Direct traffic from my lan to a specific ISP vlan?

pc_magas · August 10, 2021, 6:35pm

Vodaforn Greece uses 2 VLANs:

835 for Internet and used PPPoe
837 as VOIP applications. Only asterisk will consume this interface for outgoing traffic

I managed to make my router connect into internet via VDSL via:


config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'wan'
        option device 'dsl0.835'
        option proto 'pppoe'
        option username '^USERNAME^'
        option password '^PASSWORD^'
        option ipv6 'none'
        option keepalive '10'
        option mtu '1492'

config interface voip
	option device 'dsl0.837'
	option proto 'dhcp'

But I am afaid that all my outgoing traffic from lan does not get redirected to wan interface. Therefore, I want to force any traffic comming from lan to use the wan interface for outgoint traffic. The wan interface uses pppoe and dynamic IP thereforer I cannot know apriori what ip ISP gives to me.

Do you know how I can achieve this?

vgaetera · August 10, 2021, 7:06pm

uci set network.lan.ip4table="1"
uci set network.voip.ip4table="2"
uci -q delete network.lan_voip
uci set network.lan_voip="rule"
uci set network.lan_voip.in="lan"
uci set network.lan_voip.dest="VOIP_DOMAIN_IP/32"
uci set network.lan_voip.lookup="2"
uci set network.lan_voip.priority="30000"
uci commit network
/etc/init.d/network restart

pc_magas · August 10, 2021, 7:15pm

I tried that and I got the following error:

uci: Parse error (invalid command) at line 53, byte 21

vgaetera · August 10, 2021, 7:21pm

Fix syntax errors in your network config at the reported line number.

eduperez · August 10, 2021, 9:41pm

Post your full network and firewall configuration files.

pc_magas · August 11, 2021, 6:10pm

I messed up with wan's dns settings

pc_magas · August 16, 2021, 10:21pm

In these settings you provided, is the ^ASTERISK_IP^ is the vlan's IP range (the one that dsl0.837 retrieves from)?

Also, how I can use dns resolution for a specific address via using the dsl0.837 as well the address that I want to be resolved via this network interface is the ngn.hol.net one.

vgaetera · August 16, 2021, 10:43pm

I assumed that Asterisk is running on a separate host inside your LAN.
So that is supposed to be its IP in CIDR notation.

There are a couple of methods to use custom DNS for specific domains/clients:

pc_magas · August 16, 2021, 10:51pm

Note:

I am not running asterisk, VOIP is offered by the ISP in a sepoerate VLAN.
I want to connect a softphone to ISP's VOIP servers using that specific VLAN.

What I have is credentials and a connection domain and I want any connection from softphone/device such as https://www.ebay.com/itm/332802056514 to use the VLAN 837 from my LAN.

Both Vlans 835 and 837 are the ones that ISP uses.

vgaetera · August 16, 2021, 11:01pm

Try to resolve that domain using the ISP DNS and post the results.

pc_magas · August 16, 2021, 11:04pm

I try to resolve it but I failed. I have to resolve it via the 837 vlan.

dig @ns0.hol.gr. ngn.hol.net

; <<>> DiG 9.17.13 <<>> @ns0.hol.gr. ngn.hol.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23051
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ngn.hol.net.			IN	A

;; AUTHORITY SECTION:
hol.net.		300	IN	SOA	ns0.hol.gr. hostmaster.hol.gr. 2018022101 28800 7200 604800 86400

;; Query time: 0 msec
;; SERVER: 194.30.220.110#53(ns0.hol.gr.) (UDP)
;; WHEN: Mon Aug 16 23:02:16 UTC 2021
;; MSG SIZE  rcvd: 97

How I can query a dns record via a specific VLAN?

vgaetera · August 16, 2021, 11:08pm

ifstatus voip
nslookup DOMAIN_NAME DNS_IP

pc_magas · August 18, 2021, 5:09pm

I tried that but I failed the request itself has to be performed by the vlan itself. Anythong outside of it will fail.

