Do not use ISP DNS Servers

If i understand correctly your could do something like this: If your main router (TP link modem) supports static routes you could connect LAN port of Modem to WAN port of TP Link C6, enable firewall on Archer C6, disable masquerading and intercept DNS request there. There is no double NAT-ing.

I do this for many networks i administrate. You need to intercept DNS request and send them to desired servers. You also need a DNAT rule to rewrite source IP address for client that do not want to use your advertised DNS servers. You can even block port 853 to stop clients using DoH. So your client have to use your DNS. For me it works like a charm. If you need more explaination i could write you some instructions.

Best regards!

1 Like

So there is only one subnet ( and you have DHCP on all 3 routers. You need only one DHCP (and you should have only one) server per subnet.

Can you put your modem in Bridge mode?

You assume that his ISP doesn't give him a unique IP on his wan port. There's plenty who still do, mine included.

He's already using his router as a router so he's already NAT'ing his own network, so it doesn't really matter if he's NAT'ing or double NAT'ing.

You could have just answered "intercept the requests."

Feel free to explain how it's done, when your don't have control over your main router.

Thanks for all the replies!

When I initially set up this infrastructure, for some reason I thought it was a good idea to have everything on one subnet to make it easier for local routing and accessing my ISP router's configuration page. Seems like there were quite a few issues with my setup...

I now configured the OpenWrt routers to be on a different subnet and I connected the upstream router via WAN which now allows me to ignore upstream DNS servers.
On the ISP router I still have my DNS server set to OpenWrt, so I can still resolve local domains even when connected (by wire) to my ISP router. This might not be the most elegant solution, but it works for me!

Thanks again everybody for helping me out and eventually pointing me in the right direction :grinning:

this shouldn't work, unless you've punched a hole in the firewall of the main openwrt router.

Hmm for some reason it is working.

I actually reinstalled OpenWrt today, so all firewall settings are untouched.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.