MV_wrt
December 3, 2020, 12:59am
1
Hi all,
I followed the guide:
trying to force all devices on my LAN to use OpenWRT for all DNS queries, but a couple of things are still not clear. The guide instructs to create this redirect rule:
config redirect
option dest_port '53'
option src 'wan'
option name 'Hijack DNS'
option src_dport '53'
option target 'DNAT'
option dest 'lan'
but, shouldn't src and dest be the other way around?
Also, this does not hijack IPv6 DNS queries, does it?
I would appreciate any pointers on how to force all LAN devices to go to the router for their DNS queries.
The page is last edited by @gollyjer .
It's problematic to configure using just web interface.
There's a tested and working CLI how-to:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns
MV_wrt
December 3, 2020, 4:27pm
3
Question about the CLI solution, it requires installation of
opkg install kmod-ipt-nat6
does this mean ipv6 will be NATed? I thought ipv6 operates without NAT.
The script skips DNAT, SNAT and MASQUERADE rules and clones only REDIRECT rules.
So, it applies NAT6 for DNSv6 traffic only.
Hi,
I'm new here and I'm having a problem with the NAT6 configuration above.
I get the following warnings when I restart the firewall:
* Populating IPv6 nat table
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
I researched a lot before posting here, including trying the configuration described in: https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6 , but the warnings continue.
I've read reports that there is a bug with NAT6: https://bugs.openwrt.org/index.php?do=details&task_id=500&order=id&sort=desc
So, is there a way to get around this?
My concern is: Are the DNS6 settings working? I don't have enough experience to test this.
I appreciate any help or clarification.
It's problematic to avoid the warnings until the bug is fixed.
But you can safely ignore them.
Use the NAT6 script.
Yes, it is tested on OpenWrt 19.07.*.
MV_wrt
December 14, 2020, 4:58pm
8
These errors are what stopped me from implementing this solution. I was researching to see how severe these errors are or how they impact router operation. Thanks for following up on these.
MV_wrt
December 14, 2020, 5:10pm
9
@vgaetera , how do you "undo" this implementation? I understand that how-to creates a port forward, which is easy to delete if one decides to roll back, but how to remove whatever this does:
# Enable NAT6
opkg update
opkg install kmod-ipt-nat6
cat << "EOF" > /etc/firewall.nat6
iptables-save -t nat \
| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d;/\s--match-set\s\S*/s//\06/" \
| ip6tables-restore -T nat
EOF
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
/etc/init.d/firewall restart
Finally, can the above script be substituted by adding it as a custom rule (which would be easy to remove when needed):
iptables-save -t nat \| sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d;/\s--match-set\s\S*/s//\06/" \| ip6tables-restore -T nat
opkg --autoremove remove kmod-ipt-nat6
uci -q delete firewall.nat6
uci commit firewall
/etc/init.d/firewall restart
reboot
Yep, but you should use | instead of \| and it still requires installing kmod-ipt-nat6, which is the cause of the warnings.
Anyway, you may need it only when your clients have dual-stack connectivity.
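To check what the /etc/firewall.nat6 filter quoted above actually hands to ip6tables-restore (the reply earlier in the thread says it drops DNAT, SNAT and MASQUERADE rules and clones only REDIRECT rules), here is an added example that is not from the thread or the OpenWrt wiki: it runs the same sed expression, with the portable `&` in place of GNU sed's `\0`, over a constructed iptables-save sample, so the result can be inspected before the include is enabled on a live router. The chain and ipset names in the sample are made up for illustration.

```sh
#!/bin/sh
# Constructed sample of `iptables-save -t nat` output (not captured from a real
# router); chain names mimic fw3's zone_<zone>_prerouting/postrouting layout.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
-A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Hijack DNS" -j REDIRECT --to-ports 53
-A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Hijack DNS" -j REDIRECT --to-ports 53
-A zone_lan_prerouting -m set --match-set dns_clients src -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A zone_wan_prerouting -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
-A zone_wan_postrouting -o eth0.2 -j MASQUERADE
COMMIT'

# Same three sed commands as the how-to's /etc/firewall.nat6:
#   1. delete rules whose target is DNAT or SNAT (IPv4 addresses make no sense in ip6tables)
#   2. delete MASQUERADE rules
#   3. append "6" to any ipset name so the IPv6 twin of the set is referenced
# `&` (whole match) is the portable spelling of GNU sed's `\0`.
nat6_filter() {
    sed -e "/\s[DS]NAT\s/d;/\sMASQUERADE$/d;/\s--match-set\s\S*/s//&6/"
}

# What ip6tables-restore would receive for the sample above.
preview_nat6() {
    printf '%s\n' "$SAMPLE_NAT" | nat6_filter
}

# Number of surviving rules that jump to the given target (0 if none).
count_target() {
    preview_nat6 | grep -c -- "-j $1" || true
}

# Stand-alone run: show the filtered ruleset and a per-target summary.
preview_nat6
for t in REDIRECT DNAT SNAT MASQUERADE; do
    echo "$t rules cloned to ip6tables: $(count_target "$t")"
done
```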
MV_wrt
December 14, 2020, 6:02pm
11
Is there a way to monitor this issue to see when the bug gets fixed?
Register & subscribe.
Wow, grateful for your support!
MV_wrt
December 16, 2020, 4:48pm
13
Just wanted to express my appreciation for your support helping us amateurs. Thank you, and happy upcoming New Year!
system
Closed
December 26, 2020, 4:49pm
14
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.