DNS issue with OpenWRT powered AP

I have the following setup for my home internet.
1x Xiaomi AX6S AX3200 as Router.
2x Xiaomi RB06 AX6000 as AP.
1x OrangePI 3 LTS running DietPI.

I am able to run opkg update just fine on all devices above when using the router's default DNS. The issue starts when I try to configure/force the DNS to use the PiHole that is running on DietPI. I can run opkg update just fine on the router, but not on the AP. The changes that I have made are as follows:

  1. Login to the router. Go to Network > Interfaces > lan > Click on the Edit button. Go to DHCP server > Advanced Settings tab > Go to DHCP-Options and enter “6,PiHole IP address”.

  2. Edit /etc/config/firewall to force the traffic to go to the Pi-Hole DNS server as per the screenshot attached.

The error that I am getting is as follows:

Executing package manager

opkg update 
Downloading https://downloads.openwrt.org/releases/24.10.4/targets/mediatek/filogic/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.4/targets/mediatek/filogic/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.4/packages/aarch64_cortex-a53/base/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.4/packages/aarch64_cortex-a53/base/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.4/targets/mediatek/filogic/kmods/6.6.110-1-6a9e125268c43e0bae8cecb014c8ab03/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.4/targets/mediatek/filogic/kmods/6.6.110-1-6a9e125268c43e0bae8cecb014c8ab03/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.4/packages/aarch64_cortex-a53/luci/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.4/packages/aarch64_cortex-a53/luci/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.4/packages/aarch64_cortex-a53/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.4/packages/aarch64_cortex-a53/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.4/packages/aarch64_cortex-a53/routing/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.4/packages/aarch64_cortex-a53/routing/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.4/packages/aarch64_cortex-a53/telephony/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.4/packages/aarch64_cortex-a53/telephony/Packages.gz
Errors
Failed to send request: Operation not permitted
Failed to send request: Operation not permitted
Failed to send request: Operation not permitted
Failed to send request: Operation not permitted
Failed to send request: Operation not permitted
Failed to send request: Operation not permitted
Failed to send request: Operation not permitted
Collected errors:
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.4/targets/mediatek/filogic/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.4/packages/aarch64_cortex-a53/base/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.4/targets/mediatek/filogic/kmods/6.6.110-1-6a9e125268c43e0bae8cecb014c8ab03/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.4/packages/aarch64_cortex-a53/luci/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.4/packages/aarch64_cortex-a53/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.4/packages/aarch64_cortex-a53/routing/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.4/packages/aarch64_cortex-a53/telephony/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

The opkg update command failed with code 7.

delete the rule, and everything works?

do you have a default gw and DNS IP (whichever) set on the AP?

You need TWO rules - one for IP4 other for IP6.
and exclude pihole's IPs from forcing.

config redirect 'dns_int4'
        option name 'Intercept-DNS4'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option family 'ipv4'
        option target 'DNAT'
        option enabled '0'

config redirect 'dns_int6'
        option name 'Intercept-DNS6'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option family 'ipv6'
        option target 'DNAT'
        option enabled '0'

@frollic, if I remove the PiHole related configuration everything will work as normal again. One thing that I forgot to mention: the AP is using a DHCP client, I did not set a static IP.

for the AP itself you don't need any DNS catching, it'll honor the 6 option in DHCP.

you're not by any chance creating a DNS loop, because of missing
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns#dns_redirection ?
or is it only the AP itself that got DNS issues?

There are IoTs and android TVs using fixed upstreams, you need that interception to be in control.

I know, but that's not what I'm trying to say...

@frollic, only the AP is having this issue. The router can run the command just fine.

I mean clients of AP, not main router.

post your AP's /etc/config/network and /etc/config/firewall.

I'm surprised you have not asked why are they running opkg update

/etc/config/network

root@RB06:~# vi /etc/config/network
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2c:eee9:ae5d::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option macaddr 'XX:XX:XX:XX:CB:49'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

config device
        option name 'wan'
        option macaddr 'XX:XX:XX:XX:d8:48'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option name 'lan4'
        option macaddr 'XX:XX:XX:XX:CB:4D'

config device
        option name 'lan3'
        option macaddr 'XX:XX:XX:XX:CB:4C'

config device
        option name 'lan2'
        option macaddr 'XX:XX:XX:XX:CB:4B'

/etc/config/firewall.

root@RB06:~# vi /etc/config/firewall
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

provide the below, too

ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

+

nslookup downloads.openwrt.org

root@RB06:~# ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
lrwxrwxrwx 1 root root 16 Oct 20 00:37 /etc/resolv.conf -> /tmp/resolv.conf
lrwxrwxrwx 1 root root 35 Nov 18 11:03 /tmp/resolv.conf -> /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r-- 1 root root 50 Nov 18 11:03 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r-- 1 root root 50 Nov 18 11:03 resolv.conf.auto
==> /etc/resolv.conf <==

Interface lan

nameserver 192.168.1.4
search lan

==> /tmp/resolv.conf <==

Interface lan

nameserver 192.168.1.4
search lan

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==

Interface lan

nameserver 192.168.1.4
search lan
root@RB06:~#

root@RB06:~# nslookup downloads.openwrt.org
nslookup: write to '127.0.0.1': Connection refused
;; connection timed out; no servers could be reached

you've told your AP to use localhost as default DNS.

The AP is set as a DHCP client. Does that mean that if we are using PiHole as the DNS server, I need to set a static IP for the AP?

the DNS IP from the DHCP is there, you override it in your settings.

@frollic, is there a way for me to check that setting from LuCI? Is it on DHCP and DNS > Filter?

I'm guessing

but you could reset, and configure your AP to be a DHCP client again.

I think it might be this:

If DNSMasq is running (and usually it is), make sure you disable 'localuse'.

If DNSMasq localuse is enabled, it will rewrite /etc/resolv.conf to use 127.0.0.1 (meaning using DNSMasq).

Of course, you can add the main router as upstream resolver in DNSMasq, which also should do the trick.
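The two things the replies point at (frollic's note that interception needs an IPv4 and an IPv6 rule with the Pi-hole excluded, and egc's note that a resolv.conf pointing at 127.0.0.1 is only useful while a local resolver is actually running) can both be checked offline. The script below is an added example, not code from this thread or from OpenWrt: it parses the UCI text format shown above and resolv.conf. The address 192.168.1.4 is taken from the AP's resolv.conf in the thread and is assumed to be the Pi-hole; the "corrected" firewall text is constructed; and the use of a leading `!` in `src_ip` to negate a match is an assumption about fw4 syntax, labelled as such in the code.

```python
# Added example (not from the thread or OpenWrt): offline linter for DNS-intercept
# redirects and resolv.conf. Assumptions: 192.168.1.4 is the Pi-hole (address taken
# from the AP's resolv.conf above); a leading '!' in src_ip negates the match (fw4
# syntax as assumed here); FW_GOOD and RESOLV_LOOPBACK are constructed inputs.
import re
from typing import Dict, List

_TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def parse_uci(text: str) -> List[Dict]:
    """Parse UCI 'config/option/list' lines into section dicts ('.type', '.name', options)."""
    sections: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = [tok.strip("'\"") for tok in _TOKEN.findall(line)]
        keyword, rest = parts[0], parts[1:]
        if keyword == 'config' and rest:
            sections.append({'.type': rest[0], '.name': rest[1] if len(rest) > 1 else None})
        elif keyword == 'option' and sections and rest:
            sections[-1][rest[0]] = rest[1] if len(rest) > 1 else ''
        elif keyword == 'list' and sections and rest:
            sections[-1].setdefault(rest[0], []).append(rest[1] if len(rest) > 1 else '')
    return sections


def check_dns_intercept(firewall_text: str, resolver_ip: str) -> Dict:
    """Evaluate DNS-intercept redirects (src_dport 53, target DNAT) for family coverage
    and for excluding the resolver itself (otherwise its upstream queries loop back)."""
    redirects = [s for s in parse_uci(firewall_text) if s['.type'] == 'redirect'
                 and s.get('src_dport') == '53' and s.get('target') == 'DNAT']
    active = [r for r in redirects if r.get('enabled', '1') != '0']
    families = {r.get('family', 'unspecified') for r in active}
    covered = {'ipv4', 'ipv6'} if 'any' in families else families
    missing = sorted({'ipv4', 'ipv6'} - covered)
    # Assumed fw4 syntax: src_ip '!<addr>' means "every source except <addr>".
    excluded = bool(active) and all(r.get('src_ip', '') == '!' + resolver_ip
                                    for r in active if r.get('family') != 'ipv6')
    findings = []
    if not active:
        findings.append('no enabled DNS-intercept redirect found')
    findings += [f'DNS interception does not cover {fam}' for fam in missing]
    if active and not excluded:
        findings.append(f'resolver {resolver_ip} is not excluded from interception (DNS loop risk)')
    return {'active_rules': len(active), 'missing_families': missing,
            'resolver_excluded': excluded, 'findings': findings}


def check_resolv_conf(resolv_text: str, local_resolver_running: bool) -> Dict:
    """List nameservers and flag a loopback resolver with nothing listening behind it."""
    nameservers = [f[1] for f in (line.split() for line in resolv_text.splitlines())
                   if len(f) >= 2 and f[0] == 'nameserver']
    findings = []
    if not nameservers:
        findings.append('no nameserver configured')
    if any(ns in ('127.0.0.1', '::1') for ns in nameservers) and not local_resolver_running:
        # The symptom seen on the AP: nslookup writes to 127.0.0.1 and gets "Connection refused".
        findings.append('resolv.conf points at loopback but no local resolver is running')
    return {'nameservers': nameservers, 'findings': findings}


# The two redirect stanzas as posted above: both disabled, no exclusion.
FW_DISABLED = """
config redirect 'dns_int4'
        option name 'Intercept-DNS4'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option family 'ipv4'
        option target 'DNAT'
        option enabled '0'

config redirect 'dns_int6'
        option name 'Intercept-DNS6'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option family 'ipv6'
        option target 'DNAT'
        option enabled '0'
"""
# Constructed: both rules enabled, Pi-hole excluded as source and used as DNAT target.
FW_GOOD = FW_DISABLED.replace("option enabled '0'", "option enabled '1'").replace(
    "option family 'ipv4'",
    "option family 'ipv4'\n        option src_ip '!192.168.1.4'\n        option dest_ip '192.168.1.4'")
RESOLV_AP = "Interface lan\nnameserver 192.168.1.4\nsearch lan\n"   # as shown for the AP above
RESOLV_LOOPBACK = "nameserver 127.0.0.1\nsearch lan\n"               # constructed

if __name__ == '__main__':
    for label, fw in (('as posted', FW_DISABLED), ('corrected', FW_GOOD)):
        print(label, check_dns_intercept(fw, '192.168.1.4'))
    print('AP resolv.conf', check_resolv_conf(RESOLV_AP, local_resolver_running=False))
    print('loopback, dnsmasq off', check_resolv_conf(RESOLV_LOOPBACK, local_resolver_running=False))
```

Run it against a copy of `/etc/config/firewall` and `/etc/resolv.conf` pulled from the AP; the "as posted" stanzas report no active interception and no exclusion, while the constructed corrected version reports nothing. The resolv.conf check is the quick way to tell whether the AP has ended up on 127.0.0.1 with no dnsmasq behind it, which is exactly the "Connection refused" the nslookup output above shows.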

@egc, DNSMasq and the firewall are disabled on the AP. They are just dumb APs.