I recently upgraded to the latest openwrt version and nftables.
I had some iptables rules in /etc/firewall.users that stopped working after the update, so I used iptables-translate to use the same rules for nftables, but I am having some problems and I am just figuring out what the problem might be.
Basically, I want to achieve that every connection must use the local DNS server.
nft add rule ip nat PREROUTING iifname "br-GUEST" udp dport 53 counter dnat to 192.168.50.1:5353
nft add rule ip nat PREROUTING iifname "br-GUEST" tcp dport 53 counter dnat to 192.168.50.1:5353
nft add rule ip nat PREROUTING iifname "br-lan.1" udp dport 53 counter dnat to 192.168.50.1:5353
nft add rule ip nat PREROUTING iifname "br-lan.1" tcp dport 53 counter dnat to 192.168.50.1:5353
nft add rule ip nat PREROUTING iifname "br-lan.2" udp dport 53 counter dnat to 192.168.50.1:5353
nft add rule ip nat PREROUTING iifname "br-lan.2" tcp dport 53 counter dnat to 192.168.50.1:5353
nft add rule ip nat PREROUTING iifname "wg0" udp dport 53 counter dnat to 192.168.50.1:5353
nft add rule ip nat PREROUTING iifname "wg0" tcp dport 53 counter dnat to 192.168.50.1:5353
or just:
nft add rule nat pre udp dport 53 ip saddr 192.168.50.0/24 dnat 192.168.50.1:5353
nft add rule nat pre tcp dport 53 ip saddr 192.168.50.0/24 dnat 192.168.50.1:5353
The problem I face is this:
Error: Could not process rule: No such file or directory
add rule ip nat PREROUTING iifname br-GUEST udp dport 53 counter dnat to 192.168.50.1:5353
^^^
Do you know where the error is? Why does it not work?
Is it possible with your solution to add multiple option src? Like:
br-lan.1 is for 192.168.50.1 (zone proxmox) and br-lan.2 for 192.168.1.1 (zone lan). wg0 (zone wireguard) and br-guest aren't enabled anyway. So I just created zones to keep them separate, especially wifi access for guests, which I don't have ;D. Nah, they mostly use the phone anyway and I turned the wifi AP off.
So actually I just want to make sure that every device is using the DNS server, actually AdGuard Home ("upstream DNS servers" to dnscrypt).
I used to use the firewall box in the GUI, which is gone since the latest update/version, but I read in the docs that /etc/firewall.user is still usable. I also have DNS forwardings set under DHCP and DNS, which should do the trick anyway, but this was always a 100% solution, and I am trying to understand nftables atm in general so I can move on to other servers running nftables and/or firewalld.
Duplicate the entire redirect rule for each zone. Let firewall4 create the nftables rules.
Add the translated nft statements using nft add rule inet fw4 dstnat instead of ip nat PREROUTING.
Use a firewall4 include file at /usr/share/nftables.d/chain-pre/dstnat/ that contains valid nftables syntax (not nft add statements). See the README in the nftables.d directory.
And there are probably more options that I’m not familiar with since I don’t use multiple LAN zones on my router.
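The following is an added example, not code from the thread or from the OpenWrt project, showing the third option above (a firewall4 include file) as a small POSIX sh deploy script. The "No such file or directory" error from nft means the table or chain named in the rule does not exist: firewall4 builds its ruleset in table inet fw4 (chain dstnat for destination NAT), so there is no ip nat table with a PREROUTING chain to add to. The script renders one fragment-syntax rule (no "nft add rule" prefix, because fw4 splices the file into its own chain) that matches all listed interfaces in one set and both tcp and udp in one rule. Assumptions: firewall4 on OpenWrt 22.03 or later, that fw4 picks up *.nft files from /usr/share/nftables.d/chain-pre/dstnat/, and the file name 10-force-local-dns.nft, which is made up; the interface names and the 192.168.50.1:5353 target are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the forum thread or from OpenWrt): render a firewall4
# include fragment that forces plain DNS (tcp/udp port 53) arriving on the listed
# LAN-side interfaces to the local resolver, then validate and reload with fw4.
# Assumed: firewall4, its dstnat chain in table inet fw4, the include directory
# /usr/share/nftables.d/chain-pre/dstnat/ and the *.nft suffix fw4 includes from it.

INCLUDE_DIR="/usr/share/nftables.d/chain-pre/dstnat"
INCLUDE_FILE="$INCLUDE_DIR/10-force-local-dns.nft"   # hypothetical file name
DNS_TARGET="192.168.50.1:5353"                        # AdGuard Home listener from the thread
LAN_IFACES="br-lan.1 br-lan.2 wg0"                    # iifname is a string match; the interface need not exist yet

# Build an nftables anonymous set literal, e.g. { "br-lan.1", "br-lan.2" },
# from a space-separated list of interface names.
iface_set() {
    set -- $1
    out=""
    for i in "$@"; do
        out="${out:+$out, }\"$i\""
    done
    printf '{ %s }' "$out"
}

# Emit the chain body lines that fw4 splices into inet fw4 dstnat.
# In the inet family the action must be written "dnat ip to"; "th dport"
# matches the transport-header destination port for tcp and udp alike.
render_dns_redirect() {
    ifaces=$(iface_set "$1")
    target=$2
    cat <<EOF
# Force every client on the LAN side to use the local resolver for plain DNS.
iifname $ifaces meta l4proto { tcp, udp } th dport 53 counter dnat ip to $target comment "force local DNS"
EOF
}

# Write the fragment, have fw4 render and syntax-check the complete ruleset
# (fw4 check), and only then apply it (fw4 reload).
install_include() {
    mkdir -p "$INCLUDE_DIR"
    render_dns_redirect "$LAN_IFACES" "$DNS_TARGET" > "$INCLUDE_FILE"
    if command -v fw4 >/dev/null 2>&1; then
        fw4 check && fw4 reload
    fi
}

# Run as "sh force-local-dns.sh install" on the router; without the argument
# the functions are only defined, so the file can be sourced or inspected.
if [ "${1:-}" = "install" ]; then
    install_include
fi
```

The counter in the rule lets you confirm the redirect is being hit with nft list chain inet fw4 dstnat. The rule only catches plain DNS on port 53: clients using DNS over TLS (853) or DNS over HTTPS (443) are not redirected, so this enforces the default resolver rather than guaranteeing every lookup goes through AdGuard Home. Files under /usr/share are not preserved across a sysupgrade unless added to the backup list; the upgrade-safe variant is a config include section in /etc/config/firewall with option type 'nftables', option position 'chain-pre' and option chain 'dstnat' pointing at a file under /etc.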