Direct traffic from my lan to a specific ISP vlan?

Vodafone Greece uses 2 VLANs:

  1. 835 for Internet, using PPPoE
  2. 837 for VoIP applications. Only Asterisk will consume this interface for outgoing traffic.

I managed to make my router connect to the internet via VDSL with:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'wan'
	option device 'dsl0.835'
	option proto 'pppoe'
	option username '^USERNAME^'
	option password '^PASSWORD^'
	option ipv6 'none'
	option keepalive '10'
	option mtu '1492'

config interface 'voip'
	option device 'dsl0.837'
	option proto 'dhcp'

But I am afraid that all my outgoing traffic from lan does not get redirected to the wan interface. Therefore, I want to force any traffic coming from lan to use the wan interface for outgoing traffic. The wan interface uses PPPoE and a dynamic IP, therefore I cannot know a priori what IP the ISP gives to me.

Do you know how I can achieve this?

uci set network.lan.ip4table="1"
uci set network.voip.ip4table="2"
uci -q delete network.lan_voip
uci set network.lan_voip="rule"
uci set network.lan_voip.in="lan"
uci set network.lan_voip.dest="VOIP_DOMAIN_IP/32"
uci set network.lan_voip.lookup="2"
uci set network.lan_voip.priority="30000"
uci commit network
/etc/init.d/network restart

I tried that and I got the following error:

uci: Parse error (invalid command) at line 53, byte 21

Fix syntax errors in your network config at the reported line number.

Post your full network and firewall configuration files.

I messed up the wan's DNS settings.

In the settings you provided, is ^ASTERISK_IP^ the VLAN's IP range (the one that dsl0.837 retrieves from)?

Also, how can I use DNS resolution for a specific address via dsl0.837 as well? The address that I want to be resolved via this network interface is the ngn.hol.net one.

I assumed that Asterisk is running on a separate host inside your LAN.
So that is supposed to be its IP in CIDR notation.

There are a couple of methods to use custom DNS for specific domains/clients:

Note:

  1. I am not running Asterisk; VoIP is offered by the ISP in a separate VLAN.
  2. I want to connect a softphone to the ISP's VoIP servers using that specific VLAN.

What I have is credentials and a connection domain, and I want any connection from a softphone/device such as https://www.ebay.com/itm/332802056514 to use VLAN 837 from my LAN.

Both VLANs 835 and 837 are the ones that the ISP uses.


Try to resolve that domain using the ISP DNS and post the results.

I tried to resolve it but failed. I have to resolve it via the 837 VLAN.

dig @ns0.hol.gr. ngn.hol.net

; <<>> DiG 9.17.13 <<>> @ns0.hol.gr. ngn.hol.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23051
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ngn.hol.net.			IN	A

;; AUTHORITY SECTION:
hol.net.		300	IN	SOA	ns0.hol.gr. hostmaster.hol.gr. 2018022101 28800 7200 604800 86400

;; Query time: 0 msec
;; SERVER: 194.30.220.110#53(ns0.hol.gr.) (UDP)
;; WHEN: Mon Aug 16 23:02:16 UTC 2021
;; MSG SIZE  rcvd: 97

How can I query a DNS record via a specific VLAN?

ifstatus voip
nslookup DOMAIN_NAME DNS_IP

I tried that but failed; the request itself has to be performed by the VLAN itself. Anything outside of it will fail.

ifstatus shows:

{
	"up": true,
	"pending": false,
	"available": true,
	"autostart": true,
	"dynamic": false,
	"uptime": 59,
	"l3_device": "dsl0.837",
	"proto": "dhcp",
	"device": "dsl0.837",
	"updated": [
		"addresses",
		"routes",
		"data"
	],
	"ip4table": 2,
	"metric": 0,
	"dns_metric": 0,
	"delegation": true,
	"ipv4-address": [
		{
			"address": "10.222.62.213",
			"mask": 19
		}
	],
	"ipv6-address": [
		
	],
	"ipv6-prefix": [
		
	],
	"ipv6-prefix-assignment": [
		
	],
	"route": [
		{
			"target": "10.13.36.128",
			"mask": 28,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "10.14.35.128",
			"mask": 28,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "10.16.36.128",
			"mask": 28,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "10.120.25.48",
			"mask": 28,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "10.120.65.0",
			"mask": 28,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "10.120.28.64",
			"mask": 27,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "10.120.58.0",
			"mask": 27,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "62.38.82.0",
			"mask": 24,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "62.38.85.0",
			"mask": 24,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "62.38.86.0",
			"mask": 24,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "62.38.87.0",
			"mask": 24,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "62.38.88.0",
			"mask": 24,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		},
		{
			"target": "10.120.60.0",
			"mask": 23,
			"nexthop": "10.222.32.1",
			"source": "10.222.62.213/32"
		}
	],
	"dns-server": [
		"62.38.86.40",
		"62.38.86.50"
	],
	"dns-search": [
		
	],
	"neighbors": [
		
	],
	"inactive": {
		"ipv4-address": [
			
		],
		"ipv6-address": [
			
		],
		"route": [
			{
				"target": "0.0.0.0",
				"mask": 0,
				"nexthop": "10.222.32.1",
				"source": "10.222.62.213/32"
			}
		],
		"dns-server": [
			
		],
		"dns-search": [
			
		],
		"neighbors": [
			
		]
	},
	"data": {
		"leasetime": 86400
	}
}

And nslookup shows:

nslookup ngn.hol.net 62.38.86.40
;; connection timed out; no servers could be reached

Is there a way to tell nslookup to use a specific network connection?

I also did the following:

ip route add 62.38.86.40/32 via 10.222.62.213
ip route add 62.38.86.50/32 via 10.222.62.213

Then I performed yet another nslookup, which failed as well:

nslookup ngn.hol.net 62.38.86.40
Server:		62.38.86.40
Address:	62.38.86.40:53

*** Can't find ngn.hol.net: No answer

*** Can't find ngn.hol.net: No answer

Also tried:

nslookup ngn.hol.net 62.38.86.50
Server:		62.38.86.50
Address:	62.38.86.50:53

*** Can't find ngn.hol.net: No answer

*** Can't find ngn.hol.net: No answer


Probably it needs to query subdomains, so set up selective forwarding and logging:

Also, I tried to resolve Google's domain using the offered domain, and it did not work either:

nslookup google.com 62.38.86.50
Server:		62.38.86.50
Address:	62.38.86.50:53

** server can't find google.com: REFUSED

** server can't find google.com: REFUSED

Whilst without DNS servers it works like a charm:

nslookup google.com
Server:		127.0.0.1
Address:	127.0.0.1:53

Non-authoritative answer:
Name:	google.com
Address: 216.58.214.142

Non-authoritative answer:
Name:	google.com
Address: 2a00:1450:4017:803::200e

Also, do DNS queries get logged via dnsmasq if they happen via nslookup at an external 3rd-party DNS server?

Why is this inactive?
Enable the default route and use the custom routing table:

uci set network.lan.ip4table="1"
uci set network.voip.ip4table="2"
uci set network.voip.defaultroute="1"
uci commit network
/etc/init.d/network restart

Replace those custom routes with the rules:

uci -q delete network.voip_dns1
uci set network.voip_dns1="rule"
uci set network.voip_dns1.in="lan"
uci set network.voip_dns1.dest="62.38.86.40/32"
uci set network.voip_dns1.lookup="2"
uci set network.voip_dns1.priority="30000"
uci -q delete network.voip_dns2
uci set network.voip_dns2="rule"
uci set network.voip_dns2.in="lan"
uci set network.voip_dns2.dest="62.38.86.50/32"
uci set network.voip_dns2.lookup="2"
uci set network.voip_dns2.priority="30000"
uci commit network
/etc/init.d/network restart

Dnsmasq only logs queries to itself unless you enable DNS hijacking:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

What is the purpose of this command?
Actually, I try to find the rationale behind the commands as well. Can you explain the logic to me?

It makes it possible to selectively look up the VoIP-specific routing table.
Then the respective default gateway should make the routing decision.

You may also need to install the relevant nathelper modules:
[SOLVED] Incoming calls not reaching hosts on the network - #2 by vgaetera

I meant the reason why we select tables. What's the logic behind routing tables? I've looked at https://openwrt.org/docs/guide-user/network/ip_rules and I fail to understand the rationale behind your settings.

I am looking more for the philosophy behind each line of configuration.
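As an added illustration of the logic asked about above (not code from the thread or from OpenWrt), the following Python model walks the rule-then-table decision the `ip4table`, `rule` and `defaultroute` settings configure. Table 2 carries two of the dsl0.837 prefixes from the ifstatus output and the 10.222.32.1 gateway; table 1 and the next-hop name "pppoe-wan" are placeholders for wherever the PPPoE default route lives, and 203.0.113.10 is a constructed VoIP server address.

```python
import ipaddress

# Constructed model of the policy routing from this thread (not real kernel code).
# Table 2 is the voip (dsl0.837) table: two of the DHCP-learned prefixes from the
# ifstatus output above, gateway 10.222.32.1. Table 1 stands in for the table that
# holds the PPPoE default route; "pppoe-wan" is a placeholder next-hop name.
VOIP_GW = "10.222.32.1"
TABLES = {
    1: [("0.0.0.0/0", "pppoe-wan")],
    2: [("62.38.86.0/24", VOIP_GW), ("10.120.60.0/23", VOIP_GW)],
}
# Rules as the uci commands define them: (priority, in-interface, dest, lookup table);
# the 32766 entry is the kernel's built-in fallback to the main table.
RULES = [
    (30000, "lan", "62.38.86.40/32", 2),
    (30000, "lan", "62.38.86.50/32", 2),
    (32766, None, None, 1),
]

def lookup(table, dst):
    """Longest-prefix match inside one table; None if nothing matches."""
    best = None
    for prefix, nexthop in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def route(iif, dst_str):
    """Walk rules by priority. A matching rule only *selects* a table; if that
    table has no route for dst the kernel moves on to the next rule."""
    dst = ipaddress.ip_address(dst_str)
    for _prio, rule_iif, rule_dst, table in sorted(RULES, key=lambda r: r[0]):
        if rule_iif is not None and rule_iif != iif:
            continue
        if rule_dst is not None and dst not in ipaddress.ip_network(rule_dst):
            continue
        nexthop = lookup(table, dst)
        if nexthop is not None:
            return table, nexthop
    return None, None

def add_lan_rule(dest, table=2, priority=30000):
    """Same shape as the voip_dns1/voip_dns2 rules, for another destination."""
    RULES.append((priority, "lan", dest, table))

def enable_voip_default_route():
    """Effect of uci set network.voip.defaultroute="1": the route ifstatus
    showed under "inactive" becomes part of table 2."""
    TABLES[2].append(("0.0.0.0/0", VOIP_GW))
```

Without the default route in table 2, a rule pointing a destination outside the DHCP-learned prefixes at table 2 finds nothing there and the packet falls through to the WAN; enabling it is what lets the VoIP gateway take the decision.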