KidSafe (or Guest) WiFi, Forced SafeSearch and Adblock

I had been experimenting for several weeks with creating a Guest wireless network with LEDE. Of particular interest, I wanted multiple dnsmasq instances and thorough filtering options with @dibdot's phenomenal Adblock package.

Initially I had a lot of difficulty getting Adblock to filter multiple dnsmasq instances on separate zones. That is what took the majority of time to troubleshoot and solve. I've got Adblock filtering multiple dnsmasq instances on separate zones successfully now.

Then I thought about changing that Guest wireless network into a network safe for kids with Adblock filtering lists, but also OpenDNS Family Shield, forced Google SafeSearch, Bing Family Shield, and Strict Restricted YouTube access, etc. The main wireless network remains entirely unrestricted, though Adblock filtering is still active.

I have learned a lot via the LEDE Project forum and OpenWrt forum over the years and this is my way of giving back. I wanted to share this since it may be beneficial for some parents wanting to keep their kids safer online or some code benefits here for guest network and Adblock filtering in general.

I will try to update this thread as I continue to add more filtering options to keep kids safe online.

Highlights:

  • forces network level protection on all kids' iPads, iPhones, laptops, etc. within the home network

  • makes use of multiple instances of dnsmasq and dhcp

  • forced Google SafeSearch, Bing Family Filter, and Strict Restricted YouTube access

  • utilizes OpenDNS Family Shield

  • additional local filtration (ads, trackers, malware, etc.) with @dibdot's Adblock for multiple dnsmasq instances

  • main wireless network remains entirely unrestricted, though Adblock filtering is still active


/etc/config/dhcp
(related dhcp/dnsmasq additions)

config dnsmasq 'main'
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	list interface 'lan'
	option cachesize '1000'
	option logfacility '/dev/null'

config dnsmasq 'kidsafe'
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/kidsafe/'
	option domain 'kidsafe'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.kidsafe'
	option resolvfile '/tmp/resolv.conf.kidsafe'
	option strictorder '1'
	option nonwildcard '1'
	list interface 'kidsafe'
	list notinterface 'lo'
	option cachesize '1000'
	option logfacility '/dev/null'
	list address '/google.com/216.239.38.120'
	list address '/google.ca/216.239.38.120'
	list address '/bing.com/204.79.197.220'
	list address '/bing.ca/204.79.197.219'
	list address '/youtube.com/216.239.38.120'
	list address '/m.youtube.com/216.239.38.120'
	list address '/youtubei.googleapis.com/216.239.38.120'
	list address '/youtube.googleapis.com/216.239.38.120'
	list address '/youtube-nocookie.com/216.239.38.120'
	list server '208.67.222.123'
	list server '208.67.220.123'

config dhcp 'lan'
	option instance 'main'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'kidsafe_private'
	option instance 'kidsafe'
	option interface 'kidsafe'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

/etc/config/firewall
(related firewall additions)

config zone
	option name 'kidsafe'
	option input 'ACCEPT'
	option forward 'DROP'
	option output 'ACCEPT'
	option network 'kidsafe'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'KidSafe DNS'
	option src 'kidsafe'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'KidSafe DHCP'
	option src 'kidsafe'

config redirect 'adblock_dns'
	option name 'Adblock DNS'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_dns_kidsafe'
	option name 'Adblock DNS KidSafe'
	option src 'kidsafe'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config forwarding
	option dest 'wan'
	option src 'kidsafe'

/etc/config/network
(related network additions)

config interface 'kidsafe'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option delegate '0'
	option dns '208.67.222.123 208.67.220.123'
	option netmask '255.255.255.0'

/etc/config/wireless
(related wireless additions / radio settings may differ)

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2+ccmp'
	option key '****'
	option network 'kidsafe'
	option ssid 'OpenWrt-KidSafe'

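
Added example, not part of the post above: a small shell script that predicts, from the kidsafe instance's `list address` entries in the dhcp config above, which forced SafeSearch address the kidsafe dnsmasq must answer for a given name, and audits observed answers against that prediction. dnsmasq's address=/domain/ip matches the domain itself and everything below it, the longest matching entry wins, and names with no entry go to the instance's `list server` upstreams. The prediction for mail.google.com makes visible that the broad /google.com/ entry sends every other Google hostname to the SafeSearch VIP as well, which is worth confirming is what you want. The "observed" answers in the script are constructed stand-ins for what `nslookup NAME 192.168.3.1` returns on a KidSafe client (192.168.3.1 is the kidsafe address from the network config above); on a real client feed it the A records you get back. The check only covers plain port-53 DNS, which is what the DNAT rule catches; a client that resolves over DNS-over-HTTPS on port 443 never sees these answers.

```sh
#!/bin/sh
# Added example, not part of the thread: predicts what the 'kidsafe' dnsmasq
# instance must answer for a name, from its `list address` entries, and checks
# observed answers against that. dnsmasq's address=/domain/ip matches the
# domain itself and every name under it; when several entries match, the most
# specific (longest) one wins. Names with no entry fall through to the
# instance's `list server` upstreams (OpenDNS FamilyShield in the thread).

# The address map copied from the thread's kidsafe instance, "domain ip" per line.
KIDSAFE_ADDRESS_MAP='
google.com 216.239.38.120
google.ca 216.239.38.120
bing.com 204.79.197.220
bing.ca 204.79.197.219
youtube.com 216.239.38.120
m.youtube.com 216.239.38.120
youtubei.googleapis.com 216.239.38.120
youtube.googleapis.com 216.239.38.120
youtube-nocookie.com 216.239.38.120
'

# expected_answer NAME -> the forced IP for NAME, or "upstream" when no entry matches.
expected_answer() {
    printf '%s\n' "$KIDSAFE_ADDRESS_MAP" | awk -v q="$1" '
        BEGIN { q = tolower(q); best = ""; ip = "upstream" }
        NF == 2 {
            d = $1
            # exact name, or a name below d (the suffix must start at a label boundary)
            if (q == d || substr(q, length(q) - length(d)) == "." d)
                if (length(d) > length(best)) { best = d; ip = $2 }
        }
        END { print ip }'
}

# is_forced_ip IP -> 0 if IP is one of the SafeSearch VIPs in the map.
is_forced_ip() {
    printf '%s\n' "$KIDSAFE_ADDRESS_MAP" | awk -v ip="$1" 'NF == 2 && $2 == ip { f = 1 } END { exit !f }'
}

# check_answer NAME OBSERVED_IP -> 0 if the observed A record is what the map
# dictates: the VIP for forced names, and anything but a VIP for the rest.
check_answer() {
    want=$(expected_answer "$1")
    if [ "$want" = "upstream" ]; then
        ! is_forced_ip "$2"
    else
        [ "$want" = "$2" ]
    fi
}

# Constructed observations standing in for what `nslookup NAME 192.168.3.1`
# returns on a KidSafe client. The www.youtube.com line is deliberately wrong
# (a non-VIP address) so that a mismatch is shown; 203.0.113.0/24 is TEST-NET-3.
OBSERVED='
www.google.com 216.239.38.120
mail.google.com 216.239.38.120
www.bing.com 204.79.197.220
m.youtube.com 216.239.38.120
example.com 203.0.113.10
www.youtube.com 203.0.113.20
'

# audit_observations -> one line per observation; returns the number of mismatches.
audit_observations() {
    fails=0
    while read -r name ip; do
        [ -n "$name" ] || continue
        if check_answer "$name" "$ip"; then status=ok; else status=MISMATCH; fails=$((fails + 1)); fi
        printf '%-26s observed=%-16s expected=%-16s %s\n' "$name" "$ip" "$(expected_answer "$name")" "$status"
    done <<EOF
$OBSERVED
EOF
    return $fails
}

if audit_observations; then
    echo "every observed answer matches the kidsafe address map"
else
    echo "some answers do not match: confirm the client really uses 192.168.3.1 and no other resolver"
fi
```

Run it on the router or any box with a POSIX sh and awk; replace the OBSERVED table with the answers a KidSafe client actually gets and the mismatch count tells you whether the forced map is reaching that client.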

Looking good, I'll watch this thread with interest - thank you for the effort.

There was one outstanding issue with regard to Multiple DNS (dnsmasq) instances in LEDE which was causing both (or all) WiFi networks to use the same DNS servers. If this is a bug within LEDE and someone knows more about creating bug reports, please let me know what I can do to help here.

With this config, we get:

/tmp/resolv.conf.auto
/tmp/resolv.conf.kidsafe

The main 5GHz and 2.4GHz networks (used by adults and not restricted) were set to pull in DNS servers from resolv.conf.auto, while the KidSafe WiFi pulls DNS servers from resolv.conf.kidsafe

The problem with my KidSafe WiFi Multiple DNS instance LEDE setup is that nothing was being written to the resolv.conf.kidsafe file. The file was being created correctly and being polled correctly from KidSafe WiFi clients, but nothing was being written to that file. It always remained blank.

The problem was that the resolv.conf.auto file being written was:

# Interface lan
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface wan
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface kidsafe
nameserver 208.67.222.123
nameserver 208.67.220.123

The correct resolv.conf files should be as follows:

resolv.conf.auto

# Interface lan
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface wan
nameserver 208.67.222.222
nameserver 208.67.220.220

resolv.conf.kidsafe

# Interface kidsafe
nameserver 208.67.222.123
nameserver 208.67.220.123

So to work around the potential Multiple DNS instance LEDE bug, I had to manually create a "hacky" fix to this which survives every sysupgrade that I do. If somebody is able to share a smoother, more correct, less "hacky" fix, I am always happy to receive any kind of help or suggestions.

I had to manually create a resolv.conf.kidsafe file:
/etc/resolv.conf.kidsafe

# Interface kidsafe
nameserver 208.67.222.123
nameserver 208.67.220.123

I had to edit sysupgrade.conf to keep this file on every sysupgrade:

/etc/sysupgrade.conf

/etc/resolv.conf.kidsafe

I had to edit rc.local so that, upon any reboot or sysupgrade, my fix would be applied automatically and copied to the correct location:

/etc/rc.local

sleep 60
cp /etc/resolv.conf.kidsafe /tmp/resolv.conf.kidsafe

exit 0

There was one modification that had to be done to my original settings from the original post of this thread.

In /etc/config/network I had to remove the following:

option dns '208.67.222.123 208.67.220.123'

That had to be removed since it was incorrectly being written to the main resolv.conf.auto file instead of the proper resolv.conf.kidsafe file.

So while this probably appears sloppy and "hacky", my Multiple DNSmasq instance setup with a separate KidSafe WiFi (additional protection for kids) is absolutely smooth sailing and has survived well over a dozen sysupgrades. I fixed this issue locally about a month ago and it has been running smoothly ever since, however I had this long delay in writing about this fix here in this thread. So I apologize for that.

Cheers!


Also need to remove the following from /etc/config/dhcp:

list server '208.67.222.123'
list server '208.67.220.123'

I just played along at home (blindly :D), I must have caught the brain waves in the air with your latest post - I decided I wanted to create a "Guest aka Dummy" WiFi/Network with a separate DNSMasq instance!

Thanks for sharing, much appreciated. It was good to have a hand hold with my first deep dive into LEDE - I think I got the foundations to try out a few other things now.

If I learn anything relevant, I'll be sure to post it as I'm sure this article will become a valuable reference point.

Cheers,
Nash

EDIT: Went wrong somewhere... Just tested connectivity from my phone - got no DNS. I would have been damn impressed if it "just worked" though... Now I have to chase down all the 'kidsafes' that I missed editing out.

Some key things to look for if DNS is failing to resolve with regard to this multiple DNS instance setup.

In LuCI, go to Status - Processes:

Verify that you've got two separate dnsmasq instances with two different PIDs. Something like:

/usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.main -k -x /var/run/dnsmasq/dnsmasq.main.pid
/usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.kidsafe -k -x /var/run/dnsmasq/dnsmasq.kidsafe.pid

Also check the file /tmp/resolv.conf.kidsafe (or whichever name you may use instead of kidsafe) to ensure that the file is populated specifically with the DNS servers that you want that dnsmasq instance to be utilizing.

Please follow up and let us all know what the issue ends up being. I am hoping that I can simplify this process somehow when I have more time because there are a lot of areas that could potentially go wrong.

Many thanks Wild for your effort! Anyhow I think I found a more elegant way for accomplishing this copy:

cp /etc/resolv.conf.kidsafe /tmp/resolv.conf.kidsafe

You could modify your dnsmasq start script, by searching for the service_start() operation and then append the line above at the end of it. In this way, each time you start (or restart) dnsmasq, also the file has been copied.

No need to put it in rc.local anymore

Hope it helps
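
Added example, not from any of the posts: instead of keeping a static /etc/resolv.conf.kidsafe and copying it into /tmp from rc.local or from service_start(), derive the per-instance file from what netifd actually wrote. The combined file follows the "# Interface NAME" / "nameserver ADDR" layout quoted earlier in this thread; the script below splits it into resolv.conf.NAME files, one per interface, so the kidsafe instance's option resolvfile '/tmp/resolv.conf.kidsafe' receives only the kidsafe nameservers and the main instance can keep reading the combined file. On the router you would call split_resolv /tmp/resolv.conf.auto /tmp from the same hook where the copy was done (newer releases keep the combined file under /tmp/resolv.conf.d/ instead, so pass that path there). The demo uses a constructed copy of the combined file and writes into a temporary directory.

```sh
#!/bin/sh
# Added example, not part of the thread: splits netifd's combined
# resolv.conf.auto into one file per interface so that each dnsmasq instance's
# `option resolvfile` gets only its own interface's nameservers. It derives the
# kidsafe file from what netifd actually wrote instead of shipping a static copy
# from /etc, which is what the rc.local and service_start() workarounds do.

# split_resolv COMBINED OUTDIR
#   Reads "# Interface NAME" headers followed by "nameserver ADDR" lines from
#   COMBINED and writes OUTDIR/resolv.conf.NAME for every interface found, each
#   holding its own header and nameservers. Prints the interface names written.
split_resolv() {
    combined=$1
    outdir=$2
    [ -r "$combined" ] || { echo "split_resolv: cannot read $combined" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    awk -v outdir="$outdir" '
        /^# Interface / {
            iface = $3
            out = outdir "/resolv.conf." iface      # awk truncates on first write, then appends
            if (!(iface in seen)) { seen[iface] = 1; order[++n] = iface }
            print > out
            next
        }
        /^nameserver / && iface != "" { print > out; next }
        END {
            for (i = 1; i <= n; i++) { close(outdir "/resolv.conf." order[i]); print order[i] }
        }' "$combined"
}

# nameservers_of FILE -> the nameserver addresses in FILE, space separated.
nameservers_of() {
    awk '/^nameserver / { printf "%s%s", (n++ ? " " : ""), $2 } END { print "" }' "$1"
}

# Demo on a constructed copy of the combined file shown in the thread, written
# into a temporary directory so nothing under /tmp/resolv.conf* is touched.
demo_split() {
    work=$(mktemp -d)
    cat > "$work/resolv.conf.auto" <<'EOF'
# Interface lan
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface wan
nameserver 208.67.222.222
nameserver 208.67.220.220
# Interface kidsafe
nameserver 208.67.222.123
nameserver 208.67.220.123
EOF
    for iface in $(split_resolv "$work/resolv.conf.auto" "$work/split"); do
        printf 'resolv.conf.%-8s -> %s\n' "$iface" "$(nameservers_of "$work/split/resolv.conf.$iface")"
    done
    rm -rf "$work"
}

demo_split
```

The split has to be re-run whenever netifd rewrites the combined file (an interface coming up with new DNS servers), so a hotplug iface script is a better home for the call than rc.local; the noresolv '1' plus list server approach suggested later in this thread avoids the files altogether and is simpler when the upstreams are static.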

Hi, cheers for the additional info. The issue was as simple as chasing down the rogue "kidsafe" entries from where I had copy/pasted and changed to my own name!

I have 2 dnsmasq processes running, and haven't had any overwriting of files like you experienced. However, I'm trying to understand what exactly you were experiencing, because I actually reverted the additional changes you made and everything appears to be working as expected. Nothing is writing to any resolv files, however I suspect that it should be...

So, there's still some little gremlins running around, got a few sorted out when the housemate tried using the wifi this morning.

The below appears resolved as per footnote.

"expandhosts" doesn't appear to be working, or so it would immediately appear. It's hit and miss whether I can resolve an internal hostname on the main network. Yet if I perform nslookup and call those hostnames, the server resolves them fine (with their .lan suffix).

I'm also a bit shady about whether the "guest" network is actually hitting the specified external DNS servers too. If I enable DNS query log to syslog, no queries are logged. I also wasn't able to catch the queries with tcpdump on the router, nor could I catch any traffic from the "guest" subnet, although I didn't spend too much time crafting my syntax and making sure I had them right for the flow.

As for the guide you have produced - if followed step by step, it's a working tutorial. Inevitably little things crop up; I would imagine anyone attempting a LEDE installation and a relatively complex setup like this has the skill to tackle them. Once nutted out properly, if merged into a single guide it's a 5 minute job. A section dedicated to expanding a little on each of the services you've enforced would make a reference guide of its own, as ultimately that will become the honeypot next to the goldmine of dual dnsmasq & dhcp.

I'm going to give "Guest OpenVPN" a shot. That was the end result in mind for me once I saw what LEDE could do - a second SSID that had a permanent VPN connection. I'm not even 24hrs exposed to LEDE yet!


Edit: I can't say for certain as I was "fiddling", but I think adding:

option local '/lan/'
option domain 'paradox.local'

to /etc/config/dhcp under 'main'

and/or

local=/lan/
domain=paradox.local
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1

to /etc/dnsmasq.conf

resolved my internal name resolution issues. All resolving fine now.

Read this thread and follow-ups with great interest - many thanks @WildByDesign and @parad0xnasha !

Now, my ideal setup would be to have one network using dnscrypt-proxy (and a 'local' DNSSEC provider other than OpenDNS, no ad block, no filters) and another "kids" network using OpenDNS Family Shield DNS, Google and YouTube safe searches etc. (all kids' devices connected to this network and prohibited from LAN access). To me, having dnscrypt-proxy on top of one dnsmasq instance should not be a problem, but I seem to have issues with two instances of dnsmasq running in the first place - do you have any idea what the problem could be related to for a router running a downloaded (not custom built) LEDE 17.01.4?

Thanks,
Adam

Maybe I didn't get it straight, but I guess I've found another bug in the multiple dnsmasq instances. If I set a different resolv.conf file for each instance and then I set up the firewall to force DNS only in the guest wifi, with this rule:

config redirect 'force_dns_guest'
    option src 'guest'
    option proto 'tcp udp'
    option src_dport '53'
    option dest_port '53'
    option target 'DNAT'
    option name 'Force-DNS-guest'
    option dest 'guest'

(with or without the option dest 'guest' entry) I get that the main lan DNS instance has also been forced. The problem is that I don't want to force the DNS in the main lan. So in order to get it working I have to comment out the following line in the main dnsmasq instance:

#option resolvfile '/tmp/resolv.conf.auto'

Therefore, am I using the firewall in the wrong way, so that I have to modify that rule, or is there a bug in dnsmasq indeed?

For the resolv.conf files problem...
Actually the resolv.conf.auto is correctly generated.
If you specify any DNS for an interface in /etc/config/network, it will appear in the resolv.conf.auto file.
You can comment out the resolv.conf.auto option and use option noresolv '1' for each instance you defined (main, kidsafe).
So dnsmasq will not use any of the DNS servers that you have specified per interface
(/etc/config/network -> option dns).
Then add the list server option to your dnsmasq instances (main, kidsafe)
so both main and kidsafe use different DNS servers.

I use this for my guest network

config redirect
option name 'Force DNS ISOLATED'
option target 'DNAT'
option src 'isolated'
option dest 'isolated'
option src_dport '53'
option dest_port '53'
option proto 'tcp udp'
option dest_ip 'ip_of_isolated_interface'


@shm0 Thank you so much for sharing. Your suggestion for DNS settings is clear, clean, concise and sounds like the best case scenario for this particular setup. I will experiment with this as well for a day or so and then I will update the settings shared here accordingly. Thank you.

@shm0 I followed your instructions and all seems working now, excepting one thing.

I have 2 interfaces ('lan' and 'languest') and 2 dnsmasq instances ('main' and 'guest') respectively assigned to the 2 interfaces. I want the lan-main environment to not force the DNS to the router; instead I want the opposite (to force the DNS) in the languest-guest environment.

If I use your rule above, as follows:

config redirect 'force_dns_guest'
    option src 'guest'
    option proto 'tcp udp'
    option src_dport '53'
    option dest_port '53'
    option target 'DNAT'
    option name 'Force-DNS-guest'
    option dest 'guest'
    option dest_ip '192.168.2.1'

Still, the clients on the lan-main environment are being redirected.

This is my dhcp file:

config dnsmasq 'main'
    option domainneeded '1'
    option filterwin2k '0'
    option boguspriv '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '0'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    #option resolvfile '/tmp/resolv.conf.auto'
    option nonwildcard '1'
    option localservice '1'
    list interface 'lan'
    option cachesize '2000'
    option noresolv '1'
    #list server '208.67.222.222'
    #list server '208.67.220.220'

config dnsmasq 'guest'
    option domainneeded '1'
    option filterwin2k '0'
    option boguspriv '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/languest/'
    option domain 'languest'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases.guest'
    #option resolvfile '/tmp/resolv.conf.guest'
    option nonwildcard '1'
    option localservice '1'
    option strictorder '1'
    list interface 'languest'
    list notinterface 'lo'
    list server '208.67.222.222'
    list server '208.67.220.220'
    option noresolv '1' 

In order to avoid my clients on the lan-main environment being forced to use the DNS on the router, I have to comment out the list server on the 'main' dnsmasq instance.

For reference I add also my network file:

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'languest'
    option _orig_ifname 'wlan1-1'
    option _orig_bridge 'false'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'

Am I doing something wrong?
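
Added example, not part of any post in this thread: a lint for /etc/config/dhcp that checks, before dnsmasq is restarted, the points raised in the troubleshooting checklist and in the noresolv '1' plus list server suggestion above: two instances that end up reading the same resolvfile (and therefore the same upstreams, the symptom described earlier), a shared leasefile, an interface listed under two instances, more than one instance answering on lo, noresolv '1' with no list server at all, and DHCP pools that do not name an existing instance. The sample input is a constructed, trimmed copy of the lan/languest config posted just above, in which main has noresolv '1' and its servers commented out, so the lint reports that instance; that may be intended when those clients get their resolvers by DHCP, but it is exactly the kind of thing worth seeing flagged. The defaults assumed for absent options (resolvfile /tmp/resolv.conf.auto, leasefile /tmp/dhcp.leases) are the LEDE-era ones.

```sh
#!/bin/sh
# Added example, not from the thread: lint /etc/config/dhcp for the mistakes
# that surface when running several dnsmasq instances, before restarting dnsmasq.
# Assumed LEDE-era defaults for absent options: resolvfile /tmp/resolv.conf.auto,
# leasefile /tmp/dhcp.leases.

# lint_dhcp_config FILE -> prints "PROBLEM <where>: <what>" per finding,
# returns 0 when nothing was found and 1 otherwise.
lint_dhcp_config() {
    awk -v q="'" '
    function unq(s) {                       # strip one pair of surrounding quotes
        if (substr(s, 1, 1) == q || substr(s, 1, 1) == "\"") s = substr(s, 2)
        if (substr(s, length(s)) == q || substr(s, length(s)) == "\"") s = substr(s, 1, length(s) - 1)
        return s
    }
    function problem(where, what) { nprob++; print "PROBLEM " where ": " what }
    $1 == "config" {                        # new UCI section: remember its type
        cur = unq($3); if (cur == "") cur = $2 "@line" NR
        stype[cur] = $2
        if ($2 == "dnsmasq") inst[++ni] = cur
        else if ($2 == "dhcp") pool[++np] = cur
        next
    }
    cur != "" && ($1 == "option" || $1 == "list") {
        key = $2; val = $0
        sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]*/, "", val); val = unq(val)
        if (stype[cur] == "dnsmasq" && key == "interface") { hasif[cur] = 1; ifowner[val] = ifowner[val] " " cur }
        else if (stype[cur] == "dnsmasq" && key == "server") nserver[cur]++
        else if (stype[cur] == "dnsmasq" && key == "notinterface" && val == "lo") nolo[cur] = 1
        else opt[cur, key] = val
        next
    }
    END {
        for (i = 1; i <= ni; i++) {
            n = inst[i]
            rf = ((n, "resolvfile") in opt) ? opt[n, "resolvfile"] : "/tmp/resolv.conf.auto"
            lf = ((n, "leasefile") in opt) ? opt[n, "leasefile"] : "/tmp/dhcp.leases"
            nores = ((n, "noresolv") in opt) ? opt[n, "noresolv"] : "0"
            if (nores == "1" && nserver[n] == 0)
                problem(n, "noresolv=1 but no list server: instance has no upstream resolver")
            if (nores != "1") rfuser[rf] = rfuser[rf] " " n     # only instances that read a resolvfile
            lfuser[lf] = lfuser[lf] " " n
            if (!hasif[n]) problem(n, "no list interface: instance listens everywhere and competes with the others")
            if (!nolo[n]) onlo = onlo " " n
        }
        for (f in rfuser) if (split(rfuser[f], a, " ") > 1)
            problem(f, "resolvfile shared by" rfuser[f] ": these instances get the same upstream servers")
        for (f in lfuser) if (split(lfuser[f], a, " ") > 1)
            problem(f, "leasefile shared by" lfuser[f])
        for (f in ifowner) if (split(ifowner[f], a, " ") > 1)
            problem(f, "interface served by more than one instance:" ifowner[f])
        if (split(onlo, a, " ") > 1)
            problem("lo", "more than one instance answers on lo:" onlo " (add list notinterface lo to all but one)")
        for (i = 1; i <= np; i++) {
            p = pool[i]
            if (opt[p, "ignore"] == "1") continue
            if (!((p, "instance") in opt)) {
                if (ni > 1) problem(p, "dhcp pool names no instance: set option instance so the intended dnsmasq serves it")
            } else if (!(opt[p, "instance"] in stype))
                problem(p, "option instance refers to unknown dnsmasq section " opt[p, "instance"])
        }
        exit nprob > 0
    }' "$1"
}

# Constructed input: the lan/languest two-instance config from this thread,
# trimmed to the options the lint reads. 'main' has noresolv '1' with its
# servers commented out, as posted, so it is reported.
demo_lint() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
config dnsmasq 'main'
	option leasefile '/tmp/dhcp.leases'
	#option resolvfile '/tmp/resolv.conf.auto'
	option noresolv '1'
	list interface 'lan'
	#list server '208.67.222.222'

config dnsmasq 'guest'
	option leasefile '/tmp/dhcp.leases.guest'
	option noresolv '1'
	list interface 'languest'
	list notinterface 'lo'
	list server '208.67.222.222'
	list server '208.67.220.220'

config dhcp 'lan'
	option instance 'main'
	option interface 'lan'

config dhcp 'languest'
	option instance 'guest'
	option interface 'languest'
EOF
    lint_dhcp_config "$f"; rc=$?
    rm -f "$f"
    return $rc
}

if demo_lint; then echo "dhcp config looks consistent"; else echo "fix the findings above before restarting dnsmasq"; fi
```

On the router, lint_dhcp_config /etc/config/dhcp before /etc/init.d/dnsmasq restart; the static checks complement the runtime ones from the checklist (two dnsmasq PIDs, a populated per-instance resolv file), which can only be done on the live system.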

@matthew_eli Some of the more technical aspects are above my head and I understand that the question was not directed toward me. But I wanted to put forward one suggestion just in case it may be beneficial.

On one interface, you could potentially force/push DNS out to those specific clients.

Example:

list dhcp_option '6,208.67.222.222,208.67.220.220'

I have used that previously for several years for other purposes. I haven't tried it specifically within this multiple DNS instance setup yet though, but I assume that it should work just the same. Cheers!

EDIT: Although, I just realized that in that scenario you would need to make use of Adblock package Force DNS option if you were utilizing Adblock for those clients.

You're welcome.

Can you test the following dnsmasq config please
(Leave everything else as it is)

config dnsmasq 'lan'
option domainneeded '1'
option filterwin2k '0'
option boguspriv '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '0'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
#option resolvfile '/tmp/resolv.conf.auto'
option noresolv '1'
option nonwildcard '1'
option localservice '1'
option cachesize '2000'
list interface 'lan'
list notinterface 'lo'
list server '208.67.222.222'
list server '208.67.220.220'

config dnsmasq 'kidsafe'
option domainneeded '1'
option filterwin2k '0'
option boguspriv '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/languest/'
option domain 'languest'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases.guest'
#option resolvfile '/tmp/resolv.conf.guest'
option noresolv '1'
option nonwildcard '1'
option localservice '1'
option strictorder '1'
list interface 'languest'
list notinterface 'lo'
list server '208.67.222.123'
list server '208.67.220.123'

Without the force dns firewall rule, does this work?
Can you confirm that the main network uses the 'normal' dns server and the guest network the limited one? (clear dns cache on client beforehand)

In luci -> network -> firewall
What are the names of your firewall zones?
lan or main?
languest or kidsafe or guest?
Why did you change your interface names? (kidsafe then languest)

Can you post your configs please
/etc/config/network
/etc/config/firewall
/etc/config/dhcp
thank you.

In your firewall config you posted, the name for the zone is kidsafe and not guest

config redirect 'force_dns_guest'
option name 'Force-DNS-guest'
option target 'DNAT'
option src 'kidsafe'
option dest 'kidsafe'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option dest_ip '192.168.2.1'

Hi @shm0,

I can say that without the force DNS firewall rule, your settings work flawlessly.

In my firewall, the zones are 'lan' and 'guest'

I don't use kidsafe as an interface in my setup; recap:

INTERFACE: 'lan' and 'languest'
ZONE: 'lan' and 'guest'
DNSMASQ INSTANCE: 'main' and 'guest'

I want all the clients connected to languest to use the DNS forced by the router; in lan the clients can use their own DNS, specified by some DHCP rules;

here are the files:

Network

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fdd9:ed74:2177::/48'

config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option dns '8.8.8.8 8.8.4.4'

config interface 'wan'
option ifname 'eth1.2'
option _orig_ifname 'eth1.2'
option _orig_bridge 'false'
option proto 'pppoe'
option username '****'
option password '****'
option ipv6 'auto'
option peerdns '0'

config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5t'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'

config interface 'languest'
option _orig_ifname 'wlan1-1'
option _orig_bridge 'false'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'

config interface 'vpn0'
option ifname 'tun0'
option proto 'none'
option auto '1'

Firewall

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'

config rule 'Allow_OpenVPN_Inbound'
option target 'ACCEPT'
option src '*'
option dest_port '447'
option proto 'tcp'
option name 'Allow-OPENVPN'

config zone 'vpn'
option name 'vpn'
option network 'vpn0'
option input 'ACCEPT'
option output 'ACCEPT'
option masq '1'
option forward 'REJECT'

config forwarding
option dest 'lan'
option src 'vpn'

config forwarding
option dest 'wan'
option src 'vpn'

config forwarding
option dest 'vpn'
option src 'lan'

config zone
option forward 'REJECT'
option output 'ACCEPT'
option name 'guest'
option input 'REJECT'
option network 'languest'

config forwarding
option dest 'wan'
option src 'guest'

config rule
option src 'guest'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
option name 'Allow-GUEST-DHCP-request'

config rule
option src 'guest'
option dest 'lan'
option name 'Deny-GUEST-Lan'
option target 'DROP'

config rule
option target 'ACCEPT'
option src 'wan'
option name 'Allow-FTP'
option proto 'tcp'
option dest_port '21'
option family 'ipv4'

config rule
option target 'ACCEPT'
option src 'wan'
option name 'Allow-FTP-TLS'
option proto 'tcp'
option dest_port '64000-64100'
option family 'ipv4'

config rule
option name 'Allow-GUEST-DNS-Queries'
option src 'guest'
option dest_port '53'
option proto 'tcpudp'
option target 'ACCEPT'

config redirect 'force_dns'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
option name 'Force-DNS'
option enabled '0'
option dest 'lan'
option dest_ip '192.168.1.1'

config redirect 'force_dns_guest'
option src 'guest'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
option name 'Force-DNS-guest'
option dest 'guest'
option dest_ip '192.168.2.1'

(For the Dhcp I truncated all the entries of my clients to 2, one for each tagged family)

Dhcp

config dnsmasq 'main'
option domainneeded '1'
option filterwin2k '0'
option boguspriv '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '0'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
#option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
list interface 'lan'
option cachesize '2000'
option noresolv '1'
#list server '208.67.222.222'
#list server '208.67.220.220'

config dnsmasq 'guest'
option domainneeded '1'
option filterwin2k '0'
option boguspriv '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/languest/'
option domain 'languest'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases.guest'
#option resolvfile '/tmp/resolv.conf.guest'
option nonwildcard '1'
option localservice '1'
option strictorder '1'
list interface 'languest'
list notinterface 'lo'
list server '208.67.222.222'
list server '208.67.220.220'
option noresolv '1'

config dhcp 'lan'
option instance 'main'
option interface 'lan'
option start '100'
option limit '150'
option dhcpv6 'server'
option ra 'server'
option leasetime '24h'
option ra_management '1'
list dhcp_option '6,208.67.222.222,208.67.220.220'
option dynamicdhcp '0'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'

config host
option name 'tomtom'
option dns '1'
option mac 'XX:XX:XX:XX:XX:XX'
option ip '192.168.1.12'
option tag 'opendns'

config host
option name 'sp-mat'
option dns '1'
option mac 'XX:XX:XX:XX:XX:XX'
option ip '192.168.1.11'
option tag 'google'

config tag 'google'
list dhcp_option '6,8.8.8.8,8.8.4.4'

config tag 'opendns'
list dhcp_option '6,208.67.222.222,208.67.220.220'

config dhcp 'languest'
option instance 'guest'
option start '100'
option limit '150'
option interface 'languest'
option leasetime '3h'

Any chance someone could create a luci-app to do these settings behind the scenes and give it a pretty face?


I tested around on my setup with the dns force rules.
Works fine and can't reproduce this.
Strange.
Maybe someone else has an idea?

Hi,

@shm0, why is it correct, please?

The logic would say that multiple dnsmasq instances with unique resolv files specified in their respective sections should have ended up with the DNS servers listed in the proper resolv.conf.* file, not in the default one.

According to https://lede-project.org/docs/user-guide/dns_configuration:

Not really mentioning anything about resolv.conf.auto... at boot time resolv.conf is linked to resolv.conf.auto, thus this explanation is kind of correct-ish. resolv.conf.auto is generated only - if I am correct - because that is netifd's default... so I definitely miss something for sure, but cannot get why it is correct instead of doing what is actually specified in the configuration file.

Appreciate any insight to help understand why LEDE is doing like this.

Great idea! At a minimum, someone should summarize this and put it in the wiki as a how to.