DNS resolving not working

Ahoy friends.
Currently I'm experiencing an issue.
I have set up my router running on a Raspberry Pi 4.
DNS resolving on the OpenWrt device itself works fine, but when I try to resolve FQDNs from LAN-connected devices there is no response at all.
What might be the issue?

Here is a tcpdump of port 53 on the router during the request.
Thanks in advance!

nslookup google.de 172.20.32.3
;; connection timed out; no servers could be reached

22:00:51.831000 ethertype IPv4, IP 172.20.32.253.47214 > 172.20.32.3.53: 22595+ A? google.de. (27)
22:00:51.831000 IP 172.20.32.253.47214 > 172.20.32.3.53: 22595+ A? google.de. (27)
22:00:56.831082 ethertype IPv4, IP 172.20.32.253.47214 > 172.20.32.3.53: 22595+ A? google.de. (27)
22:00:56.831082 IP 172.20.32.253.47214 > 172.20.32.3.53: 22595+ A? google.de. (27)
22:01:08.130747 ethertype IPv4, IP 172.20.32.253.51760 > 172.20.32.3.53: 5695+ A? google.de. (27)
22:01:08.130747 IP 172.20.32.253.51760 > 172.20.32.3.53: 5695+ A? google.de. (27)
22:01:13.127303 ethertype IPv4, IP 172.20.32.253.51760 > 172.20.32.3.53: 5695+ A? google.de. (27)
22:01:13.127303 IP 172.20.32.253.51760 > 172.20.32.3.53: 5695+ A? google.de. (27)
22:01:18.127340 ethertype IPv4, IP 172.20.32.253.51760 > 172.20.32.3.53: 5695+ A? google.de. (27)
22:01:18.127340 IP 172.20.32.253.51760 > 172.20.32.3.53: 5695+ A? google.de. (27)

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

# Diagnostic dump for an OpenWrt support thread; every command only reads state.
# The uci exports print the configuration verbatim, which may include passwords
# and private keys -- redact those, MAC addresses and public IPs before posting.
# Hardware model and firmware release.
ubus call system board
# Full network, DHCP/DNS and firewall configuration.
uci export network
uci export dhcp
uci export firewall
# Custom firewall script; "head -n -0" prints the file in full.
head -n -0 /etc/firewall.user
# IPv4 addresses, routes from all tables, and policy-routing rules.
ip -4 addr
ip -4 ro li tab all
ip -4 ru
# Resolver files: listing (shows symlink targets) first, then their contents.
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Thanks a lot :slight_smile:

That's the whole block.

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
	"kernel": "5.4.150",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi 4 Model B Rev 1.2",
	"board_name": "raspberrypi,4-model-b",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02-SNAPSHOT",
		"revision": "r16306-c43a5921fa",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 21.02-SNAPSHOT r16306-c43a5921fa"
	}
}
package network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fdfb:9584:eb33::/48'
	option packet_steering '1'

config interface 'Management'
	option proto 'static'
	option delegate '0'
	option netmask '255.255.224.0'
	option stp '1'
	option device 'eth0.110'
	option ipaddr '172.20.32.3'

config interface 'Lab'
	option stp '1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ipaddr '192.168.2.3'
	option device 'eth0.2'

config interface 'VMs'
	option proto 'static'
	option stp '1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option device 'eth0.200'
	option ipaddr '192.168.200.3'

config interface 'Guest'
	option proto 'static'
	option netmask '255.255.224.0'
	option ip6assign '64'
	option device 'eth0.320'
	option ipaddr '172.20.192.3'

config interface 'CCTV'
	option proto 'static'
	option netmask '255.255.224.0'
	option delegate '0'
	option device 'eth0.340'
	option ipaddr '172.20.224.3'

config interface 'trusted'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option device 'eth0.3'
	option ipaddr '192.168.3.3'

config interface 'OSPF'
	option proto 'static'
	option ip6assign '64'
	option ipaddr '192.168.252.1'
	option netmask '255.255.255.0'
	option device 'eth0.360'
	option auto '0'

