External services and LAN access

Hello everybody,

I have a strange problem.

A few days ago I replaced my pi-hole with adblock on the OpenWRT.

Before that, the Pi_Hole was acting as DHCP and DNS and it worked well.

Since the Pi-Hole only ran as a VM and I wanted to get rid of this constellation, I installed Adblock on the OpenWRT (APU.2E4). From then on I used that as DHCP and DNS.

I switched off pi-hole. Everything works except two servers ...

The curious thing is that these two servers can be reached from WAN, but no longer from LAN.

Their names are not resolved in the LAN. Other servers (where I only changed the DNS) work fine from WAN and LAN, like a Minecraft server.

Now I have temporarily set up a new Pi-Hole (on an external mini-computer) that only does DNS, and everything works well again.

This is my config with the Pi-Hole present. What do I need to change to get rid of it?

dhcp:

# dnsmasq: the router's DHCP/DNS server (values in <...> were redacted by the poster).
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# Upstream resolvers are read from this file; netifd fills it from the
	# interfaces' DNS settings (the lan interface in /etc/config/network lists '<DNS IP>').
	option resolvfile '/tmp/resolv.conf.auto'
	option cachesize '10000'
	option confdir '/tmp/dnsmasq.d'
	option authoritative '1'
	option expandhosts '1'
	# Only answer queries that arrive from directly attached subnets. This is what
	# keeps dnsmasq from being an open resolver, because nonwildcard '0' below makes
	# it bind the wildcard address instead of the LAN addresses only.
	option localservice '1'
	option domain 'lan'
	option nonwildcard '0'
	# Drops upstream answers that resolve a public name to a private (RFC 1918) address.
	# NOTE(review): if the two servers' names resolve to LAN addresses upstream (as a
	# Pi-hole "local DNS record" used to), this filter makes them unresolvable from the
	# LAN while WAN access is unaffected - dnsmasq logs "possible DNS-rebind attack
	# detected" for each such name. Check the log first; then either whitelist them with
	# `list rebind_domain '<domain>'` or, preferably, answer them locally with a
	# `config domain` section (option name / option ip) and keep this protection on.
	option rebind_protection '1'
	option rebind_localhost '1'
	option filterwin2k '1'

# DHCPv4 pool for the LAN: 90 addresses starting at .160, 1h leases.
config dhcp 'lan'
	option interface 'lan'
	option start '160'
	option leasetime '1h'
	option limit '90'
	# Keep serving DHCP even if another DHCP server is detected on the LAN
	# (the Pi-hole also served DHCP before the switch).
	option force '1'
	# DHCP option 6 (DNS server list): every lease still tells clients to use the
	# Pi-hole rather than this router. To retire the Pi-hole this line has to be
	# removed or repointed; without it dnsmasq advertises itself. Clients keep the
	# old value until their 1h lease renews.
	list dhcp_option '6, <Pi-Hole>'

# No DHCP server on the wan side.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd handles IPv6 (RA/DHCPv6); maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Static lease for one host. `dns '1'` also registers <NAME> in dnsmasq's local
# forward/reverse records - the same mechanism that can replace Pi-hole local
# records (use `config domain` for names that are not DHCP hosts).
config host
	option mac '<MAC>'
	option name '<NAME>'
	option dns '1'
	option ip '<IP>'
	option leasetime '1h'

firewall:


# Policies for traffic not matched by any zone (these are the stock OpenWrt values).
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Trusted zone. wg0 shares it, so WireGuard peers get exactly the same access as
# wired LAN hosts (router services on input, and lan->wan via the forwarding below).
# NOTE(review): wg0 does not appear in the posted network config - presumably
# trimmed from the post; confirm the interface exists and is meant to be fully trusted.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'

# Untrusted zone: unsolicited input from the internet is rejected and outbound
# traffic is masqueraded. Only the explicit rules/redirects further down open
# anything (router ports 80/443 for HAProxy, and the DNAT redirects).
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'

