACCEPT'
        option input 'REJECT'
        option network 'guest'

config forwarding
        option dest 'wan'
        option src 'guest'

config rule
        option src 'guest'
        option name 'Guest DHCP and DNS'
        option target 'ACCEPT'
        option dest_port '53 67-68'

config rule
        option src 'iot'
        option name 'IOT DHCP and DNS'
        option dest_port '53 67-68'
        option target 'ACCEPT'

config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'
        option src 'wan'

config zone
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option name 'VPNZone'
        option output 'ACCEPT'
        option network 'tun0'

config forwarding
        option dest 'iot'
        option src 'VPNZone'

config forwarding
        option dest 'wan'
        option src 'VPNZone'

DHCP

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option confdir '/tmp/dnsmasq.d'
        option domain 'local'
        option local '/local/'
        option rebind_localhost '1'
        option rebind_protection '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'iot'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'iot'

config dhcp 'guest'
        option start '100'
        option limit '150'
        option interface 'guest'
        option leasetime '1h'

config domain
        option ip '192.168.4.120'
        option name 'xxxxxxxxxx'

vgaetera · March 9, 2021, 5:48pm

mDNS is typically limited to a single broadcast domain, so it's problematic to traverse subnets.

NovaViper · March 9, 2021, 6:39pm

How do I set it up for different subnets then? I can't switch the domain to lan because my computers' file explorer does not recognize .lan for some reason, they by default use .local and I can't change them to use .lan

vgaetera · March 9, 2021, 6:53pm

In any case, you should not mix mDNS and DNS as they are completely different technologies.
It is not trivial to pass/resolve mDNS across subnets, instead you can set up static leases.
The hostnames configured with active static leases can be resolved from any downstream subnet.
If you also need to resolve inactive leases/hostnames, set up hostnames as well.

NovaViper · March 9, 2021, 7:41pm

I do have hostnames setup for the devices on the router's side, but they still do not work. And the interface also has a static DHCP setup for it aswell, and that didn't fix the issues at all

vgaetera · March 9, 2021, 8:44pm

Enable DNS query logging for diagnostics and perform a DNS lookup from the client.

NovaViper · March 9, 2021, 8:58pm

When I restart dnsmasq, I get this

root@Archer-A7:~# /etc/init.d/dnsmasq restart
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing

And this is what I get when I do `nslookup openwrt.org' from my raspberry pi

Tue Mar  9 14:57:14 2021 daemon.info dnsmasq[8941]: 249 192.168.4.120/36662 query[A] openwrt.org from 192.168.4.120
Tue Mar  9 14:57:14 2021 daemon.info dnsmasq[8941]: 249 192.168.4.120/36662 cached openwrt.org is 139.59.209.225
Tue Mar  9 14:57:14 2021 daemon.info dnsmasq[8941]: 250 192.168.4.120/35180 query[AAAA] openwrt.org from 192.168.4.120
Tue Mar  9 14:57:14 2021 daemon.info dnsmasq[8941]: 250 192.168.4.120/35180 cached openwrt.org is 2a03:b0c0:3:d0::1af1:1

vgaetera · March 9, 2021, 9:00pm

Now try to query some of the locally configured hostnames.

NovaViper · March 9, 2021, 9:01pm

nslookup omvpi

Tue Mar  9 15:00:50 2021 daemon.info dnsmasq[8941]: 464 192.168.4.120/43756 query[A] omvpi from 192.168.4.120
Tue Mar  9 15:00:50 2021 daemon.info dnsmasq[8941]: 464 192.168.4.120/43756 DHCP omvpi is 192.168.4.120
Tue Mar  9 15:00:50 2021 daemon.info dnsmasq[8941]: 465 192.168.4.120/39655 query[AAAA] omvpi from 192.168.4.120
Tue Mar  9 15:00:50 2021 daemon.info dnsmasq[8941]: 465 192.168.4.120/39655 config omvpi is NODATA-IPv6

and nslookup omvpi.local

Tue Mar  9 15:02:12 2021 daemon.info dnsmasq[8941]: 531 192.168.4.120/51475 query[A] omvpi.local from 192.168.4.120
Tue Mar  9 15:02:12 2021 daemon.info dnsmasq[8941]: 531 192.168.4.120/51475 /tmp/hosts/dhcp.cfg01411c omvpi.local is 192.168.4.120
Tue Mar  9 15:02:12 2021 daemon.info dnsmasq[8941]: 532 192.168.4.120/40763 query[AAAA] omvpi.local from 192.168.4.120
Tue Mar  9 15:02:12 2021 daemon.info dnsmasq[8941]: 532 192.168.4.120/40763 config omvpi.local is NODATA-IPv6

vgaetera · March 9, 2021, 9:09pm

DNS relies on the unicast traffic.
The .local domain uses mDNS which relies on the multicast traffic.
Dnsmasq cannot resolve multicast mDNS queries.
You must not use nslookup to check the .local domain records.
Change your domain and try again.

NovaViper · March 9, 2021, 9:53pm

But how do I make my computers not use .local? For some reason with Windows 10 in particular it forces .local in the beginning of all of the hostname urls, even when I specifiy .lan. If that can't be changed, then what's an alternative to dnsmasq? Before I had Openwrt, the network was setup to use .local and it worked then, why is it impossible to set it up now that way?

vgaetera · March 9, 2021, 10:08pm

When you try to access a .local domain in a file manager, it sends a multicast query.
This query is answered by the neighbor hosts directly, bypassing all DNS servers.

Since you split the network to different subnets, it's becomes problematic.
The multicast traffic cannot reach hosts in a different subnet.

Either forget about mDNS and use plain DNS, or try to configure mDNS routing.
The relevant links for both cases are posted above.

dominick-han · March 9, 2021, 10:24pm

https://blog.christophersmart.com/2020/03/30/resolving-mdns-across-vlans-with-avahi-on-openwrt/

I followed this guide, added reflector on avahi daemon and HomeKit(mDNS) works across different openwrt firewall zones.

NovaViper · March 9, 2021, 10:25pm

How do I disable mDNS? I wasn't even aware that it was using mDNS (I just used the default settings that Openwrt had setup already)

NovaViper · March 15, 2021, 6:12pm

The guide's not working for me, followed everything but my devices on my lan network still can't ping to the devices on teh IOT network. And when I reload the firewall, it just says this

   * Rule 'Allow mDNS'
     ! Skipping due to different family of ip address

I enabled reflector in avahi and I also added allowed interfaces (br-lan and br-iot), but it's not working still

Config for Avahi firewall rules

config rule
        option src_port '5353'
        option src 'lan'
        option name 'Allow mDNS for LAN'
        option target 'ACCEPT'
        list dest_ip '224.0.0.251'
        option dest_port '5353'
        list proto 'udp'
        option dest 'iot'

config rule
        option src_port '5353'
        option src 'iot'
        option name 'Allow mDNS for IOT'
        option target 'ACCEPT'
        list dest_ip '224.0.0.251'
        option dest_port '5353'
        list proto 'udp'
        option dest 'lan'

config rule
        option src_port '5353'
        option src '*'
        option name 'Allow mDNS'
        option target 'ACCEPT'
        option dest_port '5353'
        list proto 'udp'
        list dest_ip '224.0.0.251'
        option enabled '0'