config interface 'loop'
	option proto 'static'
	list ipaddr '10.10.10.10/32'
	option device 'lo'

config interface 'wan'
	option device 'eth0.2100'
	option proto 'static'
	option ipaddr '192.168.178.3'
	option netmask '255.255.255.0'
	option gateway '192.168.178.1'
	list dns '192.168.178.1'
	option metric '1'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option metric '1'
	option reqprefix '56'
	option device 'eth0.2100'
	option auto '0'

config interface 'wanb'
	option device 'eth0.1100'
	option proto 'static'
	option ipaddr '192.168.154.3'
	option netmask '255.255.255.0'
	option gateway '192.168.154.1'
	list dns '192.168.154.1'
	option metric '2'

config interface 'wanb6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option metric '2'
	option device 'eth0.1100'
	option reqprefix '48'
	option auto '0'


package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option confdir '/tmp/dnsmasq.d'
	option sequential_ip '1'
	list server '127.0.0.1#5054'
	list server '127.0.0.1#5053'
	option noresolv '1'
	option doh_backup_noresolv '-1'
	list doh_backup_server '127.0.0.1#5054'
	list doh_backup_server '127.0.0.1#5053'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'trusted'
	option interface 'trusted'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	option dhcpv6 'server'
	option ra_default '1'
	option ra_management '1'
	option start '155'
	option force '1'
	list dhcp_option '3,192.168.3.1'
	list dhcp_option '6,192.168.3.1'

config dhcp 'VMs'
	option interface 'VMs'
	option limit '150'
	option leasetime '12h'
	option start '25'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'
	option ra_default '1'
	option force '1'
	list dhcp_option '3,192.168.200.1'
	list dhcp_option '6,192.168.200.1'

config dhcp 'Lab'
	option interface 'Lab'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'
	option start '25'
	option force '1'
	list dhcp_option '3,192.168.2.1'
	list dhcp_option '6,192.168.2.1'

config dhcp 'Guest'
	option interface 'Guest'
	option limit '150'
	option leasetime '12h'
	option start '25'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'
	option ra_maxinterval '600'
	option ra_mininterval '200'
	option ra_lifetime '1800'
	option ra_default '1'
	option force '1'
	list dhcp_option '3,172.20.192.1'
	list dhcp_option '6,172.20.192.1'

config dhcp 'CCTV'
	option interface 'CCTV'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'
	option force '1'
	list dhcp_option '3,172.20.224.1'
	list dhcp_option '6,172.20.224.1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'wanb'
	option interface 'wanb'
	option ignore '1'
	option ra 'relay'
	option dhcpv6 'relay'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list ra_flags 'none'

config dhcp 'OSPF'
	option interface 'OSPF'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'
	option start '2'
	option limit '150'
	option leasetime '12h'
	option ra_default '1'
	option force '1'

config domain
	option ip '192.168.178.1'
	option name 'fritz'

config domain
	option name 'syslog'
	option ip '172.20.32.45'

config domain
	option name 'wireguard-alternative'
	option ip '192.168.165.3'

config domain
	option ip 'fd48:48:48:48::2'
	option name 'wireguard-alternative'

config domain
	option name 'millenium-fbe48'
	option ip '172.20.32.20'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'
	list network 'VMs'
	list network 'Storage'
	list network 'Management'
	list network 'CCTV'
	list network 'trusted_main'
	list network 'trusted'
	list network 'OSPF'
	list network 'Hub'
	list network 'bond0'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wanb'
	list network 'wanb6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone 'guest'
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'
	list network 'Guest'
	list network 'Hub'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option family 'ipv4'
	option proto 'udp'
	option target 'ACCEPT'

config zone 'lab'
	option name 'lab'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lab'
	list network 'Lab'

config forwarding 'lab_wan'
	option src 'lab'
	option dest 'wan'

config rule 'lab_dns'
	option name 'Allow-DNS-lab'
	option src 'lab'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'lab_dhcp'
	option name 'Allow-DHCP-lab'
	option src 'lab'
	option dest_port '67'
	option family 'ipv4'
	option proto 'udp'
	option target 'ACCEPT'