ifstat shows

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 59,
	"l3_device": "dsl0.837",
	"proto": "dhcp",
	"device": "dsl0.837",
	"updated": [
		"addresses",
		"routes",
		"data"
	],
	"ip4table": 2,
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "10.222.62.213",
			"mask": 19
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "10.13.36.128",
			"mask": 28,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "10.14.35.128",
			"mask": 28,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "10.16.36.128",
			"mask": 28,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "10.120.25.48",
			"mask": 28,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "10.120.65.0",
			"mask": 28,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "10.120.28.64",
			"mask": 27,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "10.120.58.0",
			"mask": 27,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "62.38.82.0",
			"mask": 24,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "62.38.85.0",
			"mask": 24,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "62.38.86.0",
			"mask": 24,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "62.38.87.0",
			"mask": 24,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "62.38.88.0",
			"mask": 24,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "10.120.60.0",
			"mask": 23,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		}
	],
	"dns-server": [
		"62.38.86.40",
		"62.38.86.50"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			{
				"target": "0.0.0.0",
				"mask": 0,
				"nexthop": "10.222.32.1",
				"source": "10.222.62.213/32"
			}
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"leasetime": 86400
	}
}

And nslookup shows:

nslookup ngn.hol.net 62.38.86.40
;; connection timed out; no servers could be reached

Is there a way to tell nslookup to use specific network connection?

I also did the following:

ip route add 62.38.86.40/32 via 10.222.62.213
ip route add 62.38.86.50/32 via 10.222.62.213

Then I performed yet another nslookup and failed as well:

nslookup ngn.hol.net 62.38.86.40
Server:		62.38.86.40
Address:	62.38.86.40:53

*** Can't find ngn.hol.net: No answer

*** Can't find ngn.hol.net: No answer

Also tried:

nslookup ngn.hol.net 62.38.86.50
Server:		62.38.86.50
Address:	62.38.86.50:53

*** Can't find ngn.hol.net: No answer

*** Can't find ngn.hol.net: No answer

vgaetera · August 18, 2021, 5:32pm

Probably it needs to query subdomains, so set up selective forwarding and logging:

pc_magas · August 19, 2021, 6:57pm

Also I tried to resolve google's domain as well using the offered domain and did not work either:

nslookup google.com 62.38.86.50
Server:		62.38.86.50
Address:	62.38.86.50:53

** server can't find google.com: REFUSED

** server can't find google.com: REFUSED

Whilst without dns servers works like a charm:

nslookup google.com
Server:		127.0.0.1
Address:	127.0.0.1:53

Non-authoritative answer:
Name:	google.com
Address: 216.58.214.142

Non-authoritative answer:
Name:	google.com
Address: 2a00:1450:4017:803::200e

pc_magas · August 19, 2021, 7:04pm

Also does dns queries being logged via dns mas if happen via nslookup at external 3rd party dns server?

vgaetera · August 19, 2021, 7:30pm

Use custom routing tables and replace static routes with the rules:

uci -q delete network.voip.defaultroute
uci set network.lan.ip4table="1"
uci set network.voip.ip4table="2"
uci -q delete network.voip_dns
uci set network.voip_dns="rule"
uci set network.voip_dns.in="lan"
uci set network.voip_dns.dest="62.38.86.0/24"
uci set network.voip_dns.lookup="2"
uci set network.voip_dns.priority="30000"
uci commit network
/etc/init.d/network restart

Dnsmasq only logs queries to itself unless you enable DNS hijacking:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

pc_magas · August 31, 2021, 12:55pm

What is the purproce of this command?
Actually, I try to find the rationale behind the commands as well. Can you explain the logic to me?

vgaetera · August 31, 2021, 7:22pm

It makes possible to selectively lookup the VoIP-specific routing table.
Then the respective default gateway should make the routing decision.

You may also need to install the relevant nathelper modules:
[SOLVED] Incoming calls not reaching hosts on the network - #2 by vgaetera

pc_magas · September 7, 2021, 3:24pm

I meant the reason why we select tables. What's the logic behind routing tables. I've looked upon https://openwrt.org/docs/guide-user/network/ip_rules and I fail to understand the rationale behind your settings.

I am looking more like the philosophy behind each line of configuration.