# lan (including wg0, which is in the lan zone) may initiate connections to wan;
# nothing is forwarded in the other direction unless a rule or redirect allows it.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules from here down to Allow-ISAKMP appear to be the unmodified OpenWrt
# defaults (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec); nothing in them
# relates to the LAN name-resolution problem.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock IPsec pass-through rules: ESP and UDP/500 from wan into lan, no dest_ip.
# With masquerading on and no DNAT towards an IPsec host they have no effect on
# inbound traffic; narrow them with `option dest_ip` if an IPsec endpoint is ever exposed.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Hand-written iptables rules are loaded from this file; it is not shown in the
# post, so anything it contains (e.g. extra NAT or DNS redirects) is also in play.
config include
	option path '/etc/firewall.user'

# DNAT wan:<PORT> -> <IP>:<PORT> for tcp and udp. Redirects get NAT reflection
# (option reflection, default on) so LAN clients can reach the service via the
# public address too; the HAProxy ports below are input rules, not redirects,
# so they do not go through reflection.
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '<PORT>'
	option dest_port '<PORT>'
	option name '<Name>'
	option dest_ip '<IP>'

# Opens the router's own ports 80 and 443 to the internet for HAProxy (input rules,
# not redirects). Everything HAProxy fronts is therefore reachable from WAN; which
# name reaches which backend is decided solely by the ACLs in haproxy.cfg.
config rule
	option dest_port '80'
	option src 'wan'
	option name 'HAProxy'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option dest_port '443'
	option src 'wan'
	option name 'HAProxy ssl'
	option target 'ACCEPT'
	list proto 'tcp'

# DNAT for the Minecraft server. No `proto` is given, so the fw3 default
# (tcp and udp) applies. This redirect works from LAN and WAN as the post says,
# which is consistent with reflection being on for redirects.
config redirect
	option dest_port '19132'
	option src 'wan'
	option name 'Minecraft Server'
	option target 'DNAT'
	option dest 'lan'
	option src_dport '19132'
	option dest_ip '<IP>'

# Second Minecraft redirect, currently disabled (enabled '0').
config redirect
	option src 'wan'
	option name 'Minecraft Server 2'
	option target 'DNAT'
	option dest_ip '<IP>'
	option dest 'lan'
	option dest_port '59374'
	option src_dport '59374'
	option enabled '0'

haproxy.cfg:

# Example configuration file for HAProxy 2.0, refer to the url below for
# a full documentation and examples for configuration:
# https://cbonte.github.io/haproxy-dconv/2.0/configuration.html


# Global parameters
global

	# Log events to a remote syslog server at given address using the
	# specified facility and verbosity level. Multiple log options 
	# are allowed.
	#log 10.0.0.1 daemon info

	# Specifiy the maximum number of allowed connections.
	maxconn 1000

	# Raise the ulimit for the maximum allowed number of open socket
	# descriptors per process. This is usually at least twice the
	# number of allowed connections (maxconn * 2 + nb_servers + 1) .
	ulimit-n 2100

	# Drop privileges (setuid, setgid), default is "root" on OpenWrt.
	uid 0
	gid 0
	# NOTE(review): HAProxy keeps running as root here, and the chroot below is
	# disabled, while the firewall exposes its :80/:443 listeners to the internet.
	# HAProxy binds its ports before dropping privileges, so a dedicated unprivileged
	# user/group plus the chroot would bound what a bug in HAProxy can reach on the
	# router. The package default is root (see above), so check that the init script
	# and log/socket paths tolerate a non-root uid before changing it.