config zone 'cctv'
	option name 'cctv'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'cctv'

config forwarding 'cctv_wan'
	option src 'cctv'
	option dest 'wan'

config rule 'cctv_dns'
	option name 'Allow-DNS-cctv'
	option src 'cctv'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'cctv_dhcp'
	option name 'Allow-DHCP-cctv'
	option src 'cctv'
	option dest_port '67'
	option family 'ipv4'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option name 'Teamspeak (Default)'
	list proto 'udp'
	option src 'wan'
	option dest 'lan'
	option src_dport '9987'
	option dest_port '9987'
	option dest_ip '192.168.200.31'

config redirect
	option target 'DNAT'
	option name 'Teamspeak (Filetransfer)'
	list proto 'tcp'
	option src 'wan'
	option src_dport '30033'
	option dest 'lan'
	option dest_port '30033'
	option dest_ip '192.168.200.31'

config redirect
	option target 'DNAT'
	option name 'Teamspeak (Serverquery)'
	list proto 'tcp'
	option src 'wan'
	option src_dport '10011'
	option dest 'lan'
	option dest_port '10011'
	option dest_ip '192.168.200.31'

config redirect
	option target 'DNAT'
	option name 'Teamspeak (DNS)'
	list proto 'tcp'
	option src 'wan'
	option src_dport '41144'
	option dest 'lan'
	option dest_port '41144'
	option dest_ip '192.168.200.31'

config redirect
	option target 'DNAT'
	option name 'FreeNAS'
	list proto 'tcp'
	option src 'wan'
	option src_dport '2343'
	option dest 'lan'
	option dest_port '2343'
	option dest_ip '192.168.200.79'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'HTTP'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_port '80'
	option dest_ip '192.168.200.113'

config redirect
	option target 'DNAT'
	option name 'HTTPS'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_port '443'
	option dest_ip '192.168.200.113'

config redirect
	option target 'DNAT'
	option name 'Minecraft'
	list proto 'tcp'
	option src 'wan'
	option src_dport '25565'
	option dest 'lan'
	option dest_port '25565'
	option dest_ip '192.168.200.136'

config redirect
	option target 'DNAT'
	option name 'OpenVPN'
	list proto 'udp'
	option src 'wan'
	option src_dport '1194'
	option dest 'lan'
	option dest_port '1194'
	option dest_ip '192.168.200.147'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'Minecraft (Lyxx)'
	list proto 'tcp'
	option src 'wan'
	option src_dport '25566'
	option dest 'lan'
	option dest_port '25566'
	option dest_ip '192.168.200.136'

config redirect
	option target 'DNAT'
	option name 'Minecraft'
	list proto 'tcp'
	option src 'wan'
	option src_dport '25566'
	option dest 'lan'
	option dest_port '25566'
	option dest_ip '192.168.200.60'

config redirect
	option target 'DNAT'
	option name 'MTA Serverport'
	list proto 'udp'
	option src 'wan'
	option src_dport '22003'
	option dest 'lan'
	option dest_ip '192.168.3.54'
	option dest_port '22003'

config redirect
	option target 'DNAT'
	option name 'MTA HTTP'
	list proto 'tcp'
	option src 'wan'
	option src_dport '22005'
	option dest 'lan'
	option dest_ip '192.168.3.54'
	option dest_port '22005'

config redirect
	option target 'DNAT'
	option name 'MTA Serverlist'
	list proto 'udp'
	option src 'wan'
	option src_dport '22126'
	option dest 'lan'
	option dest_ip '192.168.3.54'
	option dest_port '22126'

config redirect
	option target 'DNAT'
	option name 'SA-MP (Server Test)'
	option src 'wan'
	option src_dport '7780'
	option dest 'lan'
	option dest_ip '192.168.3.84'
	option dest_port '7780'

