LanCache DNS server not being used even when specified on FriendlyWrt

If I use this rule:

I get this result from command prompt:

Policy for the lan zone is to accept everything. You can change the rule to deny port 53 for the ipv6 family.
However, it would add some delay to all queries that try ipv6 first.
You'd better advertise the ipv6 address of the lancache server.

If I just enable IPv6 on the machine, and don't change anything else, do you think DNS requests will fail?

Enabling IPv6 on the DNS server box has weird results. Initiating a game download will start with the lancache, but after 20-45 seconds it stops using the lancache and uses the internet. I can no longer download from steamcache.

I made the following changes:
Used the Dynamic IPv6 address of the lancache DNS server (how do I assign a static IPv6 address?):

I am no longer limiting my Ethernet adapter to IPv4 only. IPv4 and 6 are both enabled.

If I close and open Steam, it will start downloading again from the lancache. This does not work anymore.

Is the DoH changing my DNS? Do I need to change other settings in OpenWRT?

EDIT: The lancache will randomly work and other times not.

You need to verify that lan clients only query lancache over ipv4 or ipv6.
DoH can bypass the announced nameservers. You'd have to intercept it.
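One way to do that verification, added here as an example (not from the thread or the OpenWrt wiki): audit a `tcpdump -ni br-lan port 53` style capture from the router and report every DNS flow that does not go to the lancache over either IPv4 or IPv6. The lancache addresses and the capture lines are constructed placeholders.

```shell
#!/bin/sh
# Constructed placeholders: replace with the lancache server's real v4/v6 addresses.
LANCACHE_V4="192.168.1.20"
LANCACHE_V6="fd00:1234::20"

# Constructed sample capture in tcpdump's default format (timestamps dropped).
# Two flows go to the lancache, two go to outside resolvers (documentation addresses).
SAMPLE_FLOWS='IP 192.168.1.50.51234 > 192.168.1.20.53: 12345+ A? steamcontent.com. (34)
IP6 fd00:1234::50.51234 > fd00:1234::20.53: 12346+ AAAA? steamcontent.com. (34)
IP 192.168.1.51.40000 > 203.0.113.53.53: 1+ A? example.com. (29)
IP6 fd00:1234::51.40001 > 2001:db8::53.53: 2+ A? example.com. (29)'

# Read capture lines on stdin; print each port-53 flow whose destination
# is neither the allowed IPv4 ($1) nor the allowed IPv6 ($2) resolver.
dns_bypass_flows() {
    awk -v v4="$1" -v v6="$2" '
        {
            dst = ""
            # The destination is the field right after ">", with or without a timestamp field.
            for (i = 1; i < NF; i++) if ($i == ">") { dst = $(i + 1); break }
            if (dst == "") next
            sub(/:$/, "", dst)              # e.g. "fd00:1234::20.53:" -> "fd00:1234::20.53"
            if (dst !~ /\.53$/) next        # only DNS destinations (port 53)
            sub(/\.53$/, "", dst)           # strip the port, leaving the address
            if (dst != v4 && dst != v6) print
        }'
}

# Number of bypassing flows in the sample; a non-zero count means some LAN
# client resolves outside the lancache (or the router does not advertise its v6 address).
dns_bypass_count() {
    printf '%s\n' "$SAMPLE_FLOWS" | dns_bypass_flows "$LANCACHE_V4" "$LANCACHE_V6" | wc -l | tr -d ' '
}
```

Replace `SAMPLE_FLOWS` with a real capture from the router to audit live traffic; any line reported is a client that will fetch from the internet instead of the cache.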

Yeah, I think I need to, unfortunately. I can flushdns and restart Steam to make it use lancache, but I think DoH might be what's causing problems.

I am just typing this example into my SSH session?

opkg update
opkg install ipset resolveip
 
# Configure IP sets
uci -q delete dhcp.doh
uci set dhcp.doh="ipset"
uci set dhcp.doh.instance="doh"
uci add_list dhcp.doh.name="doh"
uci add_list dhcp.doh.name="doh6"
uci commit dhcp
/etc/init.d/dnsmasq restart
 
# Filter DoH traffic
for IPV in 4 6
do
uci -q delete firewall.doh${IPV%4}_fwd
uci set firewall.doh${IPV%4}_fwd="rule"
uci set firewall.doh${IPV%4}_fwd.name="Deny-DoH"
uci set firewall.doh${IPV%4}_fwd.src="lan"
uci set firewall.doh${IPV%4}_fwd.dest="wan"
uci set firewall.doh${IPV%4}_fwd.dest_port="443"
uci set firewall.doh${IPV%4}_fwd.proto="tcp udp"
uci set firewall.doh${IPV%4}_fwd.family="ipv${IPV}"
uci set firewall.doh${IPV%4}_fwd.ipset="doh${IPV%4} dest"
uci set firewall.doh${IPV%4}_fwd.target="REJECT"
done
uci commit firewall
/etc/init.d/firewall restart
 
# Configure hotplug
mkdir -p /etc/hotplug.d/online
cat << "EOF" > /etc/hotplug.d/online/60-ipset-doh
if [ ! -e /var/lock/ipset-doh ] \
&& lock -n /var/lock/ipset-doh
then
uclient-fetch -O - "https://raw.githubusercontent.com/\
dibdot/DoH-IP-blocklists/master/doh-domains.txt" \
| uci -q batch << EOI
delete dhcp.doh.domain
$(sed -e "s/^.*$/\
del_list dhcp.doh.domain='\0'\n\
add_list dhcp.doh.domain='\0'/")
commit dhcp
EOI
lock -u /var/lock/ipset-doh
fi
EOF
cat << "EOF" >> /etc/sysupgrade.conf
/etc/hotplug.d/online/60-ipset-doh
EOF
. /etc/hotplug.d/online/60-ipset-doh
 
# Populate IP sets
ipset setup

This is what my Linux shows for DNS/IPv6:

I'm not familiar with Linux or IPv6 so I'm not sure if anything sticks out as problematic.

Looks good to me.

Yes.

root@FriendlyWrt:~# for IPV in 4 6
do
uci -q delete firewall.doh${IPV%4}_fwd
uci set firewall.doh${IPV%4}_fwd="rule"
uci set firewall.doh${IPV%4}_fwd.name="Deny-DoH"
uci set firewall.doh${IPV%4}_fwd.src="lan"
uci set firewall.doh${IPV%4}_fwd.dest="wan"
uci set firewall.doh${IPV%4}_fwd.dest_port="443"
uci set firewall.doh${IPV%4}_fwd.proto="tcp udp"
uci set firewall.doh${IPV%4}_fwd.family="ipv${IPV}"
uci set firewall.doh${IPV%4}_fwd.ipset="doh${IPV%4} dest"
uci set firewall.doh${IPV%4}_fwd.target="REJECT"
done
uci commit firewall
/etc/init.d/firewall restart
The fw4 firewall does not appear to be loaded, try fw4 flush to delete all rules.

Is this normal?

root@FriendlyWrt:~# mkdir -p /etc/hotplug.d/online
cat << "EOF" > /etc/hotplug.d/online/60-ipset-doh
if [ ! -e /var/lock/ipset-doh ] \
&& lock -n /var/lock/ipset-doh
then
uclient-fetch -O - "https://raw.githubusercontent.com/\
dibdot/DoH-IP-blocklists/master/doh-domains.txt" \
| uci -q batch << EOI
delete dhcp.doh.domain
$(sed -e "s/^.*$/\
del_list dhcp.doh.domain='\0'\n\
add_list dhcp.doh.domain='\0'/")
commit dhcp
EOI
lock -u /var/lock/ipset-doh
fi
EOF
cat << "EOF" >> /etc/sysupgrade.conf
/etc/hotplug.d/online/60-ipset-doh
EOF
. /etc/hotplug.d/online/60-ipset-doh
Downloading 'https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-domains.txt'
Connecting to 2606:50c0:8002::154:443
Writing to stdout
-                    100% |*******************************|  3193   0:00:00 ETA
Download completed (3193 bytes)
root@FriendlyWrt:~# ipset setup
ipset v7.15: No command specified: unknown argument setup
Try `ipset help' for more information.
root@FriendlyWrt:~#

and ipset setup doesn't appear to be working.

If you are on 23.02-rc it might not be implemented yet.

There is an extra step to have the ipset setup functionality.

I currently don't have DNS on my network by the looks. Do you have any suggestions? Googling problems is more difficult lol

I have installed RC3 (I think) and I am unable to SSH into the router anymore. PowerShell tells me my password is incorrect and MobaXTerm just ends the session.
I can use LuCi just fine.
OpenWrt 22.03.0-rc3 r19378-9f415792e1 / LuCI openwrt-22.03 branch git-22.140.66268-ef99568

I reinstalled a fresh version of OpenWrt 22.03.0-rc1 r19302-df622768da / LuCI openwrt-22.03 branch git-22.083.69105-af8e91c
and will try upgrading to rc3 before messing with any DNS settings.
Do you think upgrading caused the loss of SSH login?

Is there a rule of thumb for which upgrade file to use?
https://downloads.openwrt.org/releases/22.03.0-rc3/targets/rockchip/armv8/

I noticed LuCi noted that squash can be in-place reinstalled. I used ext4 as that worked for me in the past.

Is it the same system with your previous post?
Running Release Candidate versions can have unexpected behaviour, as it is not stable yet.
The R4S still doesn't support any stable version, so inevitably you'll have to either wait for it or tolerate the issues that appear in RC versions. You can use either of them; squashfs can revert to defaults easily if you mess it up, ext4 is more widely known. If in doubt, go for the squash.

Yup, same system. Thanks for checking.
I will try the squash this time.

So I couldn't unpack the squash version without getting 2 errors. I tried the ext4 again and got the same results. I am unable to SSH into the router, but LuCi works fine.
Am I looking at waiting until a full release comes out and/or R4S support before I can continue?
Or is there a way to SSH/disable DoH using LuCi?
EDIT:
I noticed my WAN and LAN LEDs aren't functioning. Would rc2 do me any good?
OOF and QoS isn't present either. Going to have to revert.

What do these errors say?