Firewall add an exception to DNS hijacking rule on src_mac src_dip

Hi,

Is there a way to filter this rule:

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        option family 'any'

I need to allow the traffic for a single host based on the src_mac,
and only for a specific src_dip.

The rule blocks the ACME certificate for the Traefik proxy.
So I need to allow a specific DNS only for the certificate renewal.

Add option src_ip '!xxx.xxx.xxx.xxx' to the rule (replacing xxx.xxx.xxx.xxx with the IP of the device you want to bypass the rule).

Or you could use src_mac. Again using ! at the start to allow the device to bypass the rule.

Thanks for your help.
In this case this host will be excluded for everything.
Is there a way to add a second condition?

I need to exclude only when two conditions are met:

  1. The destination is 8.8.8.8
  2. The source is the MAC address of the host

I have found the solution.

config rule
        option name 'mark Traefik acme'
        option src 'lan'
        list src_mac '25:F3:F2:F4:40:13'
        list dest_ip '8.8.8.8'
        option target 'MARK'
        option set_mark '0x1'
        option dest '*'

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        option family 'any'
        option mark '!0x1'

I add a mark to the packets having the MAC address of the host as source
and the DNS server as destination.
Then I filter out the packets carrying this mark in the DNS hijack rule.
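Added example (not from the post above, nor from OpenWrt/fw4): a small offline model of how the two sections combine, so the exemption can be checked before it is deployed. It embeds a tiny UCI parser, evaluates the MARK rule before the DNAT redirect, and returns the verdict for a constructed packet. Assumptions, labelled as such: fw4 places a MARK rule with dest '*' in its mangle_prerouting chain, which runs ahead of the dstnat chain where the redirect lives; only the match options used in the thread (src, src_mac, dest_ip, proto, src_dport, mark) are modelled, with a leading '!' negating an entry; the MAC and IP values are the poster's, the second config and the other MAC address are made up for the comparison.

```python
import shlex
from dataclasses import dataclass, field

# Constructed input: the two sections from the post, verbatim.
UCI_CONFIG = """
config rule
        option name 'mark Traefik acme'
        option src 'lan'
        list src_mac '25:F3:F2:F4:40:13'
        list dest_ip '8.8.8.8'
        option target 'MARK'
        option set_mark '0x1'
        option dest '*'

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        option family 'any'
        option mark '!0x1'
"""

# Constructed variant of the first suggestion in the thread: negated src_mac only.
MAC_ONLY_CONFIG = """
config redirect 'adblock_lan53'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        list src_mac '!25:F3:F2:F4:40:13'
"""

@dataclass
class Section:
    kind: str                                  # 'rule' or 'redirect'
    opts: dict = field(default_factory=dict)   # key -> list of values (option and list alike)

@dataclass
class Packet:
    src_zone: str
    src_mac: str
    dest_ip: str
    proto: str
    dport: int
    mark: int = 0

def parse_uci(text):
    """Minimal UCI parser: 'config <type> [name]', 'option k v', 'list k v'."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw)               # handles quoted values with spaces
        if not words:
            continue
        if words[0] == "config":
            sections.append(Section(words[1]))
        elif words[0] in ("option", "list") and sections:
            sections[-1].opts.setdefault(words[1], []).append(words[2])
    return sections

def _match_set(specs, value):
    """Value must be among the positive entries (if any) and not among '!' entries."""
    value = value.lower()
    wanted = {s.lower() for s in specs if not s.startswith("!")}
    unwanted = {s[1:].lower() for s in specs if s.startswith("!")}
    return (not wanted or value in wanted) and value not in unwanted

def _match_mark(spec, mark):
    """fw4 mark syntax: VALUE[/MASK], optionally prefixed with '!' to negate."""
    negate = spec.startswith("!")
    value, _, mask = spec.lstrip("!").partition("/")
    m = int(mask, 0) if mask else 0xFFFFFFFF
    return ((mark & m) == int(value, 0)) != negate

def matches(sec, pkt):
    o = sec.opts
    if "src" in o and not _match_set(o["src"], pkt.src_zone):
        return False
    if "src_mac" in o and not _match_set(o["src_mac"], pkt.src_mac):
        return False
    if "dest_ip" in o and not _match_set(o["dest_ip"], pkt.dest_ip):
        return False
    if "proto" in o:
        protos = {p for v in o["proto"] for p in v.split()}   # 'tcp udp' -> {'tcp', 'udp'}
        if "all" not in protos and pkt.proto not in protos:
            return False
    if "src_dport" in o and not _match_set(o["src_dport"], str(pkt.dport)):
        return False
    if "mark" in o and not _match_mark(o["mark"][0], pkt.mark):
        return False
    return True

def evaluate(sections, pkt):
    """MARK rules first (mangle_prerouting, assumed), then DNAT redirects (dstnat)."""
    for sec in sections:
        if sec.kind == "rule" and sec.opts.get("target") == ["MARK"] and matches(sec, pkt):
            pkt.mark = int(sec.opts["set_mark"][0].split("/")[0], 0)
    for sec in sections:
        if sec.kind == "redirect" and sec.opts.get("target") == ["DNAT"] and matches(sec, pkt):
            return "DNAT"
    return "PASS"

def verdict(config_text, src_mac, dest_ip, proto="udp", dport=53):
    """'DNAT' if the hijack rule would catch the query, 'PASS' if it is exempted."""
    return evaluate(parse_uci(config_text), Packet("lan", src_mac, dest_ip, proto, dport))

if __name__ == "__main__":
    traefik, other = "25:F3:F2:F4:40:13", "AA:BB:CC:DD:EE:FF"   # second MAC is made up
    for cfg_name, cfg in (("mark+dnat", UCI_CONFIG), ("mac-only", MAC_ONLY_CONFIG)):
        for mac, ip in ((traefik, "8.8.8.8"), (traefik, "1.1.1.1"), (other, "8.8.8.8")):
            print(f"{cfg_name:10} {mac} -> {ip}:53  {verdict(cfg, mac, ip)}")
```

Running it shows the difference between the two approaches: with the mark rule, only queries from the Traefik host to 8.8.8.8 escape the DNAT, while the same host's queries to any other resolver are still hijacked; with the negated src_mac alone, every query from that host escapes, which is exactly the objection raised in the thread.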