config redirect
	option target 'DNAT'
	option name 'Olympia (SSH)'
	list proto 'tcp'
	option src 'wan'
	option src_dport '31006'
	option dest 'lan'
	option dest_ip '192.168.200.56'
	option dest_port '31006'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'Olympia (Minecraft)'
	list proto 'tcp'
	option src 'wan'
	option src_dport '31007'
	option dest 'lan'
	option dest_port '31007'
	option dest_ip '172.20.64.135'

config redirect
	option target 'DNAT'
	option name 'Olympia (Varo)'
	list proto 'tcp'
	option src 'wan'
	option src_dport '31008'
	option dest 'lan'
	option dest_port '31008'
	option dest_ip '172.20.64.135'

config redirect
	option target 'DNAT'
	option name 'Minecraft ATM3 (Olympia)'
	list proto 'tcp'
	option src 'wan'
	option src_dport '25568'
	option dest 'lan'
	option dest_port '25568'
	option dest_ip '192.168.200.136'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config redirect
	option target 'DNAT'
	list proto 'tcp'
	option src 'wan'
	option src_dport '25569'
	option dest 'lan'
	option dest_port '25569'
	option name 'Minecraft (ATM6)'
	option dest_ip '192.168.200.32'

config rule
	option name 'Hurricane Electric'
	option family 'ipv4'
	option src 'wan'
	option target 'ACCEPT'
	list src_ip '216.66.80.30'

config rule
	option name 'Allow-protocol-59'
	option src 'wan'
	option proto '59'
	option target 'ACCEPT'
	option extra '-m length --length 40'

config rule
	option name 'Allow-protocol-41'
	option src 'wan'
	option proto '41'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option name 'Minecraft (Modded)'
	list proto 'tcp'
	option src 'wan'
	option src_dport '25570'
	option dest 'lan'
	option dest_port '25570'
	option dest_ip '192.168.200.136'

config redirect
	option target 'DNAT'
	option name 'Wireguard'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest 'lan'
	option dest_ip '192.168.252.58'
	option dest_port '51820'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'GTA Online'
	list proto 'udp'
	option src 'wan'
	option src_dport '6672'
	option dest 'lan'
	option dest_ip '192.168.3.166'
	option dest_port '6672'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'GTA Online'
	list proto 'udp'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.3.166'
	option src_dport '61455-61458'
	option dest_port '61455-61458'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'Jerrez (ARK)'
	option src 'wan'
	option src_dport '61009'
	option dest 'lan'
	option dest_port '61009'
	option dest_ip '192.168.200.30'

config redirect
	option target 'DNAT'
	option name 'Ark'
	list proto 'tcp'
	option src 'wan'
	option src_dport '25147'
	option dest 'lan'
	option dest_port '25147'
	option dest_ip '192.168.200.30'

config redirect
	option target 'DNAT'
	option name 'Ark'
	list proto 'tcp'
	option src 'wan'
	option src_dport '27015-27030'
	option dest 'lan'
	option dest_port '27015-27030'
	option dest_ip '192.168.200.30'

config redirect
	option target 'DNAT'
	option name 'Ark'
	list proto 'tcp'
	option src 'wan'
	option src_dport '27036-27037'
	option dest 'lan'
	option dest_port '27036-27037'
	option dest_ip '192.168.200.30'

config redirect
	option target 'DNAT'
	option name 'Ark'
	list proto 'udp'
	option src 'wan'
	option src_dport '4380'
	option dest 'lan'
	option dest_port '4380'
	option dest_ip '192.168.200.30'

config redirect
	option target 'DNAT'
	option name 'Ark'
	list proto 'udp'
	option src 'wan'
	option src_dport '7777-7778'
	option dest 'lan'
	option dest_port '7777-7778'
	option dest_ip '192.168.200.30'

config redirect
	option target 'DNAT'
	option name 'Ark'
	list proto 'udp'
	option src 'wan'
	option src_dport '25147'
	option dest 'lan'
	option dest_port '25147'
	option dest_ip '192.168.200.30'

