How to configure the firewall for a VLAN to work with dnsproxy pure DoQ?

I have configured dnscrypt-proxy 2.1.15 to work on kernel 6.12.66 for both br-LAN.

There is one VLAN, 192.168.4.x.

If my /etc/config/dhcp is:

config dhcp 'VLAN_int'
option interface 'VLAN_int'
option start '3'
option leasetime '12h'
option dhcpv4 'server'
list dhcp_option_force '6, 1.1.1.1'


It works for the VLAN client. I had also installed dnsproxy, which I hope can cover only the VLAN:

list dhcp_option_force '6, 192.168.4.1'

But the client cannot work normally.

I tried:

root@openwrt:/tmp# cat /etc/dnsmasq.conf
interface=br-lan,br-VLAN
server=/192.168.4.in-addr.arpa/127.0.0.1#5354

and:

/usr/bin/dnsproxy -l 127.0.0.1 -p 5354 -v --cache --cache-size=65536 --cache-optimistic --ipv6-disabled -u quic://dns.adguard-dns.com -b tls://1.1.1.1:853 &

and I confirmed that dnsproxy really works:

/tmp# nslookup yahoo.com 127.0.0.1:5354
2026/01/23 21:22:28.759381 DEBUG handling new udp packet prefix=dnsproxy raddr=127.0.0.1:49465
2026/01/23 21:22:28.759738 DEBUG in prefix=dnsproxy line_num=1 line=";; opcode: QUERY, status: NOERROR, id: 31600"
2026/01/23 21:22:28.759780 DEBUG in prefix=dnsproxy line_num=2 line=";; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"
2026/01/23 21:22:28.759802 DEBUG in prefix=dnsproxy line_num=3 line=""
2026/01/23 21:22:28.759822 DEBUG in prefix=dnsproxy line_num=4 line=";; QUESTION SECTION:"
2026/01/23 21:22:28.759842 DEBUG in prefix=dnsproxy line_num=5 line=";yahoo.com.\tIN\t AAAA"
2026/01/23 21:22:28.759860 DEBUG in prefix=dnsproxy line_num=6 line=""
2026/01/23 21:22:28.759920 DEBUG handling request prefix=default_handler req=";yahoo.com.\tIN\t AAAA"
2026/01/23 21:22:28.759943 DEBUG ipv6 is disabled; replying with empty response prefix=default_handler req=yahoo.com.
2026/01/23 21:22:28.760012 DEBUG out prefix=dnsproxy line_num=1 line=";; opcode: QUERY, status: NOERROR, id: 31600"
2026/01/23 21:22:28.760037 DEBUG out prefix=dnsproxy line_num=2 line=";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0"
2026/01/23 21:22:28.760057 DEBUG out prefix=dnsproxy line_num=3 line=""
2026/01/23 21:22:28.760076 DEBUG out prefix=dnsproxy line_num=4 line=";; QUESTION SECTION:"
2026/01/23 21:22:28.760096 DEBUG out prefix=dnsproxy line_num=5 line=";yahoo.com.\tIN\t AAAA"
2026/01/23 21:22:28.760115 DEBUG out prefix=dnsproxy line_num=6 line=""
2026/01/23 21:22:28.760135 DEBUG out prefix=dnsproxy line_num=7 line=";; AUTHORITY SECTION:"
2026/01/23 21:22:28.760159 DEBUG out prefix=dnsproxy line_num=8 line="yahoo.com.\t10\tIN\tSOA\tfake-for-negative-caching.adguard.com. hostmaster.yahoo.com. 100500 1800 60 604800 86400"
2026/01/23 21:22:28.760178 DEBUG out prefix=dnsproxy line_num=9 line=""
2026/01/23 21:22:28.759462 DEBUG handling new udp packet prefix=dnsproxy raddr=127.0.0.1:49465
Server: 127.0.0.1:5354
Address: 127.0.0.1:5354

Non-authoritative answer:

2026/01/23 21:22:28.760377 DEBUG in prefix=dnsproxy line_num=1 line=";; opcode: QUERY, status: NOERROR, id: 31599"
2026/01/23 21:22:28.760407 DEBUG in prefix=dnsproxy line_num=2 line=";; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"
2026/01/23 21:22:28.760427 DEBUG in prefix=dnsproxy line_num=3 line=""
2026/01/23 21:22:28.760446 DEBUG in prefix=dnsproxy line_num=4 line=";; QUESTION SECTION:"
2026/01/23 21:22:28.760465 DEBUG in prefix=dnsproxy line_num=5 line=";yahoo.com.\tIN\t A"
2026/01/23 21:22:28.760483 DEBUG in prefix=dnsproxy line_num=6 line=""

2026/01/23 21:22:28.760518 DEBUG handling request prefix=default_handler req=";yahoo.com.\tIN\t A"
2026/01/23 21:22:28.760547 DEBUG no hosts records found prefix=default_handler name=yahoo.com qtype=1
2026/01/23 21:22:28.760783 DEBUG dialing prefix=bootstrap addr=1.1.1.1:853 idx=1 total=1
2026/01/23 21:22:28.761120 DEBUG dialing prefix=bootstrap addr=1.1.1.1:853 idx=1 total=1
2026/01/23 21:22:28.843357 DEBUG connection succeeded prefix=bootstrap addr=1.1.1.1:853 elapsed=82.526545ms
2026/01/23 21:22:28.850935 DEBUG connection succeeded prefix=bootstrap addr=1.1.1.1:853 elapsed=89.769559ms
2026/01/23 21:22:29.260412 DEBUG sending request addr=tls://1.1.1.1:853 proto=tcp qtype=A qname=dns.adguard-dns.com.
2026/01/23 21:22:29.264182 DEBUG sending request addr=tls://1.1.1.1:853 proto=tcp qtype=AAAA qname=dns.adguard-dns.com.
2026/01/23 21:22:29.343811 DEBUG response received addr=tls://1.1.1.1:853 proto=tcp status=ok
2026/01/23 21:22:29.350713 DEBUG response received addr=tls://1.1.1.1:853 proto=tcp status=ok
2026/01/23 21:22:29.350979 DEBUG dialing prefix=bootstrap addr=94.140.14.14:853 idx=1 total=4
2026/01/23 21:22:29.351172 DEBUG connection succeeded prefix=bootstrap addr=94.140.14.14:853 elapsed=142.013µs
2026/01/23 21:22:29.495583 DEBUG sending request addr=quic://dns.adguard-dns.com:853 proto=udp qtype=A qname=yahoo.com.
2026/01/23 21:22:29.521227 DEBUG response received addr=quic://dns.adguard-dns.com:853 proto=udp status=ok
2026/01/23 21:22:29.521433 DEBUG exchange successfully finished prefix=dnsproxy upstream=quic://dns.adguard-dns.com:853 question=";yahoo.com.\tIN\t A" duration=760.78401ms
2026/01/23 21:22:29.521567 DEBUG resolved prefix=dnsproxy upstream=quic://dns.adguard-dns.com:853 src=upstream
2026/01/23 21:22:29.521836 DEBUG out prefix=dnsproxy line_num=1 line=";; opcode: QUERY, status: NOERROR, id: 31599"
2026/01/23 21:22:29.521964 DEBUG out prefix=dnsproxy line_num=2 line=";; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0"
2026/01/23 21:22:29.522080 DEBUG out prefix=dnsproxy line_num=3 line=""
2026/01/23 21:22:29.522192 DEBUG out prefix=dnsproxy line_num=4 line=";; QUESTION SECTION:"
2026/01/23 21:22:29.522308 DEBUG out prefix=dnsproxy line_num=5 line=";yahoo.com.\tIN\t A"
2026/01/23 21:22:29.522419 DEBUG out prefix=dnsproxy line_num=6 line=""
2026/01/23 21:22:29.522521 DEBUG out prefix=dnsproxy line_num=7 line=";; ANSWER SECTION:"
2026/01/23 21:22:29.522554 DEBUG out prefix=dnsproxy line_num=8 line="yahoo.com.\t592\tIN\tA\t74.6.231.21"
2026/01/23 21:22:29.522576 DEBUG out prefix=dnsproxy line_num=9 line="yahoo.com.\t592\tIN\tA\t74.6.143.25"
2026/01/23 21:22:29.522597 DEBUG out prefix=dnsproxy line_num=10 line="yahoo.com.\t592\tIN\tA\t98.137.11.164"
2026/01/23 21:22:29.522617 DEBUG out prefix=dnsproxy line_num=11 line="yahoo.com.\t592\tIN\tA\t74.6.231.20"
2026/01/23 21:22:29.522638 DEBUG out prefix=dnsproxy line_num=12 line="yahoo.com.\t592\tIN\tA\t74.6.143.26"
2026/01/23 21:22:29.522658 DEBUG out prefix=dnsproxy line_num=13 line="yahoo.com.\t592\tIN\tA\t98.137.11.163"
2026/01/23 21:22:29.522676 DEBUG out prefix=dnsproxy line_num=14 line=""
Non-authoritative answer:
Name: yahoo.com
Address: 74.6.231.21
Name: yahoo.com
Address: 74.6.143.25
Name: yahoo.com
Address: 98.137.11.164
Name: yahoo.com
Address: 74.6.231.20
Name: yahoo.com
Address: 74.6.143.26
Name: yahoo.com
Address: 98.137.11.163

Thank you for your kind guidance.

Edit your post, get the CLI outputs into the preformatted text windows you actually added.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Dear Brada4,

I have fixed it, not with Gemini, but with Perplexity.

In /etc/config/dhcp:

config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '0'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '0'
option ednspacket_max '1232'
list addnmount '/var/cache-domains/uklans-cache-domains-170c090/scripts/output/dnsmasq'
option localuse '1'
list interface 'lan'
list server '127.0.0.53'
list server '/mask.icloud.com/'
list server '/mask-h2.icloud.com/'
list server '/use-application-dns.net/'

config dhcp 'VLAN_dns'
option interface 'VLAN_dns'
option start '3'
option leasetime '12h'
option dhcpv4 'server'
option limit '150'
list dhcp_option '6,192.168.4.1'
list server '127.0.0.1#5354'

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output (red circle; this works best in the 'Markdown' composer view in the blue oval):


In /etc/config/firewall:
config zone
option name 'VLAN'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'VLAN_dns'

config forwarding
option src 'VLAN'
option dest 'wan'

config rule
option src 'VLAN'
option name 'Allow_DHCP_VLAN'
option dest_port '67-68'
option target 'ACCEPT'

config rule
option src 'VLAN'
option name 'Deny_VLAN@ssh'
option dest_port '22044'
option target 'DROP'
list dest_ip '192.168.1.1'
list dest_ip '192.168.4.1'

config rule
option src 'VLAN'
option name 'Deny_httpsAdmin'
option dest_port '443'
option target 'REJECT'
list dest_ip '192.168.1.1'
list dest_ip '192.168.4.1'

config redirect
option name 'Divert-VLAN-DNS-53'
option src 'VLAN'
option dest 'VLAN'
option src_dport '53'
option dest_port '5354'
option proto 'tcp udp'
option target 'DNAT'

config redirect
option name 'Divert-VLAN-DNS-853'
option src 'VLAN'
option dest 'wan'
option src_dport '853'
option dest_port '853'
option proto 'tcp'
option target 'DNAT'

config rule
option name 'Block-VLAN-to-LAN-DNS'
option src 'VLAN'
option dest 'lan'
option dest_port '53 5353'
option proto 'tcp udp'
option target 'REJECT'

config rule
option src 'lan'
option dest 'VLAN'
option name 'blocking-LAN2VLAN'
option target 'DROP'
list proto 'all'


In /etc/config/network:

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config device
	option type '8021q'
	option ifname 'lan4'
	option vid '4'
	option name 'lan4.4'

config device
	option type 'bridge'
	option name 'br-VLAN'
	list ports 'lan4.4'
	option ipv6 '0'

#### NEXT 4 LINES ARE IMPORTANT OTHERWISE VLAN DNS STILL REFUSE TO WORK ####
config interface 'VLAN_dns'
    option proto 'static'
    option device 'br-VLAN'
    list ipaddr '192.168.4.1/27'  # Matches existing

root@RT:/tmp# ubus call system board
{
	"kernel": "6.12.67",
	"hostname": "RT",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT1900ACS",
	"board_name": "linksys,wrt1900acs",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r32783-cf84e8ee86",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt SNAPSHOT r32783-cf84e8ee86",
		"builddate": "1769294783"
	}
}


Compiling online with these packages:

tc-full ca-certificates dnsmasq-full
apk-mbedtls base-files ca-bundle dropbear firewall4 fstools kmod-gpio-button-hotplug kmod-nft-offload libc libgcc libustream-mbedtls logd mtd netifd nftables odhcp6c odhcpd-ipv6only ppp ppp-mod-pppoe procd-ujail uboot-envtools uci uclient-fetch urandom-seed urngd kmod-mwlwifi mwlwifi-firmware-88w8864 kmod-dsa-mv88e6xxx luci-ssl
luci-app-advanced-reboot
luci-app-ddns
luci-app-firewall
luci-app-nlbwmon
luci-app-package-manager
cache-domains-mbedtls
chrony-nts
coreutils-sort
curl
sed
htop
diffutils
lm-sensors
lsof
dnscrypt-proxy2
wpad-mbedtls
tcpdump
qrencode
kmod-wireguard
luci-proto-wireguard
wireguard-tools
openssh-sftp-server
ddns-scripts-services
ss
iperf3
ipset
irqbalance
speedtest-netperf
ip
iw
knot-host
mtr
dnsproxy

Your approach to vlans is semi-ancient or AI suggested. You have to configure vlans under br-lan then tag/untag vlans on physical ports, make a network on top of bridge-vlan device to use it in a firewall zone.

My big trouble is that I missed

config dnsmasq
	option localuse '1'
+	list interface 'lan'
	list server '127.0.0.53'

and mydnsproxy.sh:

dnsproxy -l 192.168.4.1 -p 5354 -v -o /dev/null --cache --cache-size=2097152 --cache-optimistic --ipv6-disabled -u quic://dns.adguard-dns.com -b tls://1.1.1.1:853 &

Yes, it should not be 127.0.0.1 -p 5354.
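A small consistency check for the fix described in this post, added here as an example rather than taken from the thread: it parses a constructed /etc/config/firewall fragment and a constructed dnsproxy command line in POSIX sh and confirms that the port-53 divert and the dnsproxy listener agree. It assumes fw4's documented behaviour that a DNAT redirect with no dest_ip sends the traffic to the router's own address on the incoming interface (here 192.168.4.1), which is why a listener on 127.0.0.1 never sees the redirected queries.

```shell
#!/bin/sh
# Added example (not code from the thread). Inputs are constructed inline so it runs offline.

# Constructed /etc/config/firewall fragment, same shape as the thread's redirect.
FW_CONF=$(cat <<'EOF'
config redirect
    option name 'Divert-VLAN-DNS-53'
    option src 'VLAN'
    option dest 'VLAN'
    option src_dport '53'
    option dest_port '5354'
    option proto 'tcp udp'
    option target 'DNAT'
EOF
)

# Constructed dnsproxy command lines: the broken listener and the fixed one.
BAD_CMD='dnsproxy -l 127.0.0.1 -p 5354 -v --cache --ipv6-disabled -u quic://dns.adguard-dns.com -b tls://1.1.1.1:853'
GOOD_CMD='dnsproxy -l 192.168.4.1 -p 5354 -v -o /dev/null --cache --ipv6-disabled -u quic://dns.adguard-dns.com -b tls://1.1.1.1:853'

# uci_opt CONF SECTION_NAME OPTION: value of OPTION inside the section whose
# "option name" equals SECTION_NAME (single-word values only; enough for ports).
uci_opt() {
  printf '%s\n' "$1" | awk -v want="$2" -v key="$3" -v q="'" '
    function emit() { if (matched && val != "") print val; matched = 0; val = "" }
    /^config / { emit() }
    $1 == "option" { v = $3; gsub(q, "", v); if ($2 == "name" && v == want) matched = 1; if ($2 == key) val = v }
    END { emit() }'
}

# flag_val CMDLINE FLAG: the argument that follows FLAG (e.g. -l or -p).
flag_val() {
  printf '%s\n' "$1" | awk -v f="$2" '{ for (i = 1; i < NF; i++) if ($i == f) { print $(i + 1); exit } }'
}

# check_divert FW_CONF DNSPROXY_CMD VLAN_IP: 0 when the redirect port matches the
# listen port and dnsproxy is bound to VLAN_IP (or all addresses); 1-3 otherwise.
check_divert() {
  port=$(uci_opt "$1" Divert-VLAN-DNS-53 dest_port)
  addr=$(flag_val "$2" -l); lport=$(flag_val "$2" -p)
  [ -n "$port" ] || { echo "no Divert-VLAN-DNS-53 redirect found"; return 1; }
  [ "$lport" = "$port" ] || { echo "redirect targets port $port, dnsproxy listens on $lport"; return 2; }
  [ "$addr" = "$3" ] || [ "$addr" = "0.0.0.0" ] || { echo "dnsproxy listens on $addr, but the divert lands on $3"; return 3; }
  echo "ok: VLAN :53 -> $addr:$port"
}

check_divert "$FW_CONF" "$BAD_CMD" 192.168.4.1 || true   # reports the 127.0.0.1 mistake
check_divert "$FW_CONF" "$GOOD_CMD" 192.168.4.1          # ok
```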

And learn to understand what "type or paste code here" means.

Thank you. It is not easy for my first paste.

dnsmasq caches answers; if you want to serve 100+ clients, consider unbound (and a bigger device). The corner solutions that rhyme for a chatbot are not right for mere mortals.

Previously I used unbound on DD-WRT; the performance was not enough. Now I cannot return to DD-WRT because it bricked once, and only OpenWrt works.

And dnsmasq is really slower than dnscrypt-proxy 2.1.15 with cache=16M.

My clients are fewer than 15 indeed. If over 100 clients, I will choose pfSense, OPNsense, IPFire or OpenWrt x86-64 with unbound.

Now I realize all DNS is faster with DoQ (not H3), no smartdns.
The main dnscrypt-proxy2 is easy to control with github/Hagezi and more (oDoH or HoTor); if someone still has trouble accessing the internet, then choose another WiFi with basic quic://dns.adguard.com:853.

First you have to correct your vlans, after that whatever fits in the device memory to serve DNS.

I found a new bug:

"service dnsproxy enable" and "service dnsproxy start" behave differently from
dnsproxy -l 192.168.4.1 -p 5354 -v -o /dev/null --cache --cache-size=2097152 --cache-optimistic --ipv6-disabled -u quic://dns.adguard-dns.com -b tls://1.1.1.1:853 &

Because the Linksys WRT1900ACS boots 2.4GHz first, then 5GHz a few seconds later.

A client on 2.4GHz with "service dnsproxy start" is not available until dnscrypt-proxy2 is normal.

But a client on 2.4GHz with dnsproxy -l 192.168.4.1 -p 5354 -v -o /dev/null --cache --cache-size=2097152 --cache-optimistic --ipv6-disabled -u quic://dns.adguard-dns.com -b tls://1.1.1.1:853 &
can immediately work normally no matter whether dnscrypt-proxy2 works or not.

I dislike openssl3 inside. I checked; unbound needs it.