Help w/ nft rule to add DNS redirect for inverted matching

I currently have a blanket redirect rule set up for my home network running on OpenWrt, and am trying to stay within OpenWrt rather than integrating an additional firewall such as OpnSense or pfSense.

My current generic Port Forwards for DNS --> router:

My current firewall rules:

followed by, "rogue-dns-block" rules:

As per the Netgate docs for pfSense (using for general reference):

A quick poke about online I was using these sites for some hopeful references:

https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Ip

https://www.netfilter.org/projects/nftables/manpage.html

https://openwrt.org/docs/guide-user/firewall/misc/nftables

So far I have tried adding the following (repeated for each VLAN) to /etc/firewall.user with no luck when restarting the firewall service:

nft add rule inet fw4 prerouting iifname "BR-VLAN.10" ip daddr != 10.10.50.5 udp dport 53 dnat to 10.10.50.5:53

nft add rule inet fw4 prerouting iifname "BR-VLAN.10" ip protocol tcp tcp dport 53 ip daddr != 10.10.50.5 dnat to 10.10.50.5
nft add rule inet fw4 prerouting iifname "BR-VLAN.10" ip protocol udp udp dport 53 ip daddr != 10.10.50.5 dnat to 10.10.50.5

My question is:

How big of a deal is it redirecting all traffic versus only traffic not already heading toward my AGH for DNS resolution?

Seems to me like the Netgate docs are for optimal performance and latency, but that my current setup should also function adequately?

Obviously I want to avoid any DNS loops, but I am looking to capture and redirect and was trying to build the equivalent NFT rule to achieve what the Netgate docs specify, but have not yet been successful in OpenWrt accepting such a rule due to errors...

After the switch to fw4, /etc/firewall.user is no longer used.
For custom rules, see

https://openwrt.org/docs/guide-user/firewall/firewall_configuration#includes_2203_and_later_with_fw4

You must use the (predefined) dstnat chain, whose type is nat, not filter.

What you want to achieve can be done with an additional setting in the DNAT rule(s), but that's not so intuitive. Go to the advanced settings of the rule and use the External IP address field.

Also, the "Adguard reply" rules are useless, in your case even wrong.
The DNS replies are returned from source port 53, not sent to destination port 53.

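Putting the reply above into a concrete rule, as an added example that is not from the original thread or from OpenWrt's own documentation: the "External IP address" field in LuCI's port-forward advanced settings corresponds to `src_dip` in /etc/config/firewall, and the inverted match is expressed by prefixing the address with `!`. fw4 then places the generated rule in its nat-type dstnat chain for the source zone, which is why a hand-written rule in the filter-type prerouting chain was rejected. The zone names `vlan10` and `lan`, the AdGuard Home address 10.10.50.5 taken from the question, and the assumption that fw4 honours `!` negation on `src_dip` are all assumptions made for this example.

```uci
# /etc/config/firewall  (added example, not the thread author's config)
# Hijack DNS from the VLAN 10 zone unless it is already addressed to
# AdGuard Home at 10.10.50.5. Because the destination is excluded from
# the match, queries that already go to AGH are left alone and no
# DNAT loop is created for AGH's own upstream lookups.
config redirect
	option name 'Force DNS to AdGuard Home (VLAN 10)'
	option src 'vlan10'          # assumed zone name for BR-VLAN.10
	option src_dip '!10.10.50.5' # External IP address, inverted with '!'
	option src_dport '53'
	option proto 'tcp udp'
	option dest 'lan'            # assumed zone that contains AGH
	option dest_ip '10.10.50.5'
	option dest_port '53'
	option target 'DNAT'
```

After `/etc/init.d/firewall restart`, `fw4 print` (or `nft list ruleset`) should show a dnat rule containing `ip daddr != 10.10.50.5` with `dport 53` in the dstnat chain for the source zone rather than in a filter chain. No separate "reply" rule is needed: conntrack reverses the DNAT on the answer packets, which come back from source port 53, so a rule matching destination port 53 on the return path would never be hit.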

thanks for informing me on this

Thank you for this one! I did not think it was possible in OWrt.
I set mine up as follows:

Some degree of a network rule audit post is hopefully in my future if that's something this community is willing to do. I have this now:

I forgot where it was I was told I needed those rules. Definitely a lot of trial and error going on with many reconfigurations and frequent changes right now while I figure all this stuff out.

Thanks again!