config redirect
	option target 'DNAT'
	option name 'Ark'
	list proto 'udp'
	option src 'wan'
	option src_dport '27000-27031'
	option dest 'lan'
	option dest_port '27000-27031'
	option dest_ip '192.168.200.30'

config redirect
	option target 'DNAT'
	option name 'Ark'
	list proto 'udp'
	option src 'wan'
	option src_dport '27036'
	option dest 'lan'
	option dest_port '27036'
	option dest_ip '192.168.200.30'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option name 'Jerrez (Cockpit)'
	list proto 'tcp'
	option src 'wan'
	option src_dport '61010'
	option dest 'lan'
	option dest_port '9090'
	option dest_ip '192.168.200.30'

config redirect
	option target 'DNAT'
	option name 'Ark (RCON)'
	option src 'wan'
	option src_dport '32330'
	option dest 'lan'
	option dest_port '32330'
	option dest_ip '192.168.200.30'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config redirect
	option target 'DNAT'
	option name 'Minecraft (Debian)'
	list proto 'tcp'
	option src 'wan'
	option src_dport '25571'
	option dest 'lan'
	option dest_ip '192.168.3.166'
	option dest_port '25571'

config redirect
	option target 'DNAT'
	option name 'Minecraft-Alt'
	list proto 'tcp'
	option src 'wan'
	option src_dport '31010'
	option dest 'lan'
	option dest_ip '192.168.200.32'
	option dest_port '22'

