Different DNS servers on different interfaces

Hello. I already set up WireGuard on a separate SSID (see my earlier OpenWrt forum thread). Now I want to take this one step further: is it possible to use different DNS servers on different interfaces? AFAIK it is, but I don't know how, and NGL it looks hard. I have four interfaces, one per SSID: "Wireless Freedom", "Wireless Freedom Home", "Wireless Freedom WireGuard" and "Wireless Freedom FREE". The last one is disabled right now. I want "Wireless Freedom" to use NextDNS (ideally over HTTPS), "Wireless Freedom Home" to use the Cloudflare family DNS, "Wireless Freedom WireGuard" to keep using ProtonVPN's DNS — which is fine as long as it does not leak DNS outside the tunnel — and "Wireless Freedom FREE" to use Quad9.

NETWORK CONFIG

# /etc/config/network (UCI). Keys are redacted by the poster ('+=', '/=').
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7f:6d76:74be::/48'

# Upstream on VLAN 1. Without 'option peerdns 0' the ISP's resolvers are written
# to /tmp/resolv.conf.d/resolv.conf.auto, which dnsmasq reads as its upstreams.
config interface 'wan'
        option device 'eth0.1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.1'
        option proto 'dhcpv6'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.2'

# 'lan' (10.0.0.0/24): the wired LAN ports plus the "Wireless Freedom" SSID,
# which is attached to it in /etc/config/wireless. It is the only network with
# ip6assign, i.e. the only one whose clients get IPv6.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '2 4 6t'

# Per-SSID networks (IPv4 only, no ip6assign). They have no 'device': each one
# is bound to its AP through 'option network' in /etc/config/wireless.
config interface 'wf_home'
        option proto 'static'
        option ipaddr '10.0.3.1'
        option netmask '255.255.255.0'

config interface 'wf_wireguard'
        option proto 'static'
        option ipaddr '10.0.5.1'
        option netmask '255.255.255.0'

# ProtonVPN tunnel (router address 10.2.0.2, provider resolver 10.2.0.1).
# NOTE(review): 'list dns' on a WireGuard interface only adds 10.2.0.1 to the
# router's own resolver list (resolv.conf.auto), next to the ISP's servers; it
# is not handed to wireless clients. dnsmasq may then forward any client's
# query to either upstream, which is presumably why LAN clients were later seen
# resolving through ProtonVPN. Hand 10.2.0.1 to the VPN SSID with DHCP option 6
# instead, and drop this line if the router/LAN must never use the VPN resolver.
config interface 'wireguard_jp'
        option proto 'wireguard'
        option private_key '+='
        list dns '10.2.0.1'
        list addresses '10.2.0.2/24'

# Peer: full tunnel for IPv4 only. The VPN SSID has no IPv6 (no ip6assign), so
# there is no v6 path to leak; keep it that way unless ::/0 is added here too.
config wireguard_wireguard_jp
        option description 'ProtonVPN WireGuard Japan FREE-218011'
        option public_key '/='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '37.19.205.145'
        option endpoint_port '51820'

# Policy routing: table 102 holds a default route via the tunnel, and the rule
# below sends everything that enters on wf_wireguard to that table. If the
# tunnel interface goes down these routes vanish and lookups fall back to the
# main table (WAN); the firewall, which forwards wf_wg only to wg_jp, is what
# keeps that from becoming a leak.
# NOTE(review): 'option source' on a UCI route is the preferred source address,
# not a match; '10.2.0.1/24' looks odd here (the router's tunnel address is
# 10.2.0.2) — probably harmless, but check with `ip route show table 102`.
config route
        option interface 'wireguard_jp'
        option target '0.0.0.0/0'
        option table '102'
        option source '10.2.0.1/24'

config route
        option interface 'wireguard_jp'
        option target '0.0.0.0/0'
        option table '102'
        option source '10.2.0.2'

config rule
        option in 'wf_wireguard'
        option lookup '102'

# Guest network; its SSID is currently disabled in /etc/config/wireless.
config interface 'wf_free'
        option proto 'static'
        option ipaddr '10.0.7.1'
        option netmask '255.255.255.0'

FIREWALL

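# /etc/config/firewall (UCI).
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# Per-SSID zones. Router input is REJECT, so only the explicit DNS/DHCP rules
# further down reach the router itself (LuCI/SSH are not reachable from these
# SSIDs), and traffic to other zones is opt-in through 'forwarding' sections.
config zone
        option name 'wf_free'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wf_free'

config zone
        option name 'wf_home'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wf_home'

config zone
        option name 'wf_wg'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wf_wireguard'

# Tunnel zone: NAT into the tunnel and clamp MSS to the WireGuard MTU.
config zone
        option name 'wg_jp'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wireguard_jp'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt WAN-side rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# NOTE(review): stock rules kept from the default config. Nothing on this page
# runs IPsec, so they can be disabled ('option enabled 0') to stop admitting
# ESP and UDP/500 from the Internet into lan.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# wf_home: DNS and DHCP to the router, Internet via WAN. 'proto' is unset on
# the DNS rules, so fw3/fw4 default them to TCP and UDP 53.
# NOTE(review): DHCP option 6 only suggests a resolver; a client that hard-codes
# its own DNS bypasses the Cloudflare family filter. To enforce it, add a
# 'redirect' (DNAT) of wf_home port-53 traffic to the chosen resolvers, or a
# rule rejecting port 53 from wf_home to any other destination.
config rule
        option name 'WF_Home DNS'
        option src 'wf_home'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'WF_Home DHCP'
        list proto 'udp'
        option src 'wf_home'
        option dest_port '67'
        option target 'ACCEPT'

config forwarding
        option src 'wf_home'
        option dest 'wan'

# wf_wg: the only forwarding target is the tunnel zone, so there is no path to
# WAN even when the tunnel is down (kill switch).
# NOTE(review): 'WF_WireGuard DNS' lets a VPN client resolve through the
# router's dnsmasq, whose upstreams come from resolv.conf.auto and are not
# policy-routed through the tunnel. Once the VPN SSID hands out 10.2.0.1 via
# DHCP option 6 this rule is not needed; drop it to close that leak.
config rule
        option name 'WF_WireGuard DNS'
        option src 'wf_wg'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'WF_WireGuard DHCP'
        list proto 'udp'
        option src 'wf_wg'
        option dest_port '67'
        option target 'ACCEPT'

config forwarding
        option src 'wf_wg'
        option dest 'wg_jp'

# wf_free: DNS and DHCP to the router. The posted config had no 'forwarding'
# for this zone at all; with the REJECT default its clients had no Internet
# access and no way to reach Quad9. The forwarding to WAN is added below.
config rule
        option name 'WF_FREE DNS'
        option src 'wf_free'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'WF_FREE DHCP'
        list proto 'udp'
        option src 'wf_free'
        option dest_port '67'
        option target 'ACCEPT'

config forwarding
        option src 'wf_free'
        option dest 'wan'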

DHCP

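# /etc/config/dhcp (UCI) — dnsmasq and odhcpd.
# dnsmasq is the resolver for every client that does NOT get a DHCP option 6
# override below. Its upstreams come from 'resolvfile' (resolv.conf.auto), i.e.
# whatever netifd collected: the ISP's servers from the WAN lease plus the
# 'list dns' entries on interfaces (here ProtonVPN's 10.2.0.1).
# rebind_protection / localservice protect only clients that resolve through
# the router; clients sent to a public resolver by option 6 bypass them, and
# also lose the '.lan' names and dnsmasq's cache.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# 'lan' pool (wired ports + "Wireless Freedom"). The only network with IPv6,
# hence the only one running DHCPv6/RA.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Per-SSID IPv4 pools (no dhcpv6/ra: these networks have no ip6assign).
# DHCP option 6 on a pool hands clients a resolver IP directly; it can only
# carry plain-DNS addresses, not a DoH URL or a NextDNS profile ID.
config dhcp 'wf_home'
        option interface 'wf_home'
        option start '100'
        option limit '150'
        option leasetime '12h'

# VPN SSID. Hand out ProtonVPN's resolver: 10.2.0.1 is inside the tunnel subnet
# and the policy rule for wf_wireguard routes it through the tunnel, so lookups
# never go to the ISP. Without this option the clients used the router's
# dnsmasq, whose upstreams are not policy-routed — a DNS leak.
config dhcp 'wf_wireguard'
        option interface 'wf_wireguard'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,10.2.0.1'

config dhcp 'wf_free'
        option interface 'wf_free'
        option start '100'
        option limit '150'
        option leasetime '12h'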

Also, the nextdns package in the stable release is broken for me: when I installed it, it cut off Internet access on the other interfaces, so I don't want to use the official package for now.

FYI, WireGuard interfaces do not "assign" DNS servers to clients; you put the DNS servers into the client's config. On OpenWrt, a `list dns` on the WireGuard interface only sets the router's own upstream resolver (it ends up in resolv.conf.auto next to the WAN resolvers) — it is never handed to the wireless clients behind that interface.

  • Do you want the router to use a different DNS?
  • or clients?

I want devices on different SSIDs to use different DNS servers.

As I said, this SSID will be used by my family members, so I don't want adult sites or malware sites reachable there — which is what the Cloudflare family DNS blocks.

Assign your alternate DNS IPs accordingly in the DHCP config of the appropriate network.


Like this? These are the NextDNS servers, but I don't see any change when I apply this; somehow "Wireless Freedom" is still using ProtonVPN's DNS server. BTW, I set the DHCP DNS option on the lan network, and I don't have DHCP enabled on "Wireless Freedom WireGuard". Here is the config.

# DHCP pool for 'lan' — the network the "Wireless Freedom" SSID and the wired
# ports use. The added option 6 hands those clients the NextDNS resolvers
# directly (plain DNS, no profile ID), bypassing the router's dnsmasq. Clients
# only pick it up on a new lease, and a client with a manually configured DNS
# server (or browser DoH) may ignore it.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,45.90.30.0,45.90.28.0'

Yes.

You have to disconnect/reconnect to get a new DHCP lease on all of your clients — the lease is what carries the new DNS server information.

I did; I even rebooted the router, and it still didn't work: the "Wireless Freedom" SSID is using ProtonVPN's DNS server, even though it is connected to lan, not to "WireGuard". (Editor's note: the likely cause is `list dns '10.2.0.1'` on the `wireguard_jp` interface — it puts ProtonVPN's resolver into the router's own resolver list alongside the ISP's, and dnsmasq forwards to whichever upstream it prefers, so any client that still resolves through the router can end up at ProtonVPN's DNS.)

# dnsmasq options as given by the NextDNS setup page. They are router-wide,
# not per-SSID. The OpenWrt equivalents live in the 'config dnsmasq' section of
# /etc/config/dhcp (noresolv, boguspriv, strictorder, list server); add-cpe-id
# has no UCI option and would presumably go into /etc/dnsmasq.conf.
# Ignore the resolvers from resolv.conf(.auto); use only the server= lines.
no-resolv
# Never forward reverse lookups for private address ranges upstream.
bogus-priv
# Query the servers in the order listed instead of the fastest one.
strict-order
# NextDNS upstreams over plain DNS on port 53 (IPv6 and IPv4). This is not the
# "https dns" the poster asked for: DoH needs a local stub (e.g. https-dns-proxy
# or the NextDNS client) that dnsmasq then uses as its upstream.
server=2a07:a8c1::
server=45.90.30.0
server=2a07:a8c0::
server=45.90.28.0
# EDNS0 CPE-ID carrying the NextDNS profile ID (redacted by the poster) — the
# way plain-DNS queries get tied to a profile without the "Linked IP" feature.
add-cpe-id=*********
# NOTE(review): everything above applies to every client that resolves through
# dnsmasq. For truly per-SSID upstreams on the router, OpenWrt can run a second
# 'config dnsmasq' instance bound to an interface ('list interface'), each with
# its own 'list server'.

This config is what I got from the NextDNS website. How do I set these via DHCP on OpenWrt?

Are the clients you want to use the alternate DNS on LAN or on another network?

You have to edit the DHCP settings of the correct network.

The "Wireless Freedom" SSID uses the lan network, as in the default OpenWrt settings, but the other SSIDs work differently and do not use lan. AFAIK, to set the DNS for "Wireless Freedom" I have to change the lan or wan settings, but the DHCP DNS option is not working here. When I set the DNS before (Quad9), I had to change the wan settings, turn off "Use DNS servers advertised by peer" and set the DNS there.


Like this, which worked before. Also, my devices use either automatic DNS or have it turned off.

You should set DHCP option 6 on the network you want the alternate DNS servers for. From your description I understand that's not LAN but one of the wf_ networks, correct?

# Example from the helper: put option 6 on the pool of the network the SSID
# actually uses (wf_free here), not on 'lan'.
config dhcp 'wf_free'
        option interface 'wf_free' #<---HERE
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,45.90.30.0,45.90.28.0'
  • Do you have your config from before?
  • Can you show your /etc/config/wireless file (redact keys and MACs)?

It is `6,45.90.30.0,45.90.28.0`, in the DHCP options on lan.

It was an old config — many users set the DNS that way. I hadn't tried different DNS servers per SSID; it was just a normal config.

Sure.

# /etc/config/wireless (UCI). PSKs are redacted by the poster ('$', '@').
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10300000.wmac'
        option channel '13'
        option band '2g'
        option htmode 'HT20'
        option country 'KR'
        option cell_density '0'

# Main SSID, attached to 'lan': it shares the wired LAN's subnet, DHCP pool and
# DNS settings, which is why the lan DHCP options (not a wf_* pool) apply to it.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Wireless Freedom'
        option encryption 'psk2'
        option key '$'

# Family SSID -> wf_home (Cloudflare family DNS via that pool's option 6).
config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Wireless Freedom Home'
        option encryption 'psk2'
        option key '@'
        option network 'wf_home'

# VPN SSID -> wf_wireguard (policy-routed into the ProtonVPN tunnel).
config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Wireless Freedom WireGuard'
        option encryption 'psk2'
        option key '@'
        option network 'wf_wireguard'

# Guest SSID, currently disabled. NOTE(review): 'encryption none' is an open
# network — once enabled, anyone in range joins the wf_free zone. Router input
# is REJECT there, but consider 'option isolate 1' so guests cannot reach each
# other, and OWE or psk2 if the intended clients support it.
config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Wireless Freedom FREE'
        option encryption 'none'
        option network 'wf_free'
        option disabled '1'

You can see here that `option ssid 'Wireless Freedom'` uses the lan network.

Well, then I'm not sure how you used alternate DNS servers for certain clients before.

Did you create custom leases for the individual machines?

So, no?

I'm not sure what you mean here. It is one router with multiple APs/SSIDs.

I can create one if you want. Here is the config that works with NextDNS, but without any profile ID.

# /etc/config/network, the earlier "Quad9/NextDNS via WAN" variant.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7f:6d76:74be::/48'

# 'peerdns 0' discards the ISP's resolvers; the two NextDNS servers become the
# router-wide upstreams for dnsmasq and the router itself. This affects every
# client that resolves through the router regardless of SSID — which is why
# both the wired test and the "Wireless Freedom" test showed NextDNS.
# NOTE(review): 10.2.0.1 from the wireguard_jp 'list dns' below still lands in
# resolv.conf.auto too, so dnsmasq may also forward to ProtonVPN. The NextDNS
# "no profile" message is expected with plain DNS to these IPs: the query
# carries no profile ID unless the WAN IP is linked, or add-cpe-id / DoH / DoT
# with the profile ID is used.
config interface 'wan'
        option device 'eth0.1'
        option proto 'dhcp'
        option peerdns '0'
        list dns '45.90.28.229'
        list dns '45.90.30.229'

config interface 'wan6'
        option device 'eth0.1'
        option proto 'dhcpv6'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '2 4 6t'

config interface 'wf_home'
        option proto 'static'
        option ipaddr '10.0.3.1'
        option netmask '255.255.255.0'

config interface 'wf_wireguard'
        option proto 'static'
        option ipaddr '10.0.5.1'
        option netmask '255.255.255.0'

# Tunnel, unchanged from the first listing: 'list dns' here only feeds the
# router's resolver list, it is not distributed to wireless clients.
config interface 'wireguard_jp'
        option proto 'wireguard'
        option private_key '+='
        list dns '10.2.0.1'
        list addresses '10.2.0.2/24'

config wireguard_wireguard_jp
        option description 'ProtonVPN WireGuard Japan FREE-218011'
        option public_key '/='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '37.19.205.145'
        option endpoint_port '51820'

# Policy routing for the VPN SSID (table 102), unchanged from the first listing.
config route
        option interface 'wireguard_jp'
        option target '0.0.0.0/0'
        option table '102'
        option source '10.2.0.1/24'

config route
        option interface 'wireguard_jp'
        option target '0.0.0.0/0'
        option table '102'
        option source '10.2.0.2'

config rule
        option in 'wf_wireguard'
        option lookup '102'

config interface 'wf_free'
        option proto 'static'
        option ipaddr '10.0.7.1'
        option netmask '255.255.255.0'

Check the wan section here. This is how I did it with Quad9.

OK, those are the NextDNS servers... where did you set the other DNS servers?

Or are you saying that when you change the WAN DNS, it somehow doesn't work?

That didn't answer the question. I'm trying to understand how you previously configured different DNS servers for clients on different interfaces.

As of now, you have only said you want to switch some clients on LAN to NextDNS, but you showed me the WAN DNS setting with those server IPs.

If you want to do that, I showed you how — but you haven't set it on the WF networks (i.e. I don't understand why you added the DHCP option to LAN and not to WF, as you noted).

Not LAN.

That's why I came here. I want to set a different DNS for each AP/SSID, which I should be able to do with DHCP IMO, but I don't know how.

First of all, the WAN DNS works, but the NextDNS website says "This device is using NextDNS with no profile. Make sure to link your IP address in the Linked IP section below." — both on a PC connected to the router by Ethernet cable and when testing from my phone on "Wireless Freedom"; I get the NextDNS servers there too.

It is working.

Because the "Wireless Freedom" SSID uses the lan network and I haven't created a separate interface for it, I think I will have to.

Got it, hold on, let me try it on the other interfaces.

Tested them; here is the config.

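# /etc/config/dhcp, the "tested" variant: option 6 on wf_home (NextDNS) and
# wf_free (Quad9). dnsmasq itself still serves lan and anyone not overridden;
# its upstreams come from resolv.conf.auto (WAN resolvers plus 10.2.0.1 from
# the wireguard_jp interface).
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# NextDNS for the family SSID (plain DNS, no profile ID attached).
config dhcp 'wf_home'
        option interface 'wf_home'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,45.90.30.0,45.90.28.0'

# VPN SSID. The posted config handed out no resolver here, so these clients
# used the router's dnsmasq, whose upstreams are not policy-routed through the
# tunnel — a DNS leak. 10.2.0.1 is inside the tunnel subnet and is routed via
# table 102, so it stays within the VPN.
config dhcp 'wf_wireguard'
        option interface 'wf_wireguard'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,10.2.0.1'

# Quad9 for the guest SSID. NOTE(review): the posted firewall has no
# 'forwarding' from wf_free to wan, so these clients cannot reach 9.9.9.9 (or
# anything else) until one is added.
config dhcp 'wf_free'
        option interface 'wf_free'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,9.9.9.9,149.112.112.112'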

But here is where it gets weird: when I connect a device to wf_free, I see Quad9 is not being used, and likewise on wf_home the NextDNS website test says the device is not using NextDNS. When I connect the device via an Ethernet port, NextDNS is being used — just not on the Wi‑Fi SSIDs.

@lleachii Hey? Yes, you were right. I made it work now; I was doing it wrong.

# /etc/config/dhcp, final working variant: every SSID gets its resolvers via
# DHCP option 6, so dnsmasq only serves lan and the router itself.
# Clients pointed at a public resolver this way skip dnsmasq entirely: no
# '.lan' names, no cache, no rebind protection for them.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Family SSID: Cloudflare's family resolvers (malware + adult-content blocking,
# per the poster's goal). Advisory only — a client with a hard-coded resolver
# bypasses it unless the firewall redirects or blocks other port-53 traffic.
config dhcp 'wf_home'
        option interface 'wf_home'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,1.1.1.3,1.0.0.3'

# VPN SSID: ProtonVPN's in-tunnel resolver, reached via table 102, so DNS stays
# inside the tunnel. NOTE(review): the 'WF_WireGuard DNS' firewall rule still
# lets a client query the router's dnsmasq instead, which is not tunneled.
config dhcp 'wf_wireguard'
        option interface 'wf_wireguard'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,10.2.0.1'

# Guest SSID: Quad9. Still needs a wf_free -> wan forwarding in the firewall.
config dhcp 'wf_free'
        option interface 'wf_free'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,9.9.9.9,149.112.112.112'

# New network for the "Wireless Freedom" SSID (its network/firewall sections
# are not shown on this page). Like the other wf_* networks it needs its own
# zone with DNS/DHCP input rules and a forwarding to wan — plus an input rule
# for 80/443 if LuCI must be reachable from it. Option 6 cannot carry a NextDNS
# profile ID; that needs the WAN IP linked in NextDNS, or a DoH/DoT stub on the
# router carrying the ID.
config dhcp 'wf_main'
        option interface 'wf_main'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,45.90.28.229,45.90.30.229'

I had to create another interface for the "Wireless Freedom" DHCP, otherwise it kept using lan. Now, any clue how to access the LuCI web UI from the new interface I made? I know I have to add a rule under Firewall → Traffic Rules, but which port? I tried 80, which didn't work.
Now wf_main is using NextDNS, but I still don't know how to set the NextDNS profile ID for it. wf_home is using the Cloudflare family DNS as I wanted.

Port 80 (HTTP) or 443 (HTTPS). Make it an input rule for the new zone (source = that zone, destination = device/unspecified), since the wf_ zones have input set to REJECT; that opens LuCI only to that SSID, not to WAN. Prefer 443 if uhttpd has TLS enabled.


Thank you. Now the mobile devices work fine with the different DNS servers, but for some reason my computer is not picking up the different DNS. Any clue what's wrong here?