Exclude local DNSCRYPT server from DNS interception firewall rules

Hi, my environment is:

OpenWrt 22.03.05 installed on a Linksys EA8300. The ISP router is connected to the WAN port of my OpenWrt device and configured as default gateway.

IPs:
OpenWrt - 10.11.12.1
LAN net - 10.11.12.0/24
GUEST net - 10.11.13.0/24
IPv4 Gateway 192.168.178.1
IP address on WAN net: 192.168.178.20

Problem:

I'm running a dnscrypt server on OpenWrt; all that works fine. Now I found this wiki article and I'd like to set up the recommendations for DNS interception: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns
Now I'm stuck on the point "DNS forwarding" -> "Set up DNS forwarding to your local DNS server with Dnsmasq. Configure firewall to exclude the local DNS server from the interception rule." with this example snippet:

# Configure firewall
uci set firewall.dns_int.src_mac="!00:11:22:33:44:55"
uci commit firewall
/etc/init.d/firewall restart

My question is: which MAC of which interface is meant here, to exclude my locally running dnscrypt from the interception rule? Is it the MAC of the WAN interface or the LAN interface?

Here's the output of "ip a" on my device:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether XX:XX:XX:06:5a:c6 brd ff:ff:ff:ff:ff:ff permaddr 00:03:7f:ba:db:ad
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    link/ether XX:XX:XX:06:5a:c7 brd ff:ff:ff:ff:ff:ff permaddr 3e:6c:a7:51:03:1c
    inet 192.168.178.20/24 brd 192.168.178.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::26f5:a2ff:fe06:5ac7/64 scope link
       valid_lft forever preferred_lft forever
13: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:06:5a:c6 brd ff:ff:ff:ff:ff:ff
    inet 10.11.12.1/24 brd 10.11.12.255 scope global br-lan
       valid_lft forever preferred_lft forever
14: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:06:5a:c8 brd ff:ff:ff:ff:ff:ff
    inet 10.11.13.1/24 brd 10.11.13.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::26f5:a2ff:fe06:5ac8/64 scope link
       valid_lft forever preferred_lft forever
18: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether XX:XX:XX:06:5a:c8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::26f5:a2ff:fe06:5ac8/64 scope link
       valid_lft forever preferred_lft forever
19: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 26:f5:a2:06:5a:ca brd ff:ff:ff:ff:ff:ff
    inet6 fe80::24f5:a2ff:fe06:5aca/64 scope link
       valid_lft forever preferred_lft forever
20: wlan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether XX:XX:XX:06:5a:c9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::26f5:a2ff:fe06:5ac9/64 scope link
       valid_lft forever preferred_lft forever
21: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 26:f5:a2:06:5a:c8 brd ff:ff:ff:ff:ff:ff permaddr XX:XX:XX:06:5a:c8
    inet6 fe80::24f5:a2ff:fe06:5ac8/64 scope link
       valid_lft forever preferred_lft forever
22: wlan2-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 26:f5:a2:06:5a:c9 brd ff:ff:ff:ff:ff:ff permaddr XX:XX:XX:06:5a:c9
    inet6 fe80::24f5:a2ff:fe06:5ac9/64 scope link
       valid_lft forever preferred_lft forever
27: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 22:f5:a2:06:5a:ca brd ff:ff:ff:ff:ff:ff permaddr 26:f5:a2:06:5a:ca
    inet6 fe80::20f5:a2ff:fe06:5aca/64 scope link
       valid_lft forever preferred_lft forever
34: ifb4eth1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc cake state UNKNOWN group default qlen 32
    link/ether 86:72:f5:f3:18:27 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8472:f5ff:fef3:1827/64 scope link
       valid_lft forever preferred_lft forever

If you run a DNS server on a separate host, that should be its MAC.
Ignore this option if your DNS server is running on the same router.

Oh OK, I see. I thought that would be the router's MAC, because I thought that with this rule:

# Reject forwarded lan -> wan traffic on port 443 to addresses in the "doh4" ipset
uci set firewall.doh4_fwd_lan="rule"
uci set firewall.doh4_fwd_lan.name="Deny-DoH Lan"
uci set firewall.doh4_fwd_lan.src="lan"
uci set firewall.doh4_fwd_lan.dest="wan"
uci set firewall.doh4_fwd_lan.dest_port="443"
uci set firewall.doh4_fwd_lan.proto="tcp udp"
uci set firewall.doh4_fwd_lan.family="ipv4"
uci set firewall.doh4_fwd_lan.ipset="doh4"
uci set firewall.doh4_fwd_lan.target="REJECT"

my local dnscrypt server would not reach the public DNSSEC hosts, because my router is in src "lan" and the public DNSSEC hosts are part of the ipset "doh4", coming from the public git list.

But do I understand correctly that, even when my router is part of the "lan" net, it can reach the IPs blocked by ipset "doh4" without the MAC address exclusion?

That firewall rule only applies to transit traffic.
It doesn't restrict the router's own outgoing traffic.

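To illustrate the point in the reply above, here is an added example (not code from the thread or from OpenWrt): a simplified Python model of how a zone rule such as "Deny-DoH Lan" or the dns_int redirect matches traffic. Zone membership, the doh4 entries and the MAC values are constructed; the dest-zone check is omitted for brevity.

```python
# Added illustration (not OpenWrt code): a simplified model of how fw3/fw4
# zone rules see traffic. A rule with a src zone sits in the forward/input
# path, so it only matches packets that ENTER the router on an interface in
# that zone. Packets the router generates itself (its local dnscrypt-proxy
# talking upstream) have no ingress interface and are never matched, which
# is why the src_mac exclusion only matters for a DNS server on another host.
from dataclasses import dataclass
from typing import Optional, Set

# Zone membership as on the page: br-lan is "lan", br-guest "guest", eth1 "wan".
ZONES = {"br-lan": "lan", "br-guest": "guest", "eth1": "wan"}
# Constructed stand-in for the "doh4" ipset (documentation-range addresses).
DOH4: Set[str] = {"198.51.100.10", "203.0.113.53"}

@dataclass
class Packet:
    in_iface: Optional[str]  # None: locally generated by the router itself
    src_mac: Optional[str]
    dst_ip: str
    dst_port: int
    proto: str

def zone_rule(pkt: Packet, src_zone: str, dest_port: int,
              ipset: Optional[Set[str]] = None,
              src_mac: Optional[str] = None) -> bool:
    """True if a uci rule/redirect with these options matches the packet.
    src_mac carries the uci value, e.g. "!00:11:22:33:44:55" (negated)."""
    if pkt.in_iface is None or ZONES.get(pkt.in_iface) != src_zone:
        return False  # not transit traffic entering from the src zone
    if pkt.proto not in ("tcp", "udp") or pkt.dst_port != dest_port:
        return False
    if ipset is not None and pkt.dst_ip not in ipset:
        return False
    if src_mac is not None:
        negate = src_mac.startswith("!")
        want = src_mac.lstrip("!").lower()
        hit = (pkt.src_mac or "").lower() == want
        if hit == negate:  # a negated option excludes the matching host
            return False
    return True

def dns_int(pkt: Packet, excluded_mac: Optional[str] = None) -> str:
    """The dns_int redirect: DNAT port 53 from lan to the router, minus one excluded host."""
    opt = f"!{excluded_mac}" if excluded_mac else None
    return "DNAT" if zone_rule(pkt, "lan", 53, src_mac=opt) else "PASS"

def deny_doh_lan(pkt: Packet) -> str:
    """The 'Deny-DoH Lan' rule from the thread: REJECT lan -> :443 to doh4 IPs."""
    return "REJECT" if zone_rule(pkt, "lan", 443, ipset=DOH4) else "PASS"
```

A packet with `in_iface=None` stands for the router's own outgoing traffic, which neither rule touches.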

OK, got it, thank you!