config redirect
	option target 'DNAT'
	option name 'Minecraft-Alt (Apache2)'
	list proto 'tcp'
	option src 'wan'
	option src_dport '31011'
	option dest 'lan'
	option dest_ip '192.168.200.32'
	option dest_port '80'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-OpenVPN-Alt'
	list proto 'udp'
	option src 'wan'
	option dest_port '1195'
	option target 'ACCEPT'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 10.10.10.10/32 brd 255.255.255.255 scope global lo
       valid_lft forever preferred_lft forever
10: eth0.340@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.20.224.3/19 brd 172.20.255.255 scope global eth0.340
       valid_lft forever preferred_lft forever
11: eth0.320@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.20.192.3/19 brd 172.20.223.255 scope global eth0.320
       valid_lft forever preferred_lft forever
12: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.3/24 brd 192.168.2.255 scope global eth0.2
       valid_lft forever preferred_lft forever
13: eth0.110@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.20.32.3/19 brd 172.20.63.255 scope global eth0.110
       valid_lft forever preferred_lft forever
14: eth0.200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.200.3/24 brd 192.168.200.255 scope global eth0.200
       valid_lft forever preferred_lft forever
15: eth0.3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.3.3/24 brd 192.168.3.255 scope global eth0.3
       valid_lft forever preferred_lft forever
16: eth0.2100@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.178.3/24 brd 192.168.178.255 scope global eth0.2100
       valid_lft forever preferred_lft forever
17: eth0.1100@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.154.3/24 brd 192.168.154.255 scope global eth0.1100
       valid_lft forever preferred_lft forever
18: Hub: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.0.0.1/24 brd 10.0.0.255 scope global Hub
       valid_lft forever preferred_lft forever
default via 192.168.178.1 dev eth0.2100 table 1 proto static metric 1 
10.0.0.0/24 dev Hub table 1 proto kernel scope link src 10.0.0.1 
172.20.32.0/19 dev eth0.110 table 1 proto kernel scope link src 172.20.32.3 
172.20.192.0/19 dev eth0.320 table 1 proto kernel scope link src 172.20.192.3 
172.20.224.0/19 dev eth0.340 table 1 proto kernel scope link src 172.20.224.3 
192.168.2.0/24 dev eth0.2 table 1 proto kernel scope link src 192.168.2.3 
192.168.3.0/24 dev eth0.3 table 1 proto kernel scope link src 192.168.3.3 
192.168.178.0/24 dev eth0.2100 table 1 proto static scope link metric 1 
192.168.200.0/24 dev eth0.200 table 1 proto kernel scope link src 192.168.200.3 
default via 192.168.154.1 dev eth0.1100 table 3 proto static metric 2 
10.0.0.0/24 dev Hub table 3 proto kernel scope link src 10.0.0.1 
172.20.32.0/19 dev eth0.110 table 3 proto kernel scope link src 172.20.32.3 
172.20.192.0/19 dev eth0.320 table 3 proto kernel scope link src 172.20.192.3 
172.20.224.0/19 dev eth0.340 table 3 proto kernel scope link src 172.20.224.3 
192.168.2.0/24 dev eth0.2 table 3 proto kernel scope link src 192.168.2.3 
192.168.3.0/24 dev eth0.3 table 3 proto kernel scope link src 192.168.3.3 
192.168.154.0/24 dev eth0.1100 table 3 proto static scope link metric 2 
192.168.200.0/24 dev eth0.200 table 3 proto kernel scope link src 192.168.200.3 
default via 192.168.178.1 dev eth0.2100 proto static metric 1 
default via 192.168.154.1 dev eth0.1100 proto static metric 2 
10.0.0.0/24 dev Hub proto kernel scope link src 10.0.0.1 
172.20.32.0/19 dev eth0.110 proto kernel scope link src 172.20.32.3 
172.20.192.0/19 dev eth0.320 proto kernel scope link src 172.20.192.3 
172.20.224.0/19 dev eth0.340 proto kernel scope link src 172.20.224.3 
192.168.2.0/24 dev eth0.2 proto kernel scope link src 192.168.2.3 
192.168.3.0/24 dev eth0.3 proto kernel scope link src 192.168.3.3 
192.168.154.0/24 dev eth0.1100 proto static scope link metric 2 
192.168.178.0/24 dev eth0.2100 proto static scope link metric 1 
192.168.200.0/24 dev eth0.200 proto kernel scope link src 192.168.200.3 
broadcast 10.0.0.0 dev Hub table local proto kernel scope link src 10.0.0.1 
local 10.0.0.1 dev Hub table local proto kernel scope host src 10.0.0.1 
broadcast 10.0.0.255 dev Hub table local proto kernel scope link src 10.0.0.1 
local 10.10.10.10 dev lo table local proto kernel scope host src 10.10.10.10 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 172.20.32.0 dev eth0.110 table local proto kernel scope link src 172.20.32.3 
local 172.20.32.3 dev eth0.110 table local proto kernel scope host src 172.20.32.3 
broadcast 172.20.63.255 dev eth0.110 table local proto kernel scope link src 172.20.32.3 
broadcast 172.20.192.0 dev eth0.320 table local proto kernel scope link src 172.20.192.3 
local 172.20.192.3 dev eth0.320 table local proto kernel scope host src 172.20.192.3 
broadcast 172.20.223.255 dev eth0.320 table local proto kernel scope link src 172.20.192.3 
broadcast 172.20.224.0 dev eth0.340 table local proto kernel scope link src 172.20.224.3 
local 172.20.224.3 dev eth0.340 table local proto kernel scope host src 172.20.224.3 
broadcast 172.20.255.255 dev eth0.340 table local proto kernel scope link src 172.20.224.3 
broadcast 192.168.2.0 dev eth0.2 table local proto kernel scope link src 192.168.2.3 
local 192.168.2.3 dev eth0.2 table local proto kernel scope host src 192.168.2.3 
broadcast 192.168.2.255 dev eth0.2 table local proto kernel scope link src 192.168.2.3 
broadcast 192.168.3.0 dev eth0.3 table local proto kernel scope link src 192.168.3.3 
local 192.168.3.3 dev eth0.3 table local proto kernel scope host src 192.168.3.3 
broadcast 192.168.3.255 dev eth0.3 table local proto kernel scope link src 192.168.3.3 
broadcast 192.168.154.0 dev eth0.1100 table local proto kernel scope link src 192.168.154.3 
local 192.168.154.3 dev eth0.1100 table local proto kernel scope host src 192.168.154.3 
broadcast 192.168.154.255 dev eth0.1100 table local proto kernel scope link src 192.168.154.3 
broadcast 192.168.178.0 dev eth0.2100 table local proto kernel scope link src 192.168.178.3 
local 192.168.178.3 dev eth0.2100 table local proto kernel scope host src 192.168.178.3 
broadcast 192.168.178.255 dev eth0.2100 table local proto kernel scope link src 192.168.178.3 
broadcast 192.168.200.0 dev eth0.200 table local proto kernel scope link src 192.168.200.3 
local 192.168.200.3 dev eth0.200 table local proto kernel scope host src 192.168.200.3 
broadcast 192.168.200.255 dev eth0.200 table local proto kernel scope link src 192.168.200.3 
0:	from all lookup local
1001:	from all iif eth0.2100 lookup 1
1003:	from all iif eth0.1100 lookup 3
2001:	from all fwmark 0x100/0x3f00 lookup 1
2003:	from all fwmark 0x300/0x3f00 lookup 3
2061:	from all fwmark 0x3d00/0x3f00 blackhole
2062:	from all fwmark 0x3e00/0x3f00 unreachable
3001:	from all fwmark 0x100/0x3f00 unreachable
3003:	from all fwmark 0x300/0x3f00 unreachable
32766:	from all lookup main
32767:	from all lookup default
lrwxrwxrwx    1 root     root            16 Oct 14 14:09 /etc/resolv.conf -> /tmp/resolv.conf
lrwxrwxrwx    1 root     root            35 Nov  5 00:25 /tmp/resolv.conf -> /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r--    1 root     root            83 Nov  5 00:25 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            83 Nov  5 00:25 resolv.conf.auto
==> /etc/resolv.conf <==
# Interface wan
nameserver 192.168.178.1
# Interface wanb
nameserver 192.168.154.1