	# Perform chroot into the specified directory.
	#chroot /var/run/haproxy/

	# Daemonize on startup
	daemon

	nosplice
	# Enable debugging
	#debug

	# Spawn given number of processes and distribute load among them,
	# used for multi-core environments or to circumvent per-process
	# limits like number of open file descriptors. Default is 1.
	#nbproc 2

# Default parameters
# Default parameters. No `mode` is set here, so proxies that do not set one
# (the https backends below) fall back to HAProxy's built-in default, tcp.
defaults
	# Default timeouts
	timeout connect 5000ms
	timeout client 50000ms
	timeout server 50000ms

	# httplog needs mode http; the frontend below is mode tcp, so HAProxy
	# warns at start-up and falls back to tcplog for it.
	option httplog

#frontend http_in
# One TCP-mode frontend for both ports. Plain HTTP on :80 is routed by Host
# header, TLS on :443 by SNI; TLS is passed through untouched (no termination
# here), so HAProxy never sees or rewrites HTTP headers on :443.
frontend localhost


mode tcp
bind *:80
bind *:443

# Buffer up to 5s of client data so the ACLs below can look at it.
tcp-request inspect-delay 5s
# Reject SSLv3 ClientHellos outright.
acl sslv3 req.ssl_ver 3
tcp-request content reject if sslv3
# Accept as soon as a TLS ClientHello is seen. Plain HTTP matches no accept rule
# and is presumably only passed on when the 5s inspect-delay expires; adding
# `tcp-request content accept if HTTP` (predefined ACL) would release it earlier.
# Confirm by timing a port-80 request.
tcp-request content accept if { req_ssl_hello_type 1 }

# NOTE(review): the frontend listens on all addresses, so these ACLs match from the
# LAN exactly as from the WAN; nothing in this file restricts the first pair to WAN
# clients. If "<Domain only from WAN>" describes the intended policy rather than the
# current symptom, that restriction would need a `src` ACL with a reject rule here.
acl <Domain only from WAN>_http_1 hdr(host) -i <Domain only from WAN>
acl <Domain only from WAN>_https_1 req_ssl_sni -i <Domain only from WAN>

acl <Domain accessible in LAN and WAN>_http_1 hdr(host) -i <Domain accessible in LAN and WAN>
acl <Domain accessible in LAN and WAN>_https_1 req_ssl_sni -i <Domain accessible in LAN and WAN>



use_backend <Domain only from WAN>_http_1 if <Domain only from WAN>_http_1
use_backend <Domain only from WAN>_https_1 if <Domain only from WAN>_https_1

use_backend <Domain accessible in LAN and WAN>_http_1 if <Domain accessible in LAN and WAN>_http_1
use_backend <Domain accessible in LAN and WAN>_https_1 if <Domain accessible in LAN and WAN>_https_1



# Plain-HTTP backend. No port on the server line, so HAProxy connects to the
# port the client used (80). send-proxy prepends a PROXY protocol header, so
# <IP> must be configured to expect it or every connection fails.
backend <Domain only from WAN>_http_1
mode tcp
server <Domain only from WAN>_http_1 <IP> send-proxy

# TLS passthrough backend (mode inherited from defaults: tcp).
backend <Domain only from WAN>_https_1
# NOTE(review): http-request rules cannot act on an opaque TLS stream in a tcp-mode
# backend; HAProxy ignores this line (and normally warns at start-up), so no
# X-Forwarded-For is ever delivered. The client address reaches <IP>:443 only via
# the PROXY protocol header from send-proxy on the server line.
http-request set-header X-Forwarded-For %[src]
# SSL session-ID stickiness as in the HAProxy manual example: payload_lv(43,1) is the
# session ID in the Client/ServerHello. With a single server it has no effect.
stick-table type binary len 32 size 30k expire 30m
acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2
# use tcp content accepts to detects ssl client and server hello.
tcp-request inspect-delay 5s
tcp-request content accept if clienthello
# no timeout on response inspect delay by default.
tcp-response content accept if serverhello
stick on payload_lv(43,1) if clienthello
# Learn on response if server hello.
stick store-response payload_lv(43,1) if serverhello
# Health check sends an SSLv3-format ClientHello, which the frontend itself rejects
# from clients; a backend that refuses SSLv3 would fail the check and be marked DOWN.
# Confirm the server is actually UP in the stats before relying on `check`.
option ssl-hello-chk
server <Domain only from WAN>_https_1 <IP>:443 check send-proxy

# Plain-HTTP backend; no port on the server line means the client's port (80) is
# used. send-proxy requires <IP> to accept the PROXY protocol.
backend <Domain accessible in LAN and WAN>_http_1
mode tcp
server <Domain accessible in LAN and WAN>_http_1 <IP> send-proxy

# TLS passthrough backend (mode inherited from defaults: tcp); same shape as the
# other https backend.
backend <Domain accessible in LAN and WAN>_https_1
# NOTE(review): ignored in a tcp-mode backend (the TLS payload is opaque), so no
# X-Forwarded-For reaches the server; only the PROXY protocol header from
# send-proxy carries the client address.
http-request set-header X-Forwarded-For %[src]
# SSL session-ID stickiness (HAProxy manual example); no effect with one server.
stick-table type binary len 32 size 30k expire 30m
acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2
# use tcp content accepts to detects ssl client and server hello.
tcp-request inspect-delay 5s
tcp-request content accept if clienthello
# no timeout on response inspect delay by default.
tcp-response content accept if serverhello
stick on payload_lv(43,1) if clienthello
# Learn on response if server hello.
stick store-response payload_lv(43,1) if serverhello
# SSLv3-format health check; see note on the other https backend.
option ssl-hello-chk
server <Domain accessible in LAN and WAN>_https_1 <IP>:443 check send-proxy

haproxy-tcp:


# NOTE(review): this looks like the unmodified example shipped with the haproxy-tcp
# package (placeholder upstream 1.2.3.4:8388) yet it is enabled, listening on all
# addresses (0.0.0.0:6666) with an admin/stats port on 7777. The wan zone's input
# REJECT keeps it off the internet, but both ports are open to every LAN and wg0
# host. If the service is not used, set `option enable '0'`; if it is, bind the
# listener and stats port to the LAN address only. Confirm which applies.
config general 'general'
	option retries '1'
	option timeout '1000'
	option listen '0.0.0.0:6666'
	option admin_stats '7777'
	option startup_delay '5'
	list upstreams '1.2.3.4:8388'
	option enable '1'

network:


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# ULA prefix redacted by the poster.
config globals 'globals'
	option ula_prefix 'xxxx:xxxx:32ea::/48'

# LAN bridge, 192.168.0.0/24. No wg0 interface appears in this listing although
# the firewall's lan zone references one - presumably trimmed from the post.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth1 eth2'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.1'
	# Upstream resolver for the router itself; it ends up in /tmp/resolv.conf.auto,
	# which dnsmasq forwards non-local queries to. NOTE(review): if <DNS IP> is the
	# Pi-hole, dnsmasq forwards every non-local query to it and the LAN loses DNS
	# the moment the Pi-hole is switched off - point this at the ISP/public resolver
	# (or leave it unset to use the one learned on wan) when retiring it.
	list dns '<DNS IP>'

# Upstream via DHCP/DHCPv6 on eth0 (the route below suggests the upstream
# device sits in 192.168.178.0/24, i.e. double NAT).
config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'

# NOTE(review): route to 192.168.178.0/24 bound to the lan interface via a gateway
# (192.168.178.1) that is not on the lan subnet; onlink '1' forces the kernel to
# accept it, and type 'anycast' is unusual for a next-hop route. If the goal is to
# reach the upstream router's subnet, that is normally covered by the default
# route learned on wan - confirm this route is still needed and does what you expect.
config route
	option netmask '255.255.255.0'
	option interface 'lan'
	option gateway '192.168.178.1'
	option type 'anycast'
	option onlink '1'
	option source '192.168.0.1'
	option target '192.168.178.0'