How to DNAT on LuCI? No option to rewrite Destination IP

I want to rewrite destination IP of DNS-over-53.

[Portforward Tab] doesn't have an option for "Destination IP rewrite" in DNAT


But SNAT does


In redirects (DNATs) the internal IP address is the destination rewrite address.

2 Likes

"Redirect matched incoming traffic to the specified internal host"
@jow

This is not working-



  1. What is that rule?
  2. Doesn't that allow the incoming network?

Also, I am still not able to redirect DNS-over-53 to enforce DNS.
@jow

If I understand correctly, you want to forward all DNS requests from local clients to 1.1.1.1:

uci add firewall redirect
uci set firewall.@redirect[-1]=redirect
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='DNS-Redirect'
uci set firewall.@redirect[-1].src='lan'
uci set firewall.@redirect[-1].src_dport='53'
uci set firewall.@redirect[-1].dest_ip='1.1.1.1'
uci set firewall.@redirect[-1].dest_port='53'
uci set firewall.@redirect[-1].reflection='0'
uci add_list firewall.@redirect[-1].proto='tcp'
uci add_list firewall.@redirect[-1].proto='udp'
uci commit firewall
/etc/init.d/firewall restart

or


1 Like

Not working. Tested using dnsleaktest.com. I set my phone to use 1.1.1.1 and the router to forward it to 8.8.8.8, but dnsleaktest.com shows 1.1.1.1.

Also, my traffic rules are not able to block DNS53.

To allow my DNS (the censored IPs aren't 1.1.1.1 or 8.8.8.8)


and below it is this

It is highly unlikely that you will see 1.1.1.1 or 8.8.8.8 during a DNS leak test.
Look for the ISP name (Cloudflare or Google).

Check the DNS traffic on the wan interface using tcpdump.

opkg update; opkg install tcpdump; \
if=$(ifstatus wan | grep \"device | awk '{ print $2 }' | sed 's/[",]//g'); \
tcpdump -ennqti "$if" port 53

1 Like
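To turn the tcpdump check above into a yes/no answer, here is an added example (my own, not from the thread or from OpenWrt) that reads `tcpdump -ennqt` lines, counts the port-53 destinations that queries actually leave the wan interface for, and flags every resolver that is not on a space-separated allowlist. The function name `dns_upstreams` and the sample lines are mine; the sample approximates tcpdump's output shape, and only the `src.port > dst.53:` part of each line is parsed, so the exact link-layer prefix does not matter.

```shell
#!/bin/sh
# Added example (not from the thread): summarise where port-53 queries leaving the
# wan interface actually go. Argument 1 is a space-separated allowlist of the
# resolvers you expect; every other destination is flagged as UNEXPECTED.

dns_upstreams() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # "> A.B.C.D.53:" is an outbound query; replies carry the .53 on the left side
    match($0, / > [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.53:/) {
        dst = substr($0, RSTART + 3, RLENGTH - 7)   # strip " > " and ".53:"
        seen[dst]++
    }
    END {
        for (d in seen)
            printf "%s %d %s\n", d, seen[d], (d in ok) ? "allowed" : "UNEXPECTED"
    }
    ' | sort
}

# Constructed sample in the shape of `tcpdump -ennqt port 53` output: the router's
# wan address is 203.0.113.5 and 8.8.8.8 is the intended resolver; one query from a
# client that bypassed the redirect still goes to 1.1.1.1.
SAMPLE_TCPDUMP='00:11:22:33:44:55 > 66:77:88:99:aa:bb, IPv4, length 74: 203.0.113.5.51234 > 8.8.8.8.53: UDP, length 32
66:77:88:99:aa:bb > 00:11:22:33:44:55, IPv4, length 90: 8.8.8.8.53 > 203.0.113.5.51234: UDP, length 48
00:11:22:33:44:55 > 66:77:88:99:aa:bb, IPv4, length 74: 203.0.113.5.51235 > 1.1.1.1.53: UDP, length 32
00:11:22:33:44:55 > 66:77:88:99:aa:bb, IPv4, length 74: 203.0.113.5.51236 > 8.8.8.8.53: tcp 0'

# Prints "1.1.1.1 1 UNEXPECTED" and "8.8.8.8 2 allowed"
printf '%s\n' "$SAMPLE_TCPDUMP" | dns_upstreams "8.8.8.8"
```

On the router itself, with `$if` set as in the command above, `tcpdump -ennqti "$if" -c 200 port 53 | dns_upstreams "8.8.8.8"` captures 200 packets and then prints the summary; any UNEXPECTED line means a client reached a resolver the redirect was supposed to intercept.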

It is highly unlikely that you will see 1.1.1.1 or 8.8.8.8 during a DNS leak test.

I understand.

dnsleaktest.com shows "Cloudflare"
RE: I set my phone to use 1.1.1.1 and router to forward it to 8.8.8.8 but dnsleaktest.com shows 1.1.1.1

Hi RSHARM,
open Network => DHCP and DNS.

Under "DNS forwardings" enter your DNS server(s). Save settings.

After that, create a firewall rule to route all DNS traffic to your local DNS server (dnsmasq), like this:

# This will thwart manual DNS client settings and hardcoded DNS servers like in Google devices
config redirect
    option name 'Divert-DNS, port 53'
    option src 'lan'
    option proto 'tcp udp'
    option src_dport '53'
    option dest_port '53'
    option target 'DNAT'

Optionally, disable all DNS servers from your ISP in /etc/config/network:

config interface 'wan'    # or 'wan6'
    option peerdns '0'

Restart device or all related services.

(From the dnscrypt-proxy wiki, which provides more useful information about DNS.)

hth

@pavelgl I think it worked, because now my internet doesn't work when using that rule.
Also, why doesn't the DNS redirect?

Hard to say w/o any information. Maybe you're missing an IPv6 server for DNS?

Go to "Network => Diagnostics"
Run IPv4Ping, IPv6Ping and dnslookup and see what works.

If it's still not working we might need the config files:

/etc/config/network
/etc/config/dhcp
/etc/config/firewall

Hard to say w/o any information.

Whatever info you want, I will give.

Maybe you're missing an IPv6 server for DNS?

I need IPv6 DNS? My ISP doesn't support IPv6, so I have blocked and disabled it where possible.

Go to "Network => Diagnostics"
Run IPv4Ping, IPv6Ping and dnslookup and see what works.

Ping and DNSLookup to what server?

If it's still not working we might need the config files:
/etc/config/network
/etc/config/dhcp
/etc/config/firewall

How do I extract configs? Here are screenshots anyway:






Ummm...open the files and copy/paste.

(BTW, they would be in your backup file if you don't know how to use SSH/CLI.)

Providing your config as asked would be very helpful. Your screenshots do not have all information needed.

This is unnecessary.

On the Internet.

@pavelgl @lleachii @jow @ChanL


dhcp


config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name ''
	option mac ''
	option ip '192.168.1.2'

config host
	option mac ''
	option ip '192.168.1.3'
	option name ''
	option dns '1'

config host
	option name ''
	option mac ''
	option ip '192.168.1.4'

config host
	option name ''
	option dns '1'
	option ip '192.168.1.5'
	option mac ''

config host
	option name ''
	option dns '1'
	option mac ''
	option ip '192.168.1.6'

config host
	option name ''
	option dns '1'
	option mac ''
	option ip '192.168.1.7'

config host
	option name ''
	option mac ''
	option ip '192.168.1.8'

config host
	option name ''
	option mac ''
	option ip '192.168.1.9'

config host
	option mac ''
	option ip ''
	option dns '1'
	option name ''

config host
	option ip '192.168.1.11'
	option mac ''
	option name ''
	option dns '1'

config host
	option mac '00:00:00:00:00:12'
	option ip '192.168.1.12'

config host
	option mac '00:00:00:00:00:13'
	option ip '192.168.1.13'

config dhcp 'Guest'
	option interface 'Guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'Private'
	option interface 'Private'
	option start '100'
	option limit '150'
	option leasetime '12h'

firewall


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	option flow_offloading '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest_port '68'
	list src_ip '192.168.100.1'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

config zone
	option name 'Guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'DROP'
	list network 'Guest'

config rule
	option name 'Router Extender Allow'
	option target 'ACCEPT'
	option src '*'
	option dest '*'
	list src_ip '192.168.1.2'
	list src_ip '192.168.2.1'

config rule
	option direction 'in'
	option device 'eth0.2'
	option target 'DROP'
	option src 'wan'
	option name 'Block Inbound'
	list proto 'all'

config rule
	option name 'IPv6 Block'
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'
	option family 'ipv6'
	list proto 'all'

config rule
	option name 'QUIC'
	option dest 'wan'
	option target 'REJECT'
	list proto 'udp'
	option src 'lan'
	option dest_port '80 443'

config rule
	option name 'Private DHCP'
	option dest_port '67 68'
	option target 'ACCEPT'
	option src 'Private'

config rule
	option src 'Guest'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest_port '67 68'
	option name 'Guest DHCP'

config rule
	list dest_ip '10.0.0.1'
	list dest_ip '192.168.1.1'
	option dest_port '53'
	option target 'ACCEPT'
	option name 'Guest DNS'
	option src 'Guest'

config rule
	option src 'Guest'
	option dest 'wan'
	option target 'ACCEPT'
	option dest_port '80 443'
	option name 'Guest Port Allow'
	list proto 'tcp'

config rule
	option src 'Guest'
	option dest 'wan'
	option target 'REJECT'
	option name 'Guest Block All'
	list proto 'all'

config rule
	option name 'ICMP'
	list proto 'icmp'
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option dest 'wan'
	option src 'lan'
	option name 'Allow My DNS'
	list dest_ip '45.*.*.*'
	list dest_ip '45.*.*.*'
	list dest_ip '192.168.1.1'
	list dest_ip '45.*.*.*'
	list dest_ip '45.*.*.*'
	option dest_port '53'

config rule
	option name 'DNS Block Other'
	option src 'lan'
	option dest 'wan'
	option dest_port '53'
	option target 'REJECT'

config rule
	option name 'NTP'
	list proto 'udp'
	option src 'lan'
	option dest 'wan'
	option dest_port '123 '
	option target 'ACCEPT'
	option limit '10/second'

config rule
	option name 'Allow Ports'
	option dest 'wan'
	option target 'ACCEPT'
	option src 'lan'
	list proto 'tcp'
	option dest_port '80 443 853'

config rule
	list src_ip '192.168.1.3'
	list src_ip '192.168.1.4'
	list src_ip '192.168.1.5'
	list src_ip '192.168.1.6'
	list src_ip '192.168.1.7'
	option dest_port '51820'
	option name 'PortAllow Exception Wireguard'
	option target 'ACCEPT'
	option src 'lan'
	option dest 'wan'

config rule
	option dest_port '5000'
	option target 'ACCEPT'
	option dest 'wan'
	option name 'PortAllow Exception * Website'
	list src_mac ''
	option src 'lan'

config rule
	option target 'ACCEPT'
	option dest 'wan'
	option dest_port '5551'
	option name 'PortAllow Exception * Mobile'
	list src_mac ''
	option src 'lan'

config rule
	option name 'VoWiFi'
	list proto 'udp'
	option src 'lan'
	list src_ip '192.168.1.8'
	list src_ip '192.168.1.9'
	list src_ip '192.168.1.10'
	list src_ip '192.168.1.11'
	list src_ip '192.168.1.12'
	option dest 'wan'
	option dest_port '500 4500'
	option target 'ACCEPT'

config rule
	option name 'VoWiFi'
	list proto 'tcp'
	option src 'lan'
	option dest 'wan'
	option dest_port '143'
	option target 'ACCEPT'
	list src_ip '192.168.1.8'
	list src_ip '192.168.1.9'
	list src_ip '192.168.1.10'
	list src_ip '192.168.1.11'
	list src_ip '192.168.1.12'

config forwarding
	option src 'Guest'
	option dest 'wan'

config zone
	option name 'Private'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'Private'

config rule
	option name 'WhatsApp'
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	list src_ip '192.168.1.8'
	list src_ip '192.168.1.9'
	list src_ip '192.168.1.10'
	list src_ip '192.168.1.11'
	list src_ip '192.168.1.12'
	list src_ip '192.168.1.13'
	list proto 'tcp'
	option dest_port '4244 5222 5223 5228 5242'

config rule
	option name 'WhatsApp'
	option dest_port '50318 59234'
	option target 'ACCEPT'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'WhatsApp'
	list proto 'udp'
	option dest_port '3478 45395'
	option target 'ACCEPT'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'ALL'
	option target 'REJECT'
	list proto 'all'
	option src 'lan'
	option dest 'wan'

config redirect
	option target 'DNAT'
	option name 'DNS Rewrite'
	option src 'lan'
	option src_dport '53'
	option dest_ip '8.8.8.8'
	option dest_port '53'
	option enabled '0'

Network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb1:be1c:1ca6::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	option macaddr '*'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option ip6assign '60'
	option netmask '255.255.255.240'
	list dns '45.*.*.*'

config device
	option name 'eth0.2'
	option macaddr '*'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '45.*'
	list dns '45.*'
	option hostname '*'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	option clientid '1F'
	list dns '45.*'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'Guest'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.248'

config interface 'Private'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.248'

@Kamikater @darksky @grrr2 @dave14305
Help. What am I doing wrong here?

Have you read this: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns ?

1 Like

Yes
Sometimes it works, sometimes it doesn't. Mostly it doesn't.

@jow @pavelgl @lleachii @ChanL

It works when I redirect to gateway (192.168.1.1) but not when I redirect to 9.9.9.9 or 8.8.8.8 or 1.1.1.1

It's not appropriate to mark everyone here to gather attention. One time might be ok, not twice. If I can contribute something useful, I will do so.

3 Likes

That's a strange observation.

As you did not share what you configured, I'm not sure what is not working for you. If I apply the following firewall rules:

1)
config redirect
        option target 'DNAT'
        option src 'lan'
        option src_dport '53'
        option dest_port '53'
        option name 'hijack DNS lan'
        option dest 'wan'
        option dest_ip '8.8.8.8'

2)
config redirect
        option target 'DNAT'
        option src 'lan'
        option src_dport '53'
        option dest_port '53'
        option name 'hijack DNS lan'
        option dest 'lan'
        option dest_ip '192.168.1.1'

they do the work. Rule 1) redirects DNS traffic to 8.8.8.8; rule 2) redirects DNS traffic to the local resolver listening on 192.168.1.1. Only one of them is needed.
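The thread's confusion comes from the redirect options themselves: in a `config redirect` with `target 'DNAT'`, `dest_ip` is the rewrite address (jow's uci batch and rule 1 above), a redirect with no `dest_ip` lands on the router's own resolver (the dnscrypt-proxy wiki snippet and rule 2 above), and `enabled '0'` leaves the section in the file but out of the loaded ruleset. The following added example (mine, not from the thread or from OpenWrt) reads a `/etc/config/firewall` on stdin, walks its `config redirect` sections and prints one line per redirect saying where matched traffic ends up, filling absent options with the fw3 defaults (`enabled` 1, `proto` tcp and udp). The function name `audit_redirects`, the output format and the sample config (assembled from redirects posted in the thread) are mine.

```shell
#!/bin/sh
# Added example (not from the thread): audit the 'config redirect' sections of an
# OpenWrt /etc/config/firewall read on stdin and state where each DNAT actually
# sends matched traffic. Values are expected in UCI's single-quoted form.

audit_redirects() {
    awk -v q="'" '
    function unquote(s) { gsub("^" q "|" q "$", "", s); return s }
    function flush() {
        if (in_redirect) {
            n   = (name == "")    ? "(unnamed)" : name
            dip = (dest_ip == "") ? "router"    : dest_ip   # no dest_ip: DNAT to the router itself
            en  = (enabled == "") ? "1"         : enabled   # fw3 default: enabled
            pr  = (proto == "")   ? "tcp udp"   : proto     # fw3 default for redirects: tcpudp
            line = sprintf("%s: target=%s from %s port %s -> %s port %s proto=%s enabled=%s",
                           n, target, src, src_dport, dip, dest_port, pr, en)
            if (en == "0") line = line " <- disabled, no effect"
            print line
        }
        in_redirect = 0
        name = target = src = src_dport = dest_ip = dest_port = proto = enabled = ""
    }
    $1 == "config" { flush(); if ($2 == "redirect") in_redirect = 1; next }
    in_redirect && ($1 == "option" || $1 == "list") {
        key = $2
        val = $0
        sub(/^[[:space:]]*(option|list)[[:space:]]+[^[:space:]]+[[:space:]]+/, "", val)
        val = unquote(val)
        if      (key == "name")      name = val
        else if (key == "target")    target = val
        else if (key == "src")       src = val
        else if (key == "src_dport") src_dport = val
        else if (key == "dest_ip")   dest_ip = val
        else if (key == "dest_port") dest_port = val
        else if (key == "enabled")   enabled = val
        else if (key == "proto")     proto = (proto == "") ? val : proto " " val
    }
    END { flush() }
    '
}

# Constructed sample: a rule section that must be ignored, then three redirects as
# posted in the thread (jow's uci batch, the dnscrypt-proxy wiki snippet, the OP's rule).
SAMPLE_FW=$(cat <<'EOF'
config rule
	option name 'DNS Block Other'
	option target 'REJECT'

config redirect
	option target 'DNAT'
	option name 'DNS-Redirect'
	option src 'lan'
	option src_dport '53'
	option dest_ip '1.1.1.1'
	option dest_port '53'
	list proto 'tcp'
	list proto 'udp'

config redirect
	option name 'Divert-DNS, port 53'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect
	option target 'DNAT'
	option name 'DNS Rewrite'
	option src 'lan'
	option src_dport '53'
	option dest_ip '8.8.8.8'
	option dest_port '53'
	option enabled '0'
EOF
)

printf '%s\n' "$SAMPLE_FW" | audit_redirects
```

On a router, `audit_redirects < /etc/config/firewall` gives the same summary for the live file. Running it over the sample prints the three redirects in order: the first rewrites lan port 53 to 1.1.1.1, the second lands on the router, and the third reports `enabled=0 <- disabled, no effect`, which is the first thing to check when a redirect that looks right in LuCI changes nothing.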