==> /tmp/resolv.conf <==
# Interface wan
nameserver 192.168.178.1
# Interface wanb
nameserver 192.168.154.1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 192.168.178.1
# Interface wanb
nameserver 192.168.154.1

Does that mean that you are able to resolve something on OpenWrt using the internet routers? Or that a lan host can resolve an internal hostname?

Yes I am able to resolve stuff on the OpenWrt device. But when I try to resolve addresses on the LAN side, using the OpenWrt device as nameserver, it doesn't respond.

Is this true on all of your networks, or just one/some?

You are sending DHCP option 6 on most of your networks specifying the .1 address, but it seems that your router is actually .3 on all of the lan interfaces. Fix one or the other to make sure that it is consistent.

Also, if your DNS server is the same as the router address on each network, you don't need to send option 6 -- just remove those and the default dns will populate as the router's address.


Thanks a lot
This server is acting as a backup router in a VRRP cluster. So I'm specifying the virtual address of the cluster.
But I'm puzzled, because even when the master is down, the backup router won't answer DNS requests. Not even when it is specified as the nameserver in nslookup as shown above, when I tried to query Google.com.
It affects all networks connected to the backup router; the master is configured the same way and works fine.

I will give a little more insight.

Master Router: 172.20.32.2
Backup Router: 172.20.32.3
Virtual IP: 172.20.32.1

Querying 172.20.32.1 --> Works
Querying 172.20.32.2 --> Works
Querying 172.20.32.3 --> Fails (Affected router with the issue)

Switching over to the backup router works fine when the master fails. Connections do not even break, but DNS is dead.

nslookup --> 172.20.32.3 (Backup Router)

nslookup google.de 172.20.32.3
;; connection timed out; no servers could be reached



nslookup --> 172.20.32.2 (Master Router)

nslookup google.de 172.20.32.2
Server:		172.20.32.2
Address:	172.20.32.2#53

Non-authoritative answer:
Name:	google.de
Address: 142.250.179.195
Name:	google.de
Address: 2a00:1450:400e:803::2003

EDIT: Something interesting.

When I run the diagnostics nslookup on the backup:

Server:		192.168.178.1
Address:	192.168.178.1#53

Name:      openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1

And on the master it says the nameserver is 127.0.0.1, not the upstream router.

